[Esapi-user] AuthenticationHostException

Rohit Sethi rklists at gmail.com
Sun Feb 27 17:45:42 EST 2011


I don't actually - I think it has to do with the lines 529-532 from
org.owasp.esapi.filters.SecurityWrapperRequest:

public String getRemoteAddr() {
        return getHttpServletRequest().getRemoteAddr();
}


Which means we're just using the Servlet container's implementation to get
the IP address. In this case I'm using Tomcat 6.

I guess the real question is around the value of this Intrusion Detection
Rule (i.e. detecting a host change mid-session)? Wouldn't you run into
problems with AOL proxy and the like if you simply do .equals() checks on IP
addresses? I would think about scrapping this rule for the time being.
Session IP correlation is a trickier problem. Has anyone run into problems
with this rule in their production apps?

On Sun, Feb 27, 2011 at 5:28 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Rohit,
>
> No, this is just problematic code. If you have a fix, care to toss us a
> patch?? Also, please consider the latest rc10
>
> Thanks for pointing this out,
> Jim
>
> > Hi all, I'm playing around with the File Based Authentication in ESAPI and I
> > seem to run into a problem and I'm wondering if others have the same issue.
> > I'm testing with a simple app running on localhost, and for whatever reason
> > the authenticator seems to sometimes use an ipv6 loopback address (::1) and
> > at other times it uses an ipv4 loopback address (127.0.0.1). I think there's
> > a string .equals() check to see if the IP address changes for a user within
> > a session. For example, if I first log in to the app using my browser, and I
> > then try to log in afterwards when proxying through Burpsuite I get the
> > following:
> >
> > 02-27 16:32:44 [INFO] [ExampleApplication:Authenticator] - [SECURITY SUCCESS
> > Anonymous:null at unknown -> 127.0.0.1:8443/ExampleApplication/Authenticator]
> > Password verified for test
> > 02-27 16:32:44 [INFO] [ExampleApplication:DefaultUser] - [SECURITY SUCCESS
> > test:759065 at 0:0:0:0:0:0:0:1 -> 127.0.0.1:8443/ExampleApplication/DefaultUser]
> > Set last successful login time to Sun Feb 27 16:32:44 EST 2011 for test
> > 02-27 16:32:44 [WARN] [ExampleApplication:IntrusionDetector] - [SECURITY
> > FAILURE test:759065 at 0:0:0:0:0:0:0:1 ->
> > 127.0.0.1:8443/ExampleApplication/IntrusionDetector] User session just
> > jumped from 0:0:0:0:0:0:0:1 to 127.0.0.1
> > org.owasp.esapi.errors.AuthenticationHostException: Host change
> >     at org.owasp.esapi.reference.DefaultUser.setLastHostAddress(DefaultUser.java:524)
> >
> > I'm using ESAPI-2.0-RC7-b-Early-Release.jar on Windows 7 with Firefox 3.6.
> >
> > I thought about filing a bug but figured I'd ask if this was simply a
> > problem with configuration, an expected response, or a legitimate bug.
> >
> > Thanks,
> >
> >
> >
> > _______________________________________________
> > Esapi-user mailing list
> > Esapi-user at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/esapi-user
>
>


-- 
Rohit Sethi
Security Compass
http://www.securitycompass.com
twitter: rksethi
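The brittleness discussed in this thread (a raw string .equals() on the container's getRemoteAddr() treating the IPv6 loopback 0:0:0:0:0:0:0:1 and 127.0.0.1 as a host change) can be illustrated with a small added example. This is not ESAPI code and not the fix the list settled on; the class name HostChangeCheck and its methods are hypothetical. It shows the naive comparison beside one that canonicalises numeric addresses through java.net.InetAddress first, so that all loopback spellings (and IPv4-mapped IPv6 forms, which the JDK parser already folds to IPv4) compare equal, while anything that is not a numeric literal is left untouched so it can never match by accident and never triggers a DNS lookup.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

/** Added example, not ESAPI's own code: comparing a session's recorded client address. */
public final class HostChangeCheck {

    /** The check as described in the thread: raw string equality on getRemoteAddr(). */
    static boolean naiveSameHost(String previous, String current) {
        return previous != null && previous.equals(current);
    }

    /**
     * Canonical form of a numeric address string.
     * - every loopback form (127.0.0.0/8, ::1, 0:0:0:0:0:0:0:1) folds to "loopback"
     * - IPv4-mapped IPv6 (::ffff:a.b.c.d) is returned as plain dotted IPv4 by the JDK
     * - anything that is not a bare numeric literal (hostnames, scoped addresses such
     *   as fe80::1%eth0, garbage) is returned verbatim, and never resolved via DNS
     */
    static String canonical(String addr) {
        if (addr == null) {
            return "";
        }
        String a = addr.trim();
        // Only digits, hex letters, dots and colons: a numeric literal, so getByName() will not hit DNS.
        if (!a.matches("[0-9A-Fa-f:.]+")) {
            return a;
        }
        try {
            InetAddress ia = InetAddress.getByName(a);
            if (ia.isLoopbackAddress()) {
                return "loopback";
            }
            return ia.getHostAddress();
        } catch (UnknownHostException e) {
            return a; // malformed literal: keep it distinct rather than guessing
        }
    }

    /** Same-host decision for the intrusion rule, after canonicalisation. */
    static boolean sameHost(String previous, String current) {
        return canonical(previous).equals(canonical(current));
    }

    public static void main(String[] args) {
        String[][] pairs = {
            {"0:0:0:0:0:0:0:1", "127.0.0.1"},   // the pair from the thread's log lines
            {"::1", "127.0.0.1"},
            {"::ffff:10.0.0.5", "10.0.0.5"},
            {"10.0.0.5", "10.0.0.6"},            // a real change: both checks must flag it
            {"localhost", "127.0.0.1"},          // hostname is not canonicalised: still a change
        };
        for (String[] p : pairs) {
            System.out.printf("%-18s vs %-12s naive=%-5s canonical=%s%n",
                    p[0], p[1], naiveSameHost(p[0], p[1]), sameHost(p[0], p[1]));
        }
    }
}
```

Canonicalising removes the false positive the thread describes, but it does not address the other point Rohit raises: a client behind a rotating proxy pool legitimately arrives from different addresses within one session, and no normalisation of the address string can tell that apart from a stolen session. That is a policy decision (log and correlate, step up authentication, or drop the rule) rather than something this comparison can settle.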