[Esapi-user] AuthenticationHostException

Jim Manico jim.manico at owasp.org
Sun Feb 27 20:20:10 EST 2011


> I guess the real question is around the value of this Intrusion Detection
> Rule (i.e. detecting a host change mid-session)? Wouldn't you run into
> problems with AOL proxy and the like if you simply do .equals() checks on IP
> addresses?

Definitely! This kind of defense does NOT work in a consumer-facing internet type of app, but often DOES work well in some intranet settings.

- Jim

> I don't actually - I think it has to do with the lines 529-532 from
> org.owasp.esapi.filters.SecurityWrapperRequest:
> 
> public String getRemoteAddr() {
>     return getHttpServletRequest().getRemoteAddr();
> }
> 
> 
> Which means we're just using the Servlet container's implementation to get
> the IP address. In this case I'm using Tomcat 6.
> 
> I guess the real question is around the value of this Intrusion Detection
> Rule (i.e. detecting a host change mid-session)? Wouldn't you run into
> problems with AOL proxy and the like if you simply do .equals() checks on IP
> addresses? I would think about scrapping this rule for the time being.
> Session IP correlation is a trickier problem. Has anyone run into problems
> with this rule in their production apps?
> 
> On Sun, Feb 27, 2011 at 5:28 PM, Jim Manico <jim.manico at owasp.org> wrote:
> 
>> Rohit,
>>
>> No, this is just problematic code. If you have a fix, care to toss us a
>> patch?? Also, please consider the latest rc10
>>
>> Thanks for pointing this out,
>> Jim
>>
>>> Hi all, I'm playing around with the File Based Authentication in ESAPI
>>> and I seem to run into a problem and I'm wondering if others have the
>>> same issue. I'm testing with a simple app running on localhost, and for
>>> whatever reason the authenticator seems to sometimes use an ipv6 loopback
>>> address (::1) and at other times it uses an ipv4 loopback address
>>> (127.0.0.1). I think there's a string .equals() check to see if the IP
>>> address changes for a user within a session. For example, if I first log
>>> in to the app using my browser, and I then try to log in afterwards when
>>> proxying through Burpsuite I get the following:
>>>
>>> 02-27 16:32:44 [INFO] [ExampleApplication:Authenticator] - [SECURITY SUCCESS Anonymous:null at unknown -> 127.0.0.1:8443/ExampleApplication/Authenticator] Password verified for test
>>> 02-27 16:32:44 [INFO] [ExampleApplication:DefaultUser] - [SECURITY SUCCESS test:759065 at 0:0:0:0:0:0:0:1 -> 127.0.0.1:8443/ExampleApplication/DefaultUser] Set last successful login time to Sun Feb 27 16:32:44 EST 2011 for test
>>> 02-27 16:32:44 [WARN] [ExampleApplication:IntrusionDetector] - [SECURITY FAILURE test:759065 at 0:0:0:0:0:0:0:1 -> 127.0.0.1:8443/ExampleApplication/IntrusionDetector] User session just jumped from 0:0:0:0:0:0:0:1 to 127.0.0.1
>>> org.owasp.esapi.errors.AuthenticationHostException: Host change
>>>     at org.owasp.esapi.reference.DefaultUser.setLastHostAddress(DefaultUser.java:524)
>>>
>>> I'm using ESAPI-2.0-RC7-b-Early-Release.jar on Windows 7 with Firefox 3.6.
>>>
>>> I thought about filing a bug but figured I'd ask if this was simply a
>>> problem with configuration, an expected response, or a legitimate bug.
>>>
>>> Thanks,
>>>
>>> _______________________________________________
>>> Esapi-user mailing list
>>> Esapi-user at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/esapi-user
>>
>>
> 
> 
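One way to make the host-change rule survive the loopback case Rohit hit, and to make it switchable for the proxied consumer traffic Jim describes. This is an added example, not ESAPI's code and not code posted by anyone in this thread. The class HostChangeDetector, its Mode and Result enums, HostChangeException and the 10.1.2.x sample addresses are assumptions made for illustration; the loopback values are the ones from the log quoted above.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Objects;
import java.util.regex.Pattern;

/**
 * Added example, not ESAPI code: a session host-change rule that (a) does not
 * treat the IPv4 and IPv6 loopback addresses as a "host change" and (b) can be
 * switched to log-only where clients sit behind rotating proxies.
 */
public final class HostChangeDetector {

    /** Reaction when the remote address differs from the one recorded at login. */
    public enum Mode { ENFORCE, LOG_ONLY, OFF }

    /** Outcome of a check; in ENFORCE mode a change becomes an exception instead. */
    public enum Result { SAME, LOGGED, DISABLED }

    /** Hypothetical stand-in for ESAPI's AuthenticationHostException. */
    public static final class HostChangeException extends RuntimeException {
        HostChangeException(String message) { super(message); }
    }

    /** Dotted-quad IPv4 literal, or anything with a colon (IPv6 literal); never a bare hostname. */
    private static final Pattern IPV4_LITERAL = Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");
    private static final Pattern IPV6_LITERAL = Pattern.compile("[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*");

    private final Mode mode;

    public HostChangeDetector(Mode mode) {
        this.mode = Objects.requireNonNull(mode, "mode");
    }

    /**
     * Canonical form of a remote address for comparison. All loopback addresses
     * ("127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "::ffff:127.0.0.1") map to one token;
     * other literals are compared as parsed InetAddress values rather than raw
     * strings, so alternative spellings of the same IPv6 address also agree.
     */
    static String canonical(String host) {
        if (host == null || host.isEmpty()) {
            return "unknown";
        }
        // Only hand IP literals to getByName(): on a hostname it would do a DNS lookup,
        // which is why this expects getRemoteAddr() values and not getRemoteHost().
        if (!(IPV4_LITERAL.matcher(host).matches() || IPV6_LITERAL.matcher(host).matches())) {
            return host;
        }
        try {
            InetAddress addr = InetAddress.getByName(host);
            return addr.isLoopbackAddress() ? "loopback" : addr.getHostAddress();
        } catch (UnknownHostException e) {
            // Malformed literal: keep the raw string so a change is still noticed.
            return host;
        }
    }

    /**
     * Compares the address recorded at login with the current request's address.
     * Throws HostChangeException in ENFORCE mode when they differ.
     */
    public Result check(String lastHost, String currentHost) {
        if (mode == Mode.OFF) {
            return Result.DISABLED;
        }
        if (canonical(lastHost).equals(canonical(currentHost))) {
            return Result.SAME;
        }
        String detail = "User session just jumped from " + lastHost + " to " + currentHost;
        if (mode == Mode.ENFORCE) {
            throw new HostChangeException("Host change: " + detail);
        }
        // LOG_ONLY: record the event for correlation, do not end the session.
        System.out.println("[WARN] " + detail + " (log-only)");
        return Result.LOGGED;
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the log in the thread: IPv6 loopback at login,
        // IPv4 loopback on the next request through a local proxy.
        HostChangeDetector enforcing = new HostChangeDetector(Mode.ENFORCE);
        System.out.println("loopback switch: " + enforcing.check("0:0:0:0:0:0:0:1", "127.0.0.1"));

        // A change between two distinct (constructed) intranet addresses still trips
        // the rule in ENFORCE mode ...
        try {
            enforcing.check("10.1.2.3", "10.1.2.4");
        } catch (HostChangeException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // ... and is only recorded in LOG_ONLY mode, the setting for traffic that
        // arrives through proxies whose egress address can change mid-session.
        HostChangeDetector logging = new HostChangeDetector(Mode.LOG_ONLY);
        System.out.println("proxied change: " + logging.check("10.1.2.3", "10.1.2.4"));
    }
}
```

Compile with javac HostChangeDetector.java and run java HostChangeDetector. The canonical() step is what the plain String .equals() discussed in the thread lacks, and LOG_ONLY is the cheap middle ground before scrapping the rule entirely: the warning line still gives an intrusion detector something to correlate on without ending legitimate proxied sessions.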


