On 02/27/2011 08:20 PM, Jim Manico wrote:
>> I guess the real question is around the value of this Intrusion Detection
>> Rule (i.e. detecting a host change mid-session)? Wouldn't you run into
>> problems with AOL proxy and the like if you simply do .equals() checks on IP
>> addresses?
> Definitely! This kind of defense does NOT work in a consumer-facing internet type of app, but often DOES work well in some intranet settings.

This definitely is something that does NOT work on the Internet for the
very reasons cited. It's been discussed in great detail on other lists
(WebAppSec, SC-L, etc.).

It can be useful for intranet, and most likely once everyone cuts over to
IPv6 in the next 20 yrs and NAT starts to die out (there are many who think
that routers, switches, etc. will eventually stop supporting NAT at some
point), it might eventually be useful on the Internet again.

I've dealt with IDM systems that try to use this same check, but it is a
bit more flexible. The project that we use allows one to either configure
a specific list of comma-separated trusted proxy IPs or to specify IP
subnets that one trusts as proxies. If ESAPI isn't going to get that
complicated, then we could just add a property to control whether it is
enabled or not. (But I would argue that its default is to disable it as I
suspect that most uses of ESAPI--at least the early ones--are more apt to be
Internet facing web applications.)
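The check described in this message (bind a session to the client address, flag a mid-session change, but tolerate requests that arrive via a configured list of trusted proxy IPs or subnets, all behind an enable property that defaults to off) can be sketched as follows. This is an added example written for this thread, not ESAPI code or the IDM product mentioned; the property names, the `X-Forwarded-For` handling and the sample addresses are assumptions made here for illustration.

```python
"""Session-to-client-address binding with trusted-proxy exemptions.

Added example for the thread above; not ESAPI's own code.  Property names
and all addresses below are constructed for the demo.
"""
import ipaddress

# Constructed sample properties.  Key names are hypothetical, not ESAPI's.
SAMPLE_PROPERTIES = {
    "HostChange.Enabled": "true",
    "HostChange.TrustedProxies": "10.0.0.5, 10.0.0.6",          # comma-separated IPs
    "HostChange.TrustedProxySubnets": "192.168.100.0/24",       # comma-separated CIDRs
}


def _parse_ip(text):
    """Return an ip_address object, or None if the text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


class HostChangePolicy:
    """Parses the three properties; the check is disabled unless explicitly enabled."""

    def __init__(self, props):
        self.enabled = props.get("HostChange.Enabled", "false").strip().lower() == "true"
        self.proxies = {
            ip for ip in (_parse_ip(p) for p in props.get("HostChange.TrustedProxies", "").split(","))
            if ip is not None
        }
        self.subnets = [
            ipaddress.ip_network(n.strip(), strict=False)
            for n in props.get("HostChange.TrustedProxySubnets", "").split(",")
            if n.strip()
        ]

    def is_trusted_proxy(self, addr):
        ip = _parse_ip(addr)
        if ip is None:
            return False
        return ip in self.proxies or any(ip in net for net in self.subnets)


def effective_client(policy, remote_addr, xff=None):
    """Address the session is bound to.

    If the TCP peer is a trusted proxy and supplied X-Forwarded-For, walk the
    header from the right and use the first hop that is not itself a trusted
    proxy.  Untrusted peers never get to assert a client address via XFF.
    """
    if policy.is_trusted_proxy(remote_addr) and xff:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        for hop in reversed(hops):
            if _parse_ip(hop) is not None and not policy.is_trusted_proxy(hop):
                return str(_parse_ip(hop))
    return str(_parse_ip(remote_addr) or remote_addr)


def check_host_change(policy, session, remote_addr, xff=None):
    """Return 'disabled', 'bound' (first request), 'ok' or 'violation'."""
    if not policy.enabled:
        return "disabled"
    client = effective_client(policy, remote_addr, xff)
    bound = session.get("bound_ip")
    if bound is None:
        session["bound_ip"] = client   # bind on first request of the session
        return "bound"
    return "ok" if bound == client else "violation"


if __name__ == "__main__":
    policy = HostChangePolicy(SAMPLE_PROPERTIES)
    direct = {}
    print(check_host_change(policy, direct, "172.16.4.20"))    # bound
    print(check_host_change(policy, direct, "172.16.4.20"))    # ok
    print(check_host_change(policy, direct, "172.16.4.21"))    # violation
    proxied = {}
    print(check_host_change(policy, proxied, "10.0.0.5", xff="172.16.4.20"))  # bound
    print(check_host_change(policy, proxied, "10.0.0.6", xff="172.16.4.20"))  # ok: proxy pool rotated
    print(check_host_change(HostChangePolicy({}), {}, "172.16.4.20"))         # disabled
```

The intranet case the message has in mind is the `proxied` session: the peer address flips between two members of the trusted proxy pool, but the client behind them is unchanged, so no violation is raised. With no trusted proxies configured (the consumer-facing case), any address change is a violation, which is exactly why the default is off.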

