[Owasp-alabama] Last login from in a web app

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Mon Oct 3 11:28:53 EDT 2011


On Oct 3, 2011, at 10:11 AM, owasp-alabama at lists.owasp.org wrote:

> 1 - tracking last logged in IP in a log is clearly valuable in the case of a compromised account, then you know more clearly what IP'd system made the access, instead of just assuming it's the person with the password.

While this is good, this should be an administrative control. 

> 
> 2 - displaying to the end user provides 2 benefits.
> 	a)  lets nitwits know that you are tracking, and "can" let them think twice before being stupid
> 	b) shows users where the last access was from, and if they know about the network they can identify that someone else may have used the account
> 
> my 2.5 cents.


As an attacker this offers no real security though. 
Also, when the application is logging IP addresses in this manner other things tend to crop up:
	.. Blind SQL, XSS ...

Even though this may make an end user feel fuzzy, care should be taken to avoid implementation errors for this, especially when this is cited when it isn't backed by the requirements doc within the application.

Without this being in a requirements document, and if it only exists within a finding, this could easily prompt a developer to develop and not check this, thus creating a greater attack surface.

But in the end I would say weigh your options.... 

| Daniel Uriah Clemens
| Packetninjas L.L.C | | http://www.packetninjas.net
| c. 205.567.6850      | | o. 866.267.8851 
"Moments of sorrow are moments of sobriety"
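The point above about blind SQL injection and XSS "cropping up" once an application starts recording and showing the last-login IP comes down to how that value is taken from the request, stored and rendered. The following is an added example, not code from either poster or from any project: it treats the client-supplied address as untrusted input, accepts only what parses as an IP, only consults X-Forwarded-For when the TCP peer is one of a hypothetical TRUSTED_PROXIES set (a constructed value), writes with a parameterized SQLite query, and HTML-escapes on display. Everything here is self-contained and uses only the Python standard library.

```python
import html
import ipaddress
import sqlite3
from datetime import datetime, timezone
from typing import Optional

# Hypothetical addresses of our own reverse proxies (constructed for this example).
TRUSTED_PROXIES = {"10.0.0.5"}


def normalize_client_ip(raw: Optional[str]) -> Optional[str]:
    """Return a canonical IP string, or None if the value is not a bare IP.

    Parsing with the ipaddress module means any header-injected markup or
    SQL fragment is rejected before it can reach the log or the page.
    """
    if raw is None:
        return None
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


def client_ip_from_request(remote_addr: str, x_forwarded_for: Optional[str]) -> Optional[str]:
    """Choose which address to record for a login.

    X-Forwarded-For is attacker-controllable, so it is only used when the
    TCP peer is one of our trusted proxies, and then only the right-most
    entry (the one that proxy appended) is taken.
    """
    if remote_addr in TRUSTED_PROXIES and x_forwarded_for:
        candidate = x_forwarded_for.split(",")[-1]
    else:
        candidate = remote_addr
    return normalize_client_ip(candidate)


def setup_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's login log."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login_events (username TEXT NOT NULL, ip TEXT NOT NULL, at TEXT NOT NULL)"
    )
    return conn


def record_login(conn: sqlite3.Connection, username: str, remote_addr: str,
                 x_forwarded_for: Optional[str] = None) -> bool:
    """Store the login; returns False (and stores nothing) if no valid IP was found."""
    ip = client_ip_from_request(remote_addr, x_forwarded_for)
    if ip is None:
        return False
    # Parameterized statement: the IP string is bound, never concatenated.
    conn.execute(
        "INSERT INTO login_events (username, ip, at) VALUES (?, ?, ?)",
        (username, ip, datetime.now(timezone.utc).isoformat()),
    )
    return True


def last_login_ip(conn: sqlite3.Connection, username: str) -> Optional[str]:
    row = conn.execute(
        "SELECT ip FROM login_events WHERE username = ? ORDER BY at DESC, rowid DESC LIMIT 1",
        (username,),
    ).fetchone()
    return row[0] if row else None


def render_last_login(ip: Optional[str]) -> str:
    """Build the HTML shown to the user; escaping is defense in depth on top of validation."""
    if ip is None:
        return "<p>No previous login recorded.</p>"
    return f"<p>Last login from {html.escape(ip)}</p>"


if __name__ == "__main__":
    db = setup_db()
    # Constructed sample requests: one through the trusted proxy, one with junk in the header.
    record_login(db, "alice", "10.0.0.5", "203.0.113.7")
    record_login(db, "alice", "10.0.0.5", "203.0.113.7<img src=x>")
    print(render_last_login(last_login_ip(db, "alice")))
```

The second sample login is dropped rather than stored because its header value does not parse as an address; a real deployment would also want to log that rejection, since a client sending markup in X-Forwarded-For is itself worth noticing.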