[Owasp-appsensor-project] Change to Detection Points - SE5 Source IP Address Changes During Session

Ryan Barnett rcbarnett at gmail.com
Fri Jun 11 16:47:48 EDT 2010

We need to make sure that it is clear as to what the purpose/goal is for each detection 
point.  There are a number of new detection items that Colin sent (this one, change in 
User-Agent string, etc...) whose real goal is to try and alert when we think that there 
may be an indication of some sort of Session Hijacking attack occurring.  Flagging changes 
to IP (network block) or User-Agent value is easy to do however it also may be prone to 
false positives and negatives.  We actually have just added this type of Session Hijacking 
detection to the latest ModSecurity CRS v2.0.7.  

Perhaps there should be a parent category for Fraud Detection?

Ryan C. Barnett
WASC Web Hacking Incident Database Project Leader
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security

On Thursday 10 June 2010 03:38:11 Colin Watson wrote:
> John
> Thank you for getting the discussion going and your good questions.
> > just need a bit more info here - is the intention to allow a user to
> > switch IPs as long as it's in the same range and / or ASN and be
> > considered ok?
> I'm not sure how "prescriptive" the controls are meant to be.  If
> developers roll their own code, they could perhaps choose any one of
> these three to suit their application.  For example, if it was an
> intranet, a fixed IP might be reasonable.  An online shop may want to
> be a bit more flexible to cater for users whose IP addresses change
> during their session by use of a proxy.
> Do we need to consider X-Forwarded-For here too?
> Colin
> _______________________________________________
> Owasp-appsensor-project mailing list
> Owasp-appsensor-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project

More information about the Owasp-appsensor-project mailing list