IP Spoofing and AntiForgeryTokens - web

I am trying to determine possible vulnerabilities in a possible site implementation.
We need to be able to determine if the user is logging into the site from a local IP address or an external one. I know the IP address can be spoofed, though the spoofer won't be able to get much information.
I was thinking it could be possible for a person to spoof a local IP and perform a POST action to modify data on the server, though this would be difficult (predicting sequence numbers).
If the site used validation tokens on all POST requests, this might help. In particular I am using .NET MVC 4's AntiForgeryToken. I am not sure how the token is keyed to the user.
My question is: if the spoofer went to a page normally to get the token, then spoofed his IP and used the token to do a POST, would this succeed?
I know we're getting into the realm of the implausible, but... Maybe an example might help. Let's say when a user logs in the application detects the IP (not using HTTP_X_FORWARDED_FOR) and sets the session as local or remote. Could a malicious user load the login screen, get the token, spoof their IP address (assume they are able to determine the sequence number and post), then post the login with that IP address, setting them as local?
Any insight would be appreciated.
Thanks,
Phillip

Your site's firewall should block anything with a source IP in your address block, to prevent IP spoofing in the first place.

Related

I received an email (Gmail); how to know the sender's IP address if both sender and receiver use the same domain

Using email analysis we can find the sender's IP address through some tools only if they are from different domains, e.g. the sender sends from Yahoo Mail to a Gmail user.
How to find the sender's IP if they are from the same domain?
Example:
from: abcd#gmail.com
to: wxyz#gmail.com
While in email analysis I am getting the sender's IP as a Google server's IP.
What you can actually achieve with any tools depends very much on whose IP address you want to find out:
If you want to get the address of the client on which a user probably typed the email and from which it was transferred to its provider's Mail User Agent (MUA), forget it. As long as you are not a government with the appropriate court decision or very good friends with the server operator, the latter will not give you even slightly sensitive information about its clients, and that includes the IP address.
If you want the IP address of the MUA of the client's mail service provider, you have much better chances. Assuming that the from field is correct, just check out which addresses this provider uses. Gmail probably has a lot of various server machines and I think you might not find the exact IP of the server the sender's client connected to. If the from field is manipulated (junk mail), Gmail's Mail Transfer Agent (MTA) will probably reject the mail, so that it will never arrive in your inbox anyway.
The sender and the recipient may use different mail service providers; in that case your provider's admin could have a look into the server's log files to find out from which IP address the recipient's provider's MTA was connected. However, usually this is absolutely irrelevant, as long as we are dealing with two respectable organizations. Also you explicitly mentioned that in this scenario it is one and the same provider.
Finally, you can find out the address of your own MUA, but I think that has nothing to do with the author of the email.
So, in conclusion: technically you can't. The only really interesting information is the address of the client used by the author of the email. Google is a respectable enough company to never ever give this information to you, except if the sender's mail client explicitly wrote it into the mail header, which it probably never will.
If you want the IP address because of criminal activity or any kind of abuse by the sender, just contact Gmail. If that does not help, file a lawsuit. The latter one may actually take a long breath until you (may!) be successful, so be sure if your situation is really that bad.
However, if you have a lot of criminal energy you could use the more general metadata from the header to create a profile of the sender's client, like which client software of which version he/she uses and more. But I think this is going to be very, very much work until you get more relevant information (and it should be).
It would actually be very helpful to have a bit more information on your scenario, e.g. what you need the address for, if you really mean the client's address or the mail provider's server address, how much work you are willing to invest and also which kind of mail service provider we are talking about. If you run your own mail server, you suddenly gain access to a lot of interesting information...
Feel free to clarify your needs, so maybe someone can help you better. Also, I hope I didn't hit you with too many words, I am new and excited about stackoverflow ;)

Handling IP signed URL and changing IPs

I have a webserver which only allows downloading of files when you pass along a token on the querystring. This token (basically a hash) is compared to the hash result of the filepath + remote ip.
This has worked perfectly! However since a project of mine has gained more public interest obscure issues have started to show.
People retrieve the signed URLs from an API. The API load balances the request and returns a valid URL for the requesting IP. However, some people have some really funky network setups and can basically change their IP address from request to request! E.g. some university networks route all internet traffic through a load-balanced proxy.
This is very problematic... I have been trying to come up with an alternative but I'm kinda stuck. The only thing I can come up with is an expiring link instead, which is not IP bound, but that brings other kinds of issues.
What kind of options do I have other than expiring URLs? What could I do to still use the IP based system? I cannot trust proxy headers. I need to work with information the users can't directly manipulate...
I have also thought about generating a token for an IP range instead. But it's not ideal and only solves the problem when the IPs are within range (of which I have already seen cases). So I'm stuck at the moment.
Would love to read about what you guys might suggest.
What you are after is impossible I'm afraid.
You basically want to authenticate a user (the person) without... well, authenticating the user. Anything you have in the request can be forged by the client, which means another client can make the very same request whatever you do, as long as clients cooperate and share data. The only thing that is somewhat harder to forge over TCP is the client IP, which on the other hand changes sometimes, as you also noted.
So there is no cryptographic (=reasonably secure) solution.
If you want to make it somewhat harder for an attacker and your clients are browsers, you can try fingerprinting the browser. That's surprisingly accurate in many cases, but obviously can also be forged. It does raise the bar a bit for people trying to share links though.
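The two schemes discussed above, as an added Python example (not the asker's or the answerer's code): the IP-bound token and the expiring alternative, both computed as an HMAC over a server-side secret. The secret and the URLs are constructed for the demo; the question's "hash of filepath + remote IP" is assumed to include such a secret, since a bare hash could be recomputed by anyone who knows the scheme. The verification functions show why the IP-bound check fails as soon as a proxy changes the client's address between requests.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed demo secret; a real deployment keeps this out of source control.
SECRET = b"constructed-demo-secret"


def _sign(*parts: str) -> str:
    # MAC over '|'-joined fields so path and IP/expiry cannot be confused.
    return hmac.new(SECRET, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def make_ip_bound_url(path: str, client_ip: str) -> str:
    """IP-bound scheme from the question: token = MAC(path, remote IP)."""
    return f"{path}?{urlencode({'token': _sign(path, client_ip)})}"


def verify_ip_bound(url: str, client_ip: str) -> bool:
    """Recompute the token for the IP the request actually arrived from."""
    parsed = urlparse(url)
    token = parse_qs(parsed.query).get("token", [""])[0]
    return hmac.compare_digest(token, _sign(parsed.path, client_ip))


def make_expiring_url(path: str, ttl: int, now=None) -> str:
    """Alternative raised in the question: bind to an expiry time instead of the IP."""
    expires = int(now if now is not None else time.time()) + ttl
    query = urlencode({"expires": expires, "token": _sign(path, str(expires))})
    return f"{path}?{query}"


def verify_expiring(url: str, now=None) -> bool:
    """Reject expired links and any link whose path or expiry was altered."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    expires = q.get("expires", ["0"])[0]
    token = q.get("token", [""])[0]
    if not expires.isdigit():
        return False
    current = now if now is not None else time.time()
    if int(expires) <= current:
        return False
    # The expiry is part of the signed message, so extending it breaks the MAC.
    return hmac.compare_digest(token, _sign(parsed.path, expires))
```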

Is there any way to determine a user's DNS servers from a web page?

I am curious how I could detect a user's DNS servers from my website. Is there any way to know? Any possible way?
No. By the time the user initiates the request to your server, the DNS lookup is already finished (or they wouldn't know the address of your server).
I suppose it's theoretically possible to abuse Javascript or other content in order to breach the security of the user's machine and try to fetch its configuration data, but I doubt you will get much help with that here.

Detect a device from within a browser

Several platforms offer security mechanisms to identify if a user ever logged in from a certain device. If you log in from a computer you never did before, they'll ask you special questions on login. How do they recognize a device? Is this only done by geolocation (which would not cover multiple devices in the same region, would it?). Or only with cookies, which would cause trouble on cookie cleanup?
As far as I know, cookies are really the only way you can do this. The server stores whatever information about your device it can get from the browser in a cookie. By geolocation I assume you mean the location of the IP address.
The ones I've seen do this are all based on cookies and do cause trouble if users delete their cookies.
Doing this by IP address would cause headaches for anyone behind a web-proxy or shared connection. It would also be painful for mobile users in transit where the gateway is changing based on cell tower connections. Geolocation would also present problems for mobile users in transit.

How to block an IP address on internet correctly?

In some cases, you might want to block a hacker from your system by using IP addresses.
However, sometimes it is more difficult due to the existence of ISP proxies.
From the view of the system, we see a lot of traffic/connections/brute force/wrong passwords from the same IP, while it could be an HTTP proxy or IPv6 gateway or similar. But it might not be smart enough to tell whether that is normal or abnormal.
What's the suggested way to block that bad access without degrading the user experience (e.g. too many CAPTCHAs) for those who are innocent?
Don't know if you consider this "degrading user experience", but you can code MAX_TRIES for the login to give the user only a few tries to log in; then if all tries are wrong he is blocked from logging in for a while, to prevent brute forcing the login.
And for other connections you can install mod_bw for Apache, then limit the connections per IP using this htaccess directive:
MaxConnection all 3
You should limit the login rate for each UserId.
After X mistakes, you can block a UserId until the user replies to a special e-mail. This way, the user will also know that someone is trying to log into his account.
You can map the source IP address to a specific country, and allow a user to log in only from a predefined list of countries (user selection).
You can temporarily block a group of IP addresses (for example 172.16.254.*) if there are many false attempts from the same group. Many hackers just change the last octet.
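An added Python example (not from either answerer) of the two limits suggested above: a per-UserId failure counter that locks the account regardless of source IP, and a per-/24 counter that temporarily blocks the whole "last octet" group when many failures arrive from it. Thresholds, the lockout window and the IPs in the comments are constructed values.

```python
import ipaddress
from collections import defaultdict

MAX_TRIES_PER_USER = 5       # constructed thresholds; tune per deployment
MAX_TRIES_PER_GROUP = 20
LOCKOUT_SECONDS = 900


class LoginThrottle:
    """Tracks failed logins per user id and per source /24 (the 'last octet' group)."""

    def __init__(self):
        self.user_failures = defaultdict(list)    # user id -> failure timestamps
        self.group_failures = defaultdict(list)   # /24 network -> failure timestamps
        self.user_locked_until = {}
        self.group_locked_until = {}

    @staticmethod
    def group_of(ip: str) -> str:
        # 172.16.254.17 -> '172.16.254.0/24'; for IPv6 a /64 plays the same role
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    @staticmethod
    def _prune(timestamps, now):
        # Only failures inside the lockout window count towards the limit
        timestamps[:] = [t for t in timestamps if now - t < LOCKOUT_SECONDS]

    def is_blocked(self, user_id: str, ip: str, now: float) -> bool:
        grp = self.group_of(ip)
        return (self.user_locked_until.get(user_id, 0) > now
                or self.group_locked_until.get(grp, 0) > now)

    def record_failure(self, user_id: str, ip: str, now: float) -> None:
        grp = self.group_of(ip)
        for key, store, locks, limit in (
            (user_id, self.user_failures, self.user_locked_until, MAX_TRIES_PER_USER),
            (grp, self.group_failures, self.group_locked_until, MAX_TRIES_PER_GROUP),
        ):
            store[key].append(now)
            self._prune(store[key], now)
            if len(store[key]) >= limit:
                locks[key] = now + LOCKOUT_SECONDS
                store[key].clear()

    def record_success(self, user_id: str) -> None:
        # A successful login resets the per-user counter; the group counter is kept
        self.user_failures.pop(user_id, None)
```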
