Trusting self-reported IP address
From OWASP
Overview
Using a client's IP address as an authentication credential is flawed: the source address of a packet is self-reported by the sender and can easily be spoofed by malicious users.
Consequences
- Authentication: Malicious users can fake authentication information by forging the source address of their traffic, impersonating any IP address the application trusts.
Exposure period
- Design: Authentication methods are generally chosen during the design phase of development.
Platform
- Languages: All
- Operating platforms: All
Required resources
Any
Severity
High
Likelihood of exploit
High
Avoidance and mitigation
- Design: Use other means of identity verification that cannot be simply spoofed.
Discussion
As IP addresses can be easily spoofed, they do not constitute a valid authentication mechanism. Alternative methods should be used wherever meaningful authentication is required.
Examples
In C/C++ (the trusted address the original compares against is elided as "..."; the server accepts a datagram purely because of the source address it carries):
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#define MAX_MSG 1024
#define TRUSTED_IP "..."  /* the trusted address is elided on the original page */
int sd, n; char msg[MAX_MSG]; socklen_t clilen;
struct sockaddr_in serv, cli;
sd = socket(AF_INET, SOCK_DGRAM, 0);
serv.sin_family = AF_INET;
serv.sin_addr.s_addr = htonl(INADDR_ANY);
serv.sin_port = htons(1008);
bind(sd, (struct sockaddr *) &serv, sizeof(serv));
while (1) {
    memset(msg, 0x0, MAX_MSG);
    clilen = sizeof(cli);
    n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) &cli, &clilen);
    /* Flawed: the datagram's source address is the only "credential" checked,
       and that address is whatever the sender chose to put in the IP header. */
    if (strcmp(inet_ntoa(cli.sin_addr), TRUSTED_IP) == 0) {
        /* ... act on msg as if it came from the trusted host ... */
    }
}
In Java (the trusted address, expected request and secret are elided as "..." on the original page; the secret is sent back to whoever presents the trusted source address):
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
// Values elided ("...") on the original page; InetAddress.getByName will not resolve "..." as written.
InetAddress trustedAddr = InetAddress.getByName("...");
String expectedMsg = "...";
String secret = "...";
DatagramSocket outSock = new DatagramSocket(1008);
byte[] rData = new byte[1024];
while (true) {
    DatagramPacket rp = new DatagramPacket(rData, rData.length);
    outSock.receive(rp);
    String in = new String(rp.getData(), 0, rp.getLength());
    InetAddress IPAddress = rp.getAddress();
    int port = rp.getPort();
    // Flawed: the sender-supplied source address decides whether the secret is released.
    if (IPAddress.equals(trustedAddr) && in.equals(expectedMsg)) {
        byte[] out = secret.getBytes();
        DatagramPacket sp = new DatagramPacket(out, out.length, IPAddress, port);
        outSock.send(sp);
    }
}
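An added example, not from the OWASP page, contrasting the pattern in the two snippets above with one form of the mitigation the Discussion calls for: a server that releases the secret on proof of a shared key (an HMAC tag plus a one-time nonce) rather than on the reported source address. The addresses, key, datagram layout and function names are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed sample values for this example (not from the OWASP page).
TRUSTED_IP = "10.0.0.5"
SHARED_KEY = b"example-shared-key-rotate-in-real-deployments"
SECRET = b"the protected secret"
NONCE_LEN, TAG_LEN = 16, 32

def vulnerable_handle(src_ip: str, payload: bytes):
    """The pattern from the page's examples: the datagram's source address is the
    only credential, and that address is whatever the sender chose to write."""
    if src_ip == TRUSTED_IP:
        return SECRET
    return None

def make_tag(key: bytes, nonce: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 over nonce||payload; only a holder of the shared key can produce it."""
    return hmac.new(key, nonce + payload, hashlib.sha256).digest()

def build_request(key: bytes, payload: bytes) -> bytes:
    """Client side: nonce | tag | payload (a layout constructed for this example)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + make_tag(key, nonce, payload) + payload

class HardenedServer:
    """Decides on proof of key possession, not on the reported source address."""
    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()  # accepted nonces, so a captured datagram cannot be replayed

    def handle(self, src_ip: str, datagram: bytes):
        # src_ip is kept for logging only; it never influences the trust decision.
        if len(datagram) < NONCE_LEN + TAG_LEN:
            return None
        nonce = datagram[:NONCE_LEN]
        tag = datagram[NONCE_LEN:NONCE_LEN + TAG_LEN]
        payload = datagram[NONCE_LEN + TAG_LEN:]
        # Constant-time comparison so timing does not leak how many tag bytes matched.
        if not hmac.compare_digest(tag, make_tag(self.key, nonce, payload)):
            return None
        if nonce in self.seen_nonces:
            return None
        self.seen_nonces.add(nonce)
        return SECRET
```

A datagram that merely claims the trusted source address is accepted by `vulnerable_handle` and rejected by `HardenedServer.handle`, while a correctly tagged request is accepted once from any address and refused on replay.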

