Why do you think Dan might not be able to get an interactive session?

Dan is conducting a penetration test and has found a vulnerability in a web application that gave him the sessionID token via a cross-site scripting vulnerability. Dan wants to replay this token. However, the session ID manager (on the server) also checks the originating IP address. Dan decides to spoof his IP address in order to replay the sessionID. Why do you think Dan might not be able to get an interactive session?

A.
Dan cannot spoof his IP address over a TCP network

B.
The server will send replies back to the spoofed IP address

C.
Dan can establish an interactive session only if he uses a NAT

D.
The scenario is incorrect as Dan can spoof his IP and get responses

Explanation:
Spoofing your IP address is only effective when there is no need to establish a two-way connection, because all traffic meant to go to the attacker will end up at the spoofed address instead.



seenagape

I have the same idea. B