Dan is conducting penetration testing and has found a vulnerability in a Web Application which
gave him the sessionID token via a cross site scripting vulnerability. Dan wants to replay this
token. However, the session ID manager (on the server) checks the originating IP address as well.
Dan decides to spoof his IP address in order to replay the sessionID. Why do you think Dan might
not be able to get an interactive session?
A.
Dan cannot spoof his IP address over TCP network
B.
The scenario is incorrect as Dan can spoof his IP and get responses
C.
The server will send replies back to the spoofed IP address
D.
Dan can establish an interactive session only if he uses a NAT
C is the Ans.