3

A friend of mine had a job interview and was asked few multichoice questions. One of the question was

Which of those can be manipulated on client side: cookie data, session data, remote ip, user agent

I'd say that session is the only one you cannot mainpulate (I mean, you can hijack it etc but you cannot change it's data as questions suggests)

What do you think?

Sebastien C.
  • 4,649
  • 1
  • 21
  • 32
vault-boy
  • 523
  • 1
  • 6
  • 18

2 Answers2

3

Cookie data and user agent can obviously be manipulated at will.

Just like you said session data itself can't be manipulated, you can only hijack sessions, steal the cookies used to associate a user with a session,...

Remote IP is a difficult call. Since http is based on TCP you can't fake arbitrary remote IPs. You can hide your real IP using proxies. But to fake another IP you need to be able to receive packets addressed to that IP. And you usually can do that only if you're part of the route to that IP. Related old question Application Security Concerns: How easy is it to fake an IP-Address?

Community
  • 1
  • 1
CodesInChaos
  • 106,488
  • 23
  • 218
  • 262
  • You can also manipulate the X-Forwarded-For Header in the HTTP request. You can basically use any IP and some scripts/websites will believe that this is actually the client's IP. This way, you could actually say you're localhost (127.0.0.1) and even iptables won't be able block the request because the IP address the real destinator is a valid address from the internet. (i.e. never, ever trust X-Forwarded-For). – Matt3o12 Sep 30 '14 at 20:46
  • @Matt3o12 In my answer I was talking about the TCP/IP level remote IP. `X-Forwarded-For` should be trusted iff it has been added by a trusted (reverse) proxy. That's why code that checks if the header is present and defaults to the lower level IP if not is broken by design. Either you have a trusted proxy, or you don't. – CodesInChaos Oct 01 '14 at 07:58
  • @CodeslnChaso I just know only site that used that trying to prevent "scammers" that use proxies :) – Matt3o12 Oct 01 '14 at 20:04
2

Cookie data and user agent can are fully client-provided, i.e. can be manipulated.

IP address can be spoofed (with local access and/or technical and organizational know-how), but it will always be in a valid format, i.e. never an arbitrary string.

Session data is managed by the server itself, and cannot be manipulated. However, an attacker may associate with a different session, for example by capturing the cookie of another user.

phihag
  • 278,196
  • 72
  • 453
  • 469