ntp published an interesting conversation today on sla.ckers.org discussing the IP trust relationships that web applications often have. It might sound crazy that one site should trust anything at all, but I’ve seen countless examples where certain IPs are simply ignored by security systems, purely because they are believed to be secure. First of all, insiders represent a majority of corporate hacks. Secondly, every day, on this website and on sla.ckers.org, we are finding IPs that are untrustworthy, regardless of the brand associated with them.
To elaborate on ntp’s thoughts, let me give you a 95% real world scenario that I’ve actually seen. There is an online credit card processor that actually uses IP based authentication for adding user accounts to your database. Not only is that scary, but it’s highly probable that the usernames could include SQL injection. Not because the credit card processor would allow that through, but because the scripts that run on your server trust whatever is sent through the credit card processor. Now let’s assume for a second that the credit card processor’s machine is a windows box, and runs a remote desktop.
Someone at that company could easily be subverted into clicking a link (I tell them that for some reason I can’t get a connection between their server and my own, so they must log in to verify it). When they click the link, it performs actions on their behalf (beyond connecting to my machine). Normally that wouldn’t be a big deal. They aren’t authenticated to anything, and they may have never used that account before. However, because of the IP trust relationships between their IP and every one of the merchants that they service, I can now add user accounts to as many merchants as I can reasonably reach in the time the browser is left open. Not only that, but I can use SQL injection to pull other user accounts, delete databases, or do whatever else I choose to the database.
Suddenly the trust relationship has allowed major security issues, due to the privileged nature of the credit card processor. Nasty. There are all sorts of these IP based trust relationships on the Internet, because there is really no other good way to know who a user is before they have authenticated. Nasty, and a very overlooked attack vector.
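To make the defensive point concrete, here is an added example (not code from the post or from any real processor) contrasting the weak pattern described above with a hardened receiver on the merchant side. Both handlers, the processor IP (a documentation-range address), the shared secret, and the `add_user` request shape are constructed assumptions. The weak handler accepts a request on source IP alone and pastes the relayed username into the SQL text; the hardened one treats the IP as defence in depth only, proves origin with an HMAC over the request body, bounds replay with a timestamp, validates the fields, and binds them as parameters so they can never become SQL.

```python
import hmac
import hashlib
import json
import re
import sqlite3

# Constructed values for the example: a documentation-range IP for the processor
# and a placeholder shared secret (a real one would be provisioned out of band).
TRUSTED_PROCESSOR_IPS = {"203.0.113.10"}
SHARED_SECRET = b"placeholder-shared-secret-change-me"
MAX_CLOCK_SKEW = 300  # seconds a signed request stays acceptable
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def new_db():
    """In-memory table standing in for the merchant's user database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, merchant_id TEXT NOT NULL)"
    )
    return db


def add_user_ip_trust(db, remote_ip, body):
    """Weak pattern from the post: the only check is the caller's IP, and whatever
    the processor relays is pasted straight into the SQL text."""
    if remote_ip not in TRUSTED_PROCESSOR_IPS:
        return "rejected: untrusted ip"
    sql = "INSERT INTO users VALUES ('%s', '%s')" % (
        body["username"], body["merchant_id"])
    db.execute(sql)
    db.commit()
    return "ok"


def canonical(body, ts):
    """Deterministic bytes to sign: sorted compact JSON plus the timestamp."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return payload + b"|" + str(ts).encode()


def sign(body, ts, secret=SHARED_SECRET):
    """HMAC-SHA256 the processor attaches; the merchant recomputes it to verify."""
    return hmac.new(secret, canonical(body, ts), hashlib.sha256).hexdigest()


def add_user_signed(db, remote_ip, body, ts, sig, now):
    """Hardened handler: IP is defence in depth, origin is proven by the HMAC,
    replay is bounded by the timestamp, fields are validated, SQL is parameterised."""
    if remote_ip not in TRUSTED_PROCESSOR_IPS:
        return "rejected: untrusted ip"
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return "rejected: stale timestamp"
    # constant-time comparison; a missing signature compares as the empty string
    if not hmac.compare_digest(sign(body, ts), sig or ""):
        return "rejected: bad signature"
    username = body.get("username", "")
    merchant = body.get("merchant_id", "")
    if not USERNAME_RE.match(username) or not USERNAME_RE.match(merchant):
        return "rejected: invalid field"
    # parameter binding: the values are data to the driver, never query text
    db.execute("INSERT INTO users VALUES (?, ?)", (username, merchant))
    db.commit()
    return "ok"


def lookup(db, username):
    """Return the merchant_id stored for a username, or None."""
    row = db.execute(
        "SELECT merchant_id FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = new_db()
    body = {"username": "alice", "merchant_id": "m-42"}
    print("ip-only handler:", add_user_ip_trust(db, "203.0.113.10", body))
    db = new_db()
    ts = 1_700_000_000
    print("signed, no sig:", add_user_signed(db, "203.0.113.10", body, ts, None, ts))
    print("signed, valid:", add_user_signed(db, "203.0.113.10", body, ts, sign(body, ts), ts))
```

The point of the contrast is that the hardened handler still works when the processor's browser is driven by someone else: a forged request carries no valid signature, a captured one expires, and a username that is not a plain identifier is refused before it reaches the database. The IP check stays as a cheap extra filter, but nothing depends on it alone.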