AttackFlow Findings Dictionary


Possible Insecure Use of X-Forwarded-For

By manipulating the value of the X-Forwarded-For HTTP header, hackers can access web pages or resources that are otherwise IP-restricted, or hide their attack footprints by causing log entries to record a wrong source IP address.

Severity

High

Fix Cost

Medium

Trust Level

Low

When a client connects to a server through a proxy or a load balancer, the server no longer sees the client's address directly, so the endpoint has to rely on custom HTTP headers that forward the identity of the connecting client.

The X-Forwarded-For (XFF) header is one of the most commonly used HTTP headers for that purpose. Each forwarding node appends the IP address of its direct client to it, using a comma as the separator, so the header records the path the HTTP connection took. However, HTTP is a text-based protocol and any part of its content is trivial to forge, so a malicious client may send an HTTP request such as the one below:

GET /authorize HTTP/1.1
Host: myserver.com
X-Forwarded-For: 127.0.0.1

Proxies and load balancers (when not configured to strip or overwrite the incoming header) append the connecting client's real IP address to the end of the existing value when they receive the above request, so the HTTP request becomes:

GET /authorize HTTP/1.1
Host: myserver.com
X-Forwarded-For: 127.0.0.1, 123.312.234.432

In application code it is hard to parse the above header correctly to get the original client's IP address, because the leftmost entry is whatever the client chose to send. By forging the XFF header in this way the client may reach unauthorized parts of an application, cause denial of service, or forge the IP addresses that get logged. Here's a C# (ASP.NET) code snippet that uses the X-Forwarded-For header to get the source IP address:

// Vulnerable: trusts the client-controlled leftmost entry of X-Forwarded-For.
string addr = Request.Headers["X-Forwarded-For"];
if (addr == null)
{
    addr = Request.UserHostAddress;
}
else
{
    addr = addr.Split(',')[0];
}

Note: The header name "X-Forwarded-For" may be replaced by other header names used for the same purpose, and the same weakness applies to them:

  • WL-Proxy-Client-IP,
  • Z-Forwarded-For,
  • Source-IP or
  • any other proprietary custom header names

Here's the equivalent Java servlet snippet, which reads the WL-Proxy-Client-IP header (the header set by the WebLogic proxy plug-in) to get the source IP address:

// Vulnerable: trusts the client-controlled leftmost entry of WL-Proxy-Client-IP.
String addr = request.getHeader("WL-Proxy-Client-IP");
if (addr == null)
{
    addr = request.getRemoteAddr();
}
else
{
    addr = addr.split(",")[0];
}

Note: The header name "WL-Proxy-Client-IP" may be replaced by other header names used for the same purpose, and the same weakness applies to them:

  • X-Forwarded-For,
  • Z-Forwarded-For,
  • Source-IP or
  • any other proprietary custom header names
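As an added illustration (not code from the AttackFlow page or product), the following Python compares the leftmost-entry parsing used in the two snippets above with a hardened resolution that walks the header from the right and skips the deployment's own proxies, then applies an IP allowlist with both approaches. The trusted-proxy ranges, the allowlist and the sample addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import ipaddress

# Constructed for this example: the address ranges of our own reverse proxies /
# load balancers. In a real deployment this comes from configuration, never from
# the request.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.10/32"),
]

# Constructed allowlist for an IP-restricted resource such as /authorize.
ALLOWED_CLIENTS = [ipaddress.ip_network("127.0.0.1/32")]


def parse_xff(header):
    """Split an X-Forwarded-For style value into its hops, leftmost (oldest) first."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def _to_ip(text):
    """Return an ip_address object, or None if the text is not a valid IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _in_any(ip, networks):
    return ip is not None and any(ip in net for net in networks)


def leftmost_client_ip(header, remote_addr):
    """The pattern from the snippets above: trust the leftmost entry.
    The leftmost entry is whatever the client chose to send, so it is forgeable."""
    hops = parse_xff(header)
    return hops[0] if hops else remote_addr


def rightmost_untrusted_client_ip(header, remote_addr):
    """Hardened resolution: walk the chain from the right (newest hop), skip our
    own proxies, and take the first address that is not one of them. Entries
    further left were written by parties we do not control and are ignored."""
    if not _in_any(_to_ip(remote_addr), TRUSTED_PROXIES):
        # The TCP peer is not one of our proxies, so nothing in the header was
        # appended by a party we trust: ignore it entirely.
        return remote_addr
    for hop in reversed(parse_xff(header)):
        ip = _to_ip(hop)
        if ip is None:
            # Our proxies only append valid peer addresses; a malformed entry
            # means the chain is not what they would have produced. Treat the
            # client as unknown and fall back to the peer address.
            return remote_addr
        if not _in_any(ip, TRUSTED_PROXIES):
            return str(ip)
    # Every hop was one of our proxies and no client address survived.
    return remote_addr


def is_allowed(header, remote_addr, resolver):
    """Apply the allowlist to the client address chosen by `resolver`."""
    return _in_any(_to_ip(resolver(header, remote_addr)), ALLOWED_CLIENTS)


if __name__ == "__main__":
    # Constructed scenario: real client 198.51.100.77 sends a forged header, and
    # our load balancer 203.0.113.10 appends the real address before forwarding.
    forged = "127.0.0.1, 198.51.100.77"
    peer = "203.0.113.10"
    print("leftmost :", leftmost_client_ip(forged, peer),
          "allowed =", is_allowed(forged, peer, leftmost_client_ip))
    print("hardened :", rightmost_untrusted_client_ip(forged, peer),
          "allowed =", is_allowed(forged, peer, rightmost_untrusted_client_ip))
```

The hardened function consults the header only when the TCP peer is one of the configured proxies, and it never returns an entry to the left of the first hop it does not recognise, so a client-supplied 127.0.0.1 can no longer satisfy the allowlist and the value written to logs is the address the proxy actually observed rather than one the client invented.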
