Prevent X-Forwarded-For Spoofing or Manipulation

Prevent X-Forwarded-For Spoofing or Manipulation

When using an inline proxy like our ADC-as-a-Service or Web Application and API Protection service, you ’ ll frequently want to know the original client IP address for security, to track in your logs for stats or for other reasons.

In our KB article entitled Getting the original node IP with X-Forwarded-For in your code, we ’ ve already discussed how to enable and capture this information using an HTTP heading called X-Forwarded-For (XFF). But in this article, we ’ rhenium going to discuss an important rationality why you may wish to rename this header to something less common .
In our other articles, we stick with the diligence standard and frequently suggest naming this header X-Forwarded-For because many appliances, systems and servers have functionality built-in to capture this data by out-of-the-box with comfort. And while this might be the easy thing to do, it may not be the most batten. many other cloud providers do not allow you to change the identify of this header, but at Total Uptime, we do, and in here we ’ ll explain why .

The most common X-Forwarded-For header problem

Have you ever seen an X-Forwarded-For HTTP header look like this :
In the above sample, there are two IP addresses in the header. If at first glance you think this is invalid, it ’ s actually not. According to IETF RFC 2616, Section 4.2, multiple proxies between the customer and your server are permitted to simply append the IP to the heading. therefore here, the first IP might be an on-premise proxy, and the 2nd IP is probably the one that the Total Uptime network inserted ( assuming you ’ ve enabled this sport, of course ) .
If your world wide web lotion is coded to plainly grab the first or leftmost IP address in the list, the above is one example where you ’ five hundred be grabbing the faulty one. A non-routable private IP address won ’ t give you any valuable information about the customer. And even if it is a routable IP, do you know that it is the right one ? If you think merely modifying your code to grab the rightmost one from the string is the manner to go, you could besides run into trouble oneself. Do you have another load halter or proxy between entire Uptime and your servers ? If you do, you ’ ll be grabbing the IP of that device !
A number of technical posts online like to recommend writing a script to grab the leftmost IP that is not a secret, non-routable IP address, and there is deservingness to that think, but what about a duplicate proxy ? possibly the like drug user with an on-premise proxy is besides using an Internet proxy to obfuscate his/her whereabouts ? now the first two are not very the ones you want, but preferably it might be the 3rd one .


Because this is an optional header ( and one with X- at the beginning besides, which is supposed to mean it has however to become a standard, but that should be a divide rant and actually something that this IEFT draft recommended be deprecated ), it doesn ’ metric ton evening have to be an IP address ! A exploiter could put garbage in there when making the request. If you ’ ve always played with your browser ’ randomness developer tools, you know that you can specify headers when making requests, so why not specify the X-Forwarded-For header and put something useless in there like “ localhost ” or to be nefarious, an IP address that is legitimate, but not yours. The real spoofer likes to use proxy chaining excessively, and this combination makes it quite difficult to find the real IP.

What if we go the extra sea mile and put in a null byte ? now we ’ rhenium getting into furtive district ! possibly the exploiter very wants the waiter to throw a 400 error so they can fingerprint the underlying function system, fill up the log files or some such. How about setting it to be a string of valid IP addresses, none of which are yours. If your code is configured to grab the 2nd one from the forget, do you know what you ’ rhenium snap up is legalize ?

A Real Solution to Prevent XFF Spoofing

As you can nowadays clearly see, X-Forwarded-For has a total of limitations and vulnerabilities. Well, possibly vulnerabilities is the wrong word, but we can decidedly agree that it could be quite unreliable. So what ’ s the solution ? How about a unlike HTTP header name !
Something that full Uptime supports where early warhead balancers or ADCs do not is allowing you to set any name for that header you want. If you go to the device edit dialogue and specify something different, like TUT-IP ( not a good mind, that ’ s just an easy model ), you can immediately configure your server ( or intermediate proxy ) to look for that alternatively. Why is that crucial ? Because it ’ s alone .

now, when connections are sent from the sum Uptime chopine to your devices, any existing X-Forwarded-For heading is passed along unchanged. The TCP Source IP is then entered into your fresh HTTP Header ( e.g. TUT-IP ) so you can more faithfully determine the actual connect IP savoir-faire to our chopine .

But wait, there’s more!

There are security experts out there who will say this is far from secure, and there is truth to that, but it is intelligibly more difficult to circumvent than the park implementation, and that ’ s the beginning home to start. then these experts will say that they can easily determine what the new HTTP header name is by making an HTTP request with the TRACE method .
And that ’ south dependable, such a scheme might reveal with that fresh HTTP heading name is because the TRACE method acting just echoes back to the customer whatever string has been sent to the server. sol when the nefarious individual sends his request, the load balancer adds the newfangled TUT-IP header and then sends it to the server and the server may oblige and send it back to the nefarious individual .
once the attacker knows what the header is, they can spoof it again. But we ’ ve opinion of that excessively, and if your modern network waiter doesn ’ metric ton have TRACE disabled by default option, you can go into the public face port options in our UI and turn off the HTTP trace method acting. While you ’ re there, you may want to turn off any of the ones you don ’ t need, which should truly only be GET, unless you accept form POSTs besides.


In decision, it ’ randomness quite possible to shore this up and make it far more difficult to spoof the connecting IP cover .
Looking for code samples for obtaining the X-Forwarded-For header ? Check out this article .

If your Cloud provider doesn’t offer customizable X-Forwarded-For capabilities, check out our Cloud Load Balancer!

generator :
Category : Website hosting

Leave a Reply

Your email address will not be published.