The client IP pitfalls of X-Forwarded-For

X-Forwarded-For definition

Here is the definition, in case anyone reading this post hasn't seen it yet (though I think we all have):

X-Forwarded-For: <client>, <proxy1>, <proxy2>

This is what you see on basically every page describing X-Forwarded-For. Is it any wonder that misuse is so common?

The X-Forwarded-For header cannot be trusted

First and foremost, you must always be aware that any XFF IP added (or appearing to have been added) by a proxy that is not under your control is completely unreliable. Any proxy can add, remove, or modify headers however it wants. The client can also set the header to whatever it wants in the first place, to get the spoofing ball rolling. For example, if you make this request to an AWS Load Balancer...

curl -X POST https://my.load.balanced.domain/login -H "X-Forwarded-For: 1.2.3.4, 11.22.33.44"

...the servers behind the load balancer will get the following:

X-Forwarded-For: 1.2.3.4, 11.22.33.44, <actual client IP>

and this:

curl -X POST https://my.load.balanced.domain/login -H "X-Forwarded-For: oh, hi,,127.0.0.1,,,,"

...will give you this:

X-Forwarded-For: oh, hi,,127.0.0.1,,,,, <actual client IP>

As you can see, everything that was already there is passed through unchanged and unvalidated. The actual client IP is simply appended to the end of the existing list.

(Besides curl and custom clients, there is at least one Chrome extension that lets you set XFF headers on browser requests. But how the header gets set is not important to us; the only thing that matters is that an attacker can do it.)

Summary

For the full details, refer to: The perils of the “real” client IP | adam-p

Let's summarize what we have learned, the wisdom we have gained, and the perspectives we have developed:

  • When deriving the "real client IP address" from the X-Forwarded-For header, use the rightmost IP in the list.

  • The leftmost IP in the XFF header is often considered "closest to the client" and "most authentic", but it is trivially spoofable. Don't use it for anything security related.

  • When selecting the rightmost XFF IP, be sure to use the last instance of that header if it appears more than once.

  • It may be fine to use a special "real client IP" header set by a reverse proxy (such as X-Real-IP or True-Client-IP), but that depends on a) how the reverse proxy behaves, b) whether a client can add or spoof that header, and c) how you configure the reverse proxy (sometimes).

  • Any header not explicitly set by your own reverse proxy cannot be trusted. For example, if you are not behind Nginx or something else that always sets X-Real-IP, you must not read X-Real-IP, because you will be reading spoofed values.

  • Many rate limiter implementations key on spoofable IPs and are therefore vulnerable to rate-limit bypass and memory exhaustion attacks.
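To make the two points above concrete (the pass-through-and-append behaviour shown in the curl examples, and the "rightmost IP from the last header instance" rule in this summary), here is an added Python example. It is not code from the original post or from the adam-p article it cites; it mimics the load balancer behaviour the post demonstrates, and the peer address 203.0.113.77 is a constructed sample value. The trusted_hops parameter is my own addition for the case where more than one proxy you control appends to the header.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample value: the real TCP peer address our load balancer sees.
PEER_IP = "203.0.113.77"


def _split_xff(header_values: Iterable[str]) -> List[str]:
    """Join every X-Forwarded-For instance in arrival order, split on commas,
    and drop blank elements. Joining all instances is equivalent to reading the
    last instance and is what most frameworks do when they coalesce repeated
    headers, so an extra header instance cannot hide the proxy-appended value."""
    joined = ",".join(header_values)
    return [part.strip() for part in joined.split(",") if part.strip()]


def _as_ip(value: str) -> Optional[str]:
    """Return the normalized IP literal, or None if the value is not an IP."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def simulate_proxy_append(incoming_xff: Optional[str], peer_ip: str) -> str:
    """Mimic what the post shows the AWS load balancer doing: pass whatever the
    client sent through untouched and append the real peer address at the end."""
    return peer_ip if not incoming_xff else f"{incoming_xff}, {peer_ip}"


def leftmost_client_ip(header_values: Iterable[str]) -> Optional[str]:
    """The common but unsafe derivation: take the first element.
    That element is wholly chosen by whoever sent the request."""
    parts = _split_xff(header_values)
    return _as_ip(parts[0]) if parts else None


def rightmost_client_ip(header_values: Iterable[str], trusted_hops: int = 0) -> Optional[str]:
    """The safe derivation. The rightmost element was appended by the proxy we
    control, so it is the only one an outside client cannot pick.

    trusted_hops is the number of additional proxies of our own that sit behind
    the edge load balancer and also append to the header; each contributes one
    trustworthy element that we skip. If the element we land on is not an IP
    literal, the request did not arrive through our proxy as expected, so we
    return None instead of falling back to a value further left (which an
    attacker could steer)."""
    parts = _split_xff(header_values)
    index = len(parts) - 1 - trusted_hops
    if index < 0:
        return None
    return _as_ip(parts[index])


if __name__ == "__main__":
    # Replay the post's spoofed request as it would look at the backend.
    at_backend = simulate_proxy_append("1.2.3.4, 11.22.33.44", PEER_IP)
    print("header at backend:", at_backend)
    print("leftmost (attacker-chosen):", leftmost_client_ip([at_backend]))
    print("rightmost (proxy-appended):", rightmost_client_ip([at_backend]))
    # The junk-filled variant from the post still yields the appended peer IP.
    junk = simulate_proxy_append("oh, hi,,127.0.0.1,,,,", PEER_IP)
    print("rightmost from junk header:", rightmost_client_ip([junk]))
```

Note that rightmost_client_ip deliberately refuses to "search leftwards for the first thing that looks like an IP": that fallback is exactly what turns a harmless malformed header into an attacker-controlled rate-limiter key.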

If you use a "real client IP" anywhere in your code or infrastructure, you need to check right away how it is being derived.

I'll avoid saying that you must only ever use the rightmost XFF IP and never the leftmost. But, seriously, don't use the leftmost.


Source: blog.csdn.net/yangyangye/article/details/132739704