Bypass Blocked IP with the X-Forwarded For Header

Rajanagori
2 min read · Jun 12, 2021

Have you ever been blocked by someone? How did it feel? An IP address feels the same when it gets blocked by a server or application because of access restrictions.

Good news!! You can bypass the restriction too…

A warm (45-degree-temperature) hello to all my security researchers. Today I will cover bypassing IP address restrictions on a server or web application.

But first, let’s discuss some points.

Sometimes the IP address is used for access control or rate limiting. If the client is behind a proxy, the proxy forwards the IP address of the client to the server in a specific header, X-Forwarded-For. In some cases, a client can use this header to spoof their own IP address.

IP Blocks

Some web applications or servers restrict access to certain IP addresses. This is common for administrative operations and interfaces: it is a good idea to restrict such an interface to the IP addresses known to be used by actual administrators.

To implement this, the web application checks the REMOTE_ADDR value that the web server passes through to the application.

Proxies

If the visitor is using a proxy, the REMOTE_ADDR field will contain the proxy's address instead of the visitor's. So that the visitor's address can still be seen, many proxies add a request header carrying it. This header is called X-Forwarded-For and contains the IP address of the client that connected to the proxy. The web application can then check the X-Forwarded-For header to determine the client's IP address.

Bypassing the IP block

The X-Forwarded-For header is usually set by a proxy, but it can also be added by an attacker. By supplying their own X-Forwarded-For header, an attacker can spoof their IP address. If IP blocking is implemented incorrectly, it can be bypassed by putting an allowed IP address in the header, even if the connection originated from a blocked IP address.

Here are some examples of projects that rely on the X-Forwarded-For header. Note that this does not always indicate a vulnerability. There are configurations in which the X-Forwarded-For header can be trusted, for example when it is set by a reverse proxy on the same host as the web application.

Solution

When using an IP block, a good approach is to check every IP address you are given against the block: deny access if either REMOTE_ADDR or any address in X-Forwarded-For matches the block. This also makes it harder for somebody to bypass the block by going through a proxy.

If this is not possible, the application should be configured to either trust or ignore the X-Forwarded-For header.
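As an added example (not code from the original post), here is the flawed check described above beside the check the post recommends, in Python with constructed addresses; the blocked range and sample addresses are assumptions for illustration:

```python
import ipaddress

# Constructed sample policy (assumption for this example): block one range.
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def is_blocked(addr):
    return any(addr in net for net in BLOCKED_NETWORKS)


def parse_xff(header):
    """Split an X-Forwarded-For value into addresses.

    Returns None if any entry is unparsable, so callers can fail closed
    instead of silently treating garbage as "no header".
    """
    addrs = []
    for part in (header or "").split(","):
        part = part.strip()
        if not part:
            continue
        try:
            addrs.append(ipaddress.ip_address(part))
        except ValueError:
            return None
    return addrs


def allow_insecure(remote_addr, xff=None):
    """The flawed pattern: if the header is present, it replaces REMOTE_ADDR.

    Anyone can send the header, so a blocked client simply writes an
    unblocked address into it and the check never sees the real address.
    """
    chain = parse_xff(xff)
    client = chain[0] if chain else ipaddress.ip_address(remote_addr)
    return not is_blocked(client)


def allow_hardened(remote_addr, xff=None):
    """The post's recommendation: test every address on the path.

    REMOTE_ADDR is always checked, and so is each X-Forwarded-For entry;
    a forged header can therefore only add addresses, never hide one.
    A malformed header is rejected outright.
    """
    chain = [ipaddress.ip_address(remote_addr)]
    forwarded = parse_xff(xff)
    if forwarded is None:
        return False  # unparsable header: fail closed
    chain.extend(forwarded)
    return not any(is_blocked(addr) for addr in chain)
```

For an allowlist (admin interface) the same rule is not enough on its own: the header can only be believed when REMOTE_ADDR is a reverse proxy you operate, otherwise it must be ignored, as the post says.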

Do CLAP if you find this blog useful.

Contact me :

LinkedIn 😄:https://www.linkedin.com/in/raja-nagori/

Twitter 😄: https://twitter.com/RajaNagori7
