
X-Forwarded-For Header Trick

Discussion in 'C, C++, C#' started by websicosys, Feb 7, 2010.

  1. websicosys

    websicosys Newbie

    Joined:
    Jan 17, 2010
    Messages:
    39
    Likes Received:
    40
    Coders, just wanted to give you a heads up about this...

    As many of you know, 80-90% of public proxies add a parameter called "X-Forwarded-For: [IP_Address]" where [IP_Address] is your real IP address. Most major websites check for the presence of this extra header. If they determine that the header is present, usually they will add an extra captcha, or pull some other weird trick.

    Recently I noticed a certain website (that will remain nameless) that checks for the presence of the X-Forwarded-For header. It appears that it goes a step further and determines if the header contains a local IP address (like 10.X.X.X, 192.168.X.X, etc.) and if it does not contain a local IP address, then it counts the action against the IP address present in the header, and not against the IP address that actually sent the request.

    So for example, if I sent this:
    Code:
    POST /submit.php
    (Other Headers)
    X-Forwarded-For: 192.168.5.32
    
    The website will detect that the X-Forwarded-For supplied IP address is a local address, and will count the allowed number of actions against the actual IP address.
    BUT
    What if I send this packet?
    Code:
    POST /submit.php
    (Other Headers)
    X-Forwarded-For: 72.93.23.5
    
    The website will detect that the X-Forwarded-For supplied IP address is a real address, and will try to be slick, and count the allowed number of actions against the supplied IP.

    The trick, obviously, is to send that header, but to use a fake IP address. That way, you don't need any proxies, and you essentially have an unlimited amount of requests. Cool, huh?

    Some tips:
    • Make sure this works. Extensive testing is required to verify that the website is accepting the spoofed IP address.
    • Some websites will actually block you immediately if they detect the X-Forwarded-For header.
    • Be careful with this. If the administrator discovers what you've done, they probably won't play nice. Consider doing this on a VPS/VPN or a SOCKS proxy that won't create the header.

    Good luck, coders!
     
    • Thanks Thanks x 8
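    The behaviour described in this post only works because the site trusts X-Forwarded-For no matter who sent it. As an added example (not code from the thread), here is a Python helper that honours the header only when the connection actually arrives from one of the site's own proxies and otherwise keys on the TCP peer; the proxy range and the test addresses are constructed for the example.

```python
import ipaddress

# Constructed for this example: the only hosts allowed to set X-Forwarded-For
# are our own reverse proxies / load balancers on this internal range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _parse(text):
    """Parse one address, returning None for anything malformed."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header=None):
    """Return the address a rate limiter should key on.

    remote_addr is the TCP peer the server actually accepted the connection
    from. X-Forwarded-For is consulted only if that peer is one of our
    proxies; otherwise the header is whatever the sender typed and is
    ignored. The chain is walked right to left because each proxy appends
    the peer it saw, so the rightmost entry not belonging to us is the one
    our edge appended, and anything left of it was supplied by the client.
    """
    peer = _parse(remote_addr)
    if peer is None:
        raise ValueError("remote_addr is not an IP address")
    if not xff_header or not _trusted(peer):
        return str(peer)
    for hop in reversed(xff_header.split(",")):
        ip = _parse(hop)
        if ip is not None and _trusted(ip):
            continue  # another of our own proxies; keep walking left
        if ip is None or ip.is_private:
            # Malformed or non-routable (10.x, 192.168.x, ...): not a usable
            # identity, so charge the request to the proxy that delivered it.
            return str(peer)
        return str(ip)
    # Every hop was one of our proxies; nothing left to attribute to.
    return str(peer)
```

    With this rule, a direct client sending a forged header is still counted against its own address, and a forged entry sent through a real proxy lands to the left of the proxy-appended one and is never reached.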
  2. divinci

    divinci Junior Member

    Joined:
    Sep 25, 2007
    Messages:
    111
    Likes Received:
    15
    hmm thanks for the info... let me get this straight

    so the big G for example... (or another site)

    It has a limit to the number of requests that a single IP can request.

    BUT what if a company proxy has 10K employees behind it? Google has to honour those requests.

    SO!! Google reads the X-Forwarded header, and uses that as an 'IP End Point' if it is a local address...

    SO! crafting your HTTP request, with a 255.0.0.0 subnet = more requests allowed??

    nice....



    can you PM me the site? :) :) pretty please :) :)
     
  3. SpazzyMcSpazz

    SpazzyMcSpazz Regular Member

    Joined:
    Apr 20, 2009
    Messages:
    261
    Likes Received:
    76
    interesting stuff

    edit: sorry, I just realized I was saying essentially the same thing. I think I remember someone saying you could watch hulu.com outside the US by spoofing the X-Forwarded-For with a US IP. I probably tried it but I'd remember if it worked. This local IP actually sounds legit though.
     
    Last edited: Feb 11, 2010
  4. divinci

    divinci Junior Member

    Joined:
    Sep 25, 2007
    Messages:
    111
    Likes Received:
    15
    And my edit :- a 255.0.0.0 isn't possible

    would be a 255.255.0.0 - maybe conforming to the 10.200.x.x RFC that Cisco endorses.

    Anyway :- what would be great is to see if PHP/IIS etc. classes the X-Forwarded header as the remoteIpEndPoint in any situation... I don't think so but will test when I have time

    but tbh all I am interested at the moment is whether the holy Grail - big g - puts any weight on the header