Friday, 20 December 2013

Spoofing X-Forwarded-For... What Happens?

As explained in a previous post, X-Forwarded-For can be used by web servers to detect the use of a proxy server. By comparing the IP address of the client with the IP address in the X-Forwarded-For field, it is possible to say whether the end user is connecting to the server via an HTTP proxy server.

Suppose the end user IP address is x.x.x.x and proxy IP address is y.y.y.y. For the web server's point of view, proxy server is the client with IP address is y.y.y.y. Since the end user is connecting to the web server via the proxy server, the X-Forwarded-For field will have the IP address x.x.x.x when the request reaches the web server. At the web server, if a comparison is made the client IP address (y.y.y.y) is obviously different from the IP address in X-Forwarded-For field (x.x.x.x). Hence this indicates the use of a proxy server.

Now you may think by spoofing the X-Forwarded-For field by setting the value to y.y.y.y (which is the proxy IP) it is possible to hide the use of a proxy server. This is not always true, which can be seen from the following demo Python script.

Output of the above Python script is:

No comments:

Post a Comment