The X-Forwarded-For (XFF) HTTP header field is used to identify the originating IP address of a client connecting to a web server through an HTTP proxy (Wikipedia article on X-Forwarded-For HTTP header field). This field, if set or modified by the proxy server, enables a web server to detect whether a client/browser is connecting directly or via a proxy server.
The following simple Python script shows the difference in the HTTP request headers when a programmatic HTTP request is made via a proxy server.
import lxml.html as lh
import urllib2

# Page that echoes back the request headers it received
url = "http://www.murl.mobi/headers.php"
http_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:25.0) " +
                "Gecko/20100101 Firefox/25.0"}
request_object = urllib2.Request(url, None, http_headers)
# XPath of the element on that page that lists the received headers
xpath_s = "/html/body/table/tr[2]/td/table/tr/td[2]/div[2]/text()"

# First request: direct connection, no proxy
doc = lh.parse(urllib2.urlopen(request_object))
headers = doc.xpath(xpath_s)
print 'Output of the first request without the use of a proxy server'
print '\n'.join(headers)

# Installing proxy server details to be used by urllib2
proxy = urllib2.ProxyHandler({'http': '65.182.107.98:3128'})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)

# Second request: same request object, now sent through the proxy
doc = lh.parse(urllib2.urlopen(request_object))
headers = doc.xpath(xpath_s)
print 'Output of the second request with the use of a proxy server'
print '\n'.join(headers)
Output of the above Python script is:
Output of the first request without the use of a proxy server
Accept-Encoding: identity
Host: www.murl.mobi
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0
Output of the second request with the use of a proxy server
Accept-Encoding: identity
Host: www.murl.mobi
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0
X-Forwarded-For: xxx.xxx.xxx.xxx
As we can see from the output, there is an extra field (X-Forwarded-For) present in the HTTP request header when the web request is made via an HTTP proxy server. Hence, using this field, the web server can easily identify that this request is made via a proxy server. A simple comparison of the value of 'X-Forwarded-For' with the source IP of the TCP connection (in this case it is the proxy IP of 65.182.107.98) will reveal the truth.
Note that I have masked my source IP address (xxx.xxx.xxx.xxx). If you run the above script you will see your actual source IP address (without mask) as the value for the X-Forwarded-For field.
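The server-side comparison described above, written out as an added example (Python 3; not part of the original post). The function names and verdict labels are hypothetical, and 203.0.113.7 is a constructed client address from the documentation range standing in for the masked one.

```python
import ipaddress

def parse_xff(value):
    """Return the valid IP addresses in an X-Forwarded-For value, left to right."""
    hops = []
    for token in value.split(","):
        try:
            hops.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            continue  # skip "unknown", hostnames and other non-IP tokens
    return hops

def classify_request(peer_ip, headers):
    """Compare the TCP source address with X-Forwarded-For.

    Returns (verdict, claimed_client). The header is supplied by the sender,
    so claimed_client is a claim to log, not a verified address.
    """
    peer = ipaddress.ip_address(peer_ip)
    # Header names are case-insensitive
    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), None)
    if xff is None:
        return ("no-xff", None)        # direct, or a proxy that omits the header
    hops = parse_xff(xff)
    if not hops:
        return ("malformed-xff", None)
    claimed = hops[0]                  # left-most entry: the originating client
    if claimed == peer:
        return ("xff-matches-peer", str(claimed))
    return ("proxied", str(claimed))   # peer is relaying for someone else

# Constructed sample requests modelled on the output above
BASE = {"Host": "www.murl.mobi", "Connection": "close"}
DIRECT = ("203.0.113.7", dict(BASE))
VIA_PROXY = ("65.182.107.98", dict(BASE, **{"X-Forwarded-For": "203.0.113.7"}))

if __name__ == "__main__":
    for peer_ip, hdrs in (DIRECT, VIA_PROXY):
        print(peer_ip, classify_request(peer_ip, hdrs))
```

A "no-xff" verdict does not prove a direct connection, since a proxy is free to omit the header.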