Friday, 20 December 2013

Spoofing X-Forwarded-For... What Happens?

As explained in a previous post, X-Forwarded-For can be used by web servers to detect the use of a proxy server. By comparing the IP address of the connecting client with the IP address in the X-Forwarded-For field, it is possible to tell whether the end user is connecting to the server via an HTTP proxy server.

Suppose the end user's IP address is x.x.x.x and the proxy's IP address is y.y.y.y. From the web server's point of view, the proxy server is the client, with IP address y.y.y.y. Since the end user connects to the web server via the proxy server, the X-Forwarded-For field carries the IP address x.x.x.x when the request reaches the web server. If the web server compares the two, the client IP address (y.y.y.y) obviously differs from the IP address in the X-Forwarded-For field (x.x.x.x), which indicates the use of a proxy server.

Now you may think that by spoofing the X-Forwarded-For field, setting its value to y.y.y.y (the proxy IP), it is possible to hide the use of a proxy server. This is not always true, as the following demo Python script shows.



Output of the above Python script is:



Monday, 9 December 2013

X-Forwarded-For: Proxy Server Detection

Did you know that it may be possible to detect your actual IP address (source IP) even when a proxy server is used? Yes, it is possible most of the time. Read on and I will explain how.

The X-Forwarded-For (XFF) HTTP header field is used for identifying the originating IP address of a client connecting to a web server through an HTTP proxy (Wikipedia article on the X-Forwarded-For HTTP header field). This field, if set or modified by the proxy server, enables a web server to detect whether a client/browser is connecting directly or via a proxy server.

The following simple Python script shows the difference in the HTTP request headers when a programmatic HTTP request is made via a proxy server.



Output of the above Python script is:



As we can see from the output, there is an extra field (X-Forwarded-For) present in the HTTP request headers when the web request is made via an HTTP proxy server. Hence, using this field the web server can easily identify that the request was made via a proxy server. A simple comparison of the value of 'X-Forwarded-For' with the source IP of the TCP connection (in this case the proxy IP, 65.182.107.98) reveals it.

Note that I have masked my source IP address (xxx.xxx.xxx.xxx). If you run the above script you will see your actual source IP address (without the mask) as the value of the X-Forwarded-For field.
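Both X-Forwarded-For posts (the detection post here and the spoofing post dated 20 December) hinge on the same server-side comparison. The script below is an added example, not the author's script or output: it models a forwarding proxy that appends the address it received the connection from to any X-Forwarded-For value already present (the common behaviour of forwarding proxies, assumed here rather than taken from the posts), and a server-side check that compares the TCP peer address with the parsed header chain. The addresses are constructed from the RFC 5737 documentation ranges and the function names are my own.

```python
"""Simulate how X-Forwarded-For (XFF) evolves as a request crosses a proxy,
and how a web server can use it to detect proxy use.

Added example. The proxy behaviour modelled here (appending the connecting
client's address to any XFF value already present) is the common behaviour
of forwarding proxies and is an assumption, not a property of any product.
"""
from ipaddress import ip_address

XFF = "X-Forwarded-For"


def proxy_forward(headers, connecting_ip):
    """Model a forwarding proxy: append the address it received the
    connection from to X-Forwarded-For (creating the field if absent)."""
    forwarded = dict(headers)
    existing = forwarded.get(XFF)
    forwarded[XFF] = f"{existing}, {connecting_ip}" if existing else connecting_ip
    return forwarded


def parse_xff(value):
    """Split an XFF value into a list of addresses; drop unparsable tokens."""
    addrs = []
    for token in value.split(","):
        token = token.strip()
        try:
            addrs.append(str(ip_address(token)))
        except ValueError:
            # Client-supplied data is untrusted: ignore junk rather than crash.
            continue
    return addrs


def detect_proxy(remote_addr, headers):
    """Server-side check: compare the TCP peer address with the XFF chain.

    Returns (via_proxy, reason). Any XFF entry that differs from the peer
    address means some hop other than the peer originated the request.
    """
    value = headers.get(XFF)
    if value is None:
        return False, "no X-Forwarded-For header"
    chain = parse_xff(value)
    if not chain:
        return False, "X-Forwarded-For present but contained no valid address"
    if all(addr == remote_addr for addr in chain):
        # Every listed hop is the peer itself: indistinguishable from a
        # direct request that simply carries a forged header.
        return False, "X-Forwarded-For only repeats the peer address"
    others = [a for a in chain if a != remote_addr]
    return True, f"X-Forwarded-For names other hops: {', '.join(others)}"


def scenario(client_headers, client_ip, proxy_ip, via_proxy):
    """Run one request end to end and return the server's verdict."""
    if via_proxy:
        headers, peer = proxy_forward(client_headers, client_ip), proxy_ip
    else:
        headers, peer = dict(client_headers), client_ip
    return detect_proxy(peer, headers)


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation ranges.
    CLIENT, PROXY = "198.51.100.10", "203.0.113.5"
    # 1. Honest request through the proxy: XFF = client, peer = proxy.
    print(scenario({}, CLIENT, PROXY, via_proxy=True))
    # 2. Client pre-sets XFF to the proxy IP, then goes through the proxy:
    #    the proxy appends the real client address, so the chain still
    #    contains a hop other than the peer.
    print(scenario({XFF: PROXY}, CLIENT, PROXY, via_proxy=True))
    # 3. Direct request whose forged XFF equals the peer: nothing to detect.
    print(scenario({XFF: CLIENT}, CLIENT, PROXY, via_proxy=False))
```

Scenario 2 is the case the 20 December post describes: the client sets X-Forwarded-For to the proxy's address, but because the modelled proxy appends rather than replaces, the server still sees a second hop. Scenario 3 shows the limit of the check: with no appending hop in the path, a forged header that merely repeats the peer address is indistinguishable from a direct request, so the header must be treated as untrusted input and never relied on by itself for access decisions or for logging a "true" client address.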

Check out this informative article on Typosquatting: Typosquatting


Thursday, 5 December 2013

Significance of the User-Agent Field: Detection of Automated/Programmatic HTTP Requests....!

Suppose you request a web page using a program, say a Python script. Have you ever wondered whether a web server can differentiate it from a manual request made by a user via a web browser, say Firefox? Yes, it is possible for the web server to differentiate the two using various methods. One such method is analyzing the value of the 'User-Agent' field in the HTTP request headers sent by the client.

You can see the difference from the output of the following Python script:

The output of the above script is:
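To show what a server can do with the User-Agent field, here is an added example that is not the post's script: it parses constructed web-server log lines in the combined log format and classifies each request as browser-like, automated (HTTP libraries and command-line tools) or missing a User-Agent entirely. The marker list and the browser pattern are heuristics I chose for illustration; the log lines and addresses are constructed.

```python
"""Classify requests as browser-like or automated from the User-Agent header.

Added example, not the post's script. The log lines below are constructed,
and the classification rules are a starting heuristic, not a complete list.
"""
import re

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings typical of HTTP libraries and command-line tools (lower-case).
AUTOMATED_MARKERS = (
    "python-urllib", "python-requests", "curl/", "wget/", "libwww-perl",
    "go-http-client", "java/", "httpclient", "okhttp", "scrapy", "bot",
)
# Browser UAs start with the Mozilla/5.0 product token and name an engine.
BROWSER_RE = re.compile(r"^Mozilla/5\.0 \(.+\).*(Gecko|AppleWebKit|Trident)")


def classify_user_agent(ua):
    """Return 'missing', 'automated', 'browser' or 'unknown'."""
    if not ua or ua == "-":
        return "missing"  # browsers always send one; scripts often do not
    lowered = ua.lower()
    if any(marker in lowered for marker in AUTOMATED_MARKERS):
        return "automated"
    if BROWSER_RE.match(ua):
        return "browser"
    return "unknown"


def parse_log_line(line):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count classifications over a batch of log lines; skip unparsable ones.

    Returns (counts, flagged) where flagged lists every non-browser request.
    """
    counts = {"missing": 0, "automated": 0, "browser": 0, "unknown": 0}
    flagged = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        label = classify_user_agent(rec["ua"])
        counts[label] += 1
        if label != "browser":
            flagged.append((rec["ip"], label, rec["ua"]))
    return counts, flagged


# Constructed sample log lines (RFC 5737 addresses, invented timestamps).
SAMPLE_LOG = [
    '198.51.100.10 - - [05/Dec/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"',
    '198.51.100.11 - - [05/Dec/2013:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Python-urllib/2.7"',
    '198.51.100.12 - - [05/Dec/2013:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"curl/7.33.0"',
    '198.51.100.13 - - [05/Dec/2013:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "-"',
    "not a log line",
]

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    print(counts)
    for ip, label, ua in flagged:
        print(f"{ip}\t{label}\t{ua}")
```

The User-Agent value is set by the client, so a script can send a browser's string and land in the "browser" bucket; this check is therefore a cheap first filter for logging and alerting, to be combined with other signals rather than used as a gate on its own.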