Why can the X-Forwarded-For HTTP header take any value as a parameter? - http

I am currently working through the PortSwigger Academy labs. There was one lab where you had to alter the IP address in order to bypass the login cool-off. The solution was to add the X-Forwarded-For header and use a different IP address on every single try. I figured that I could use any value as the IP address, and I would not get any error. I am curious to know why that is possible. Is it the recipient's fault, or does the X-Forwarded-For header simply not care what kind of value you give it?

Related

Reverse proxy to bypass X-Frame-Options

Good evening everyone,
I have developed a web app for our school that is loaded into a kiosk app on ChromeOS and Windows so that students can take digital tests and exams in a protected environment.
The web app also allows you to consult sources, these sources are links to, for example, a news site, wikipedia, you name it..
Unfortunately, many external links do not work because they are loaded into the web app via an iFrame, and nowadays many websites do not allow this, by passing headers such as X-Frame-Options.
I had hopes for https://github.com/niutech/x-frame-bypass, but unfortunately it no longer works.
I have also come to the conclusion that a reverse proxy could offer a solution here, but I have no experience with this and research does not make it any easier for me. Or are there even better/other solutions?
As a test I was able to realise, with the following, that google.be can be loaded within an iFrame; however, I encounter two problems that I hope I can find a solution for this way.
Issue 1: Images and CSS not loading
The content links to the proxy server; of course that content does not exist on the reverse proxy server.
Issue 2: Every teacher can create exams/tests with their own external sources, so it is impossible to add all those external URLs to the reverse proxy every time.
That's why I thought of deriving the URL for the proxy_pass from the reverse proxy URL.
Reverse proxy url: http://sitekiosk.xyz/bypass/google.be
google.be gets used in the proxy_pass
Reverse proxy url: http://sitekiosk.xyz/bypass/wikipedia.be
wikipedia.be gets used in the proxy_pass
And so on...
location /bypass {
    proxy_set_header Host www.google.be;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass https://google.be/;
    proxy_hide_header Content-Security-Policy;
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "ALLOWALL";
}
Is this technically possible? Can someone help me with this?
Thank you in advance for taking the time to go through this!
My apologies for my Google Translate English :-)

Why can't I spoof my IP address and trick the MarkLogic function 'xdmp:get-request-client-address' into thinking I'm somewhere else in the world?

I've tried using an X-Forwarded-For header with IP addresses from Mexico, London, etc. I've used the Google sensor tool to change my IP, but MarkLogic somehow sees through those techniques when I log the results of the function xdmp:get-request-client-address.
Because xdmp:get-request-client-address() returns "the internet address of the client from which the HTTP server request is issued".
If you want the value of the x-forwarded-for header, then use xdmp:get-request-header(). You can use the request client address as a default value in case that header is not found:
xdmp:get-request-header("x-forwarded-for", xdmp:get-request-client-address())

Use 'X-Forwarded-For' instead of '$remote_ip' in plugin 'rate-limiting'

We have many layers before Kong server.
How can we use the rate-limiting plugin to limit requests by every end user's client IP?
I want the rate-limiting plugin to read the X-Forwarded-For header to get the user's real IP. But I think rate-limiting is using $remote_ip.
Any suggestions?

Website/webserver fault tolerance - the best practices

For example, I have two servers in the same network, with identical code/software. If the primary server goes down, I want the second one to become primary.
I heard about the following approaches:
Run a proxy server (nginx/haproxy/etc.) in front of these two.
Run CARP - Common Address Redundancy Protocol.
Round-robin DNS.
What are the pros and cons of the above approaches? And what are the best practices to achieve this?
I'm not too familiar with CARP, but I can try to help with the remaining two options:
Round-robin DNS gives you load balancing, but if a server fails it will still receive requests (which will fail too).
i.e. the DNS name www.example.com points to both x.x.x.1 and x.x.x.2; if x.x.x.2 dies, the DNS will still resolve to x.x.x.2 and clients will still try to request from it, so this brings your fail rate to half your requests during the downtime (not good).
Even if you change the DNS to point only to x.x.x.1 during the downtime, DNS propagation will take long and you will still lose requests.
In my honest opinion, placing a load balancer (proxy server) in front of your stack is the only way to go.
I'm really fond of HAProxy, but it's by no means the only solution (find what works for you).
Proxy servers give you a lot more control over your application stack in the form of High Availability (HA):
you can load balance between 2 to N backend servers, lose any number of them and still be running.
you can schedule downtime at any time of the day to do maintenance or deployments and not influence your clients.
Built-in health checks poll the backend servers, take them out of the load as needed and place them back when they've recovered.
The con of HA load balancing is usually the number of rules that have to be set up in order to keep sessions correct or to route special cases. Yes, it can get complex, but there is A LOT of support in the community and it's easily learnable.
Another con of HA load balancing is that the proxy server itself becomes a single point of failure, but this can be overcome easily with heartbeatd and a second proxy server.
Hope this answers some of your questions.
A good way of making your apps fault tolerant would be to use nginx as your load balancer. You can make a config like
upstream some_name {
    server server_ip;
    server server_ip2;
}
server {
    listen 80;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://some_name;
    }
}
Plus, this nginx upstream object takes further flags like max_fails=10 fail_timeout=20s and is smart enough to know if one server goes down; it switches to the next server that's online, and much more than that.
Please check the official nginx website for more information about it.

Definition for the X-Forwarded-For HTTP header

Where can I find a definition for the X-Forwarded-For HTTP header? Most sites refer to the Wikipedia page. There the X-Forwarded-For format is described as X-Forwarded-For: client, proxy1, proxy2. I'm curious what valid strings for one entry can be. Are the following examples valid entries?
192.0.2.60
192.0.2.60:58074
2001:db8:cafe::17
[2001:db8:cafe::17]:47011
"[2001:db8:cafe::17]:47011"
There is none, as it is a non-standard header that cannot be found in the message header registry. So your examples are all valid if you decide them to be valid.
If you want to go by a standard, RFC 7239 provides a standardized mechanism in place of X-Forwarded-For and X-Forwarded-Proto.
This has already been discussed here: What is a full specification of X-Forwarded-Proto HTTP header
You can also have a look at section 7.4 of RFC 7239.
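The first question on this page (why the lab accepted any value in the header) and the definition question just above come down to the same point: X-Forwarded-For is free-form text that a server either trusts from a known proxy or ignores. The following is an added example, not code from any of the posts above or from any proxy product. It assumes a constructed deployment (one trusted reverse proxy at 10.0.0.1, a client at 198.51.100.7) and a parser that accepts the five entry formats listed in the definition question as a local policy choice; it then shows a login-lockout counter keyed once on the leftmost header value (the behaviour the lab relied on) and once on the address resolved by walking the chain from the right past trusted proxies.

```python
"""Trusted-proxy handling of X-Forwarded-For (XFF). Added example; the proxy
addresses, request samples and the right-to-left walk are assumptions for
illustration, not any product's implementation."""
import ipaddress
import re
from collections import defaultdict

# One XFF element: IPv4, bracketed IPv6 or bare IPv6, an optional :port and
# optional surrounding double quotes. These are the candidate formats from
# the definition question; accepting them is a local policy choice, since
# XFF itself has no specification.
_ENTRY = re.compile(
    r'^"?(?:\[(?P<v6b>[0-9A-Fa-f:.]+)\]'
    r'|(?P<v4>\d{1,3}(?:\.\d{1,3}){3})'
    r'|(?P<v6>[0-9A-Fa-f:.]+))'
    r'(?::(?P<port>\d{1,5}))?"?$'
)


def parse_entry(entry):
    """Return the IP address in one XFF element, or None if it is not a usable IP.

    A bare IPv6 followed by :port is inherently ambiguous (the port reads as one
    more hextet), so only the bracketed form carries a port reliably.
    """
    m = _ENTRY.match(entry.strip())
    if not m:
        return None
    host = m.group("v6b") or m.group("v4") or m.group("v6")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def client_ip(peer_addr, xff_header, trusted_proxies):
    """Resolve the client address the way a proxy-aware server should.

    peer_addr is the TCP peer that actually connected; trusted_proxies are the
    addresses whose XFF appends we believe. The header is consulted only when
    the peer is one of them, and the chain is walked from the right: trusted
    hops are skipped and the first untrusted hop is the client. Anything left
    of it was written by an untrusted party and is ignored.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    peer = ipaddress.ip_address(peer_addr)
    if peer not in trusted or not xff_header:
        return peer
    hops = [parse_entry(e) for e in xff_header.split(",")]
    for hop in reversed(hops):
        if hop is None:
            return peer  # a trusted proxy wrote junk: fall back to what we can verify
        if hop not in trusted:
            return hop
    return hops[0]  # every hop was one of our own proxies


def naive_client_ip(peer_addr, xff_header, trusted_proxies=()):
    """The behaviour the lab relied on: believe the leftmost entry unconditionally."""
    if xff_header:
        ip = parse_entry(xff_header.split(",")[0])
        if ip is not None:
            return ip
    return ipaddress.ip_address(peer_addr)


class LoginLockout:
    """Per-client failed-login counter, keyed on whatever the resolver returns."""

    def __init__(self, resolver, trusted_proxies, limit=3):
        self.resolver = resolver
        self.trusted = tuple(trusted_proxies)
        self.limit = limit
        self.failures = defaultdict(int)

    def record_failure(self, peer_addr, xff_header):
        """Count one failed attempt; True once this client is locked out."""
        key = self.resolver(peer_addr, xff_header, self.trusted)
        self.failures[key] += 1
        return self.failures[key] >= self.limit


def demo(attempts=5):
    """Constructed scenario: a client at 198.51.100.7 behind our trusted proxy
    10.0.0.1 fails to log in `attempts` times, sending a different made-up
    XFF value each time. Returns (locked_by_naive, locked_by_strict)."""
    trusted = ["10.0.0.1"]
    naive = LoginLockout(naive_client_ip, trusted)
    strict = LoginLockout(client_ip, trusted)
    naive_locked = strict_locked = False
    for i in range(attempts):
        # The proxy appends the real peer address to whatever the client sent.
        header = f"203.0.113.{i}, 198.51.100.7"
        naive_locked = naive.record_failure("10.0.0.1", header)
        strict_locked = strict.record_failure("10.0.0.1", header)
    return naive_locked, strict_locked


if __name__ == "__main__":
    print(demo())  # (False, True)
```

Running the module prints (False, True): the counter keyed on the leftmost header value never locks, because every attempt looks like a new client, while the counter keyed on the trusted-chain walk locks on the third attempt. The same resolution rule answers the Kong and MarkLogic questions above: a rate limiter or request handler should key on the address recovered this way, and only when the immediate peer is a proxy it controls.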
