IP Spoofing via X-Forwarded-For Header #266

Open
ahpaleus opened this issue Sep 19, 2023 · 0 comments
ahpaleus commented Sep 19, 2023

Severity: Medium

By manipulating the X-Forwarded-For header, an attacker can spoof an IP address used in the user identity module (/whoami API endpoint). This could lead to unauthorized access if the system trusts this spoofed IP address.

HTTP request-response cycle with the injected X-Forwarded-For header:

GET /oauth2/google/authorization-code-callback?state=REDACTED&code=4%REDACTED-REDACTED-0pJfgn3DHsYbipfxJA1w&scope=email+profile+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile&authuser=0&hd=portal-caddysecurity.com&prompt=none HTTP/2
Host: portal-caddysecurity.internal
Cookie: AUTHP_SESSION_ID=REDACTED
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
X-Forwarded-For: 1.3.3.4
Referer: https://portal-caddysecurity.internal/

HTTP/2 303 See Other
Authorization: Bearer REDACTED
Cache-Control: no-store
Location: https://portal-caddysecurity.internal/portal
Pragma: no-cache
Server: Fly/a0b91024 (2023-06-13)
Set-Cookie: access_token=REDACTED; Domain=portal-caddysecurity.internal; Path=/; Secure; HttpOnly;
Set-Cookie: AUTHP_SANDBOX_ID=delete; Domain=portal-caddysecurity.internal; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT;
Date: Wed, 19 Jul 2023 09:33:16 GMT
Content-Length: 0
Via: 2 fly.io
Fly-Request-Id: 01H5PQY91PBMM0W8XWJ2JFBR11-waw


To resolve this vulnerability, reimplement the application to not rely on user-provided headers when obtaining a user’s IP address. If user-provided headers are required (e.g., X-Forwarded-For for logging purposes), ensure the header is properly validated (i.e., the value is consistent with IP address format through regular expression) or sanitized (to avoid CRLF log injection attacks, for example).

In addition to this immediate fix, we recommend considering these long-term recommendations:

  • Implement appropriate checks for potential IP spoofing and X- headers on the unit testing level. Consider other headers that can rewrite IP sources.
  • Cover the IP spoofing scenarios and user-provided header processing in Golang’s native fuzz tests.
  • Use the dynamic testing approach with Burp Suite Professional and the Param Miner extension to identify the processing of hidden headers.
  • Expand the caddy-security documentation to increase user awareness of this type of threat; show an example of misconfiguration, how to resolve, and how to test it.

More information about our public disclosure:
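
One way to implement the fix the report asks for, written as an added Go example that is not code from caddy-security or from the issue author. It identifies the caller by the TCP peer address and only consults X-Forwarded-For when that peer is in an operator-configured list of trusted proxies; in that case it walks the header from the right, skipping trusted hops, and rejects any entry that is not a parseable IP (which also blocks CRLF log injection). The type and function names, the trusted-proxy CIDR and the sample addresses are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// ClientIPResolver decides which address to treat as the client's.
// Only connections arriving from a trusted proxy get their X-Forwarded-For
// header honoured; everyone else is identified by the TCP peer address.
// (Hypothetical type, not part of caddy-security.)
type ClientIPResolver struct {
	trustedProxies []netip.Prefix
}

// NewClientIPResolver parses the trusted proxy CIDRs supplied by the operator.
func NewClientIPResolver(cidrs []string) (*ClientIPResolver, error) {
	r := &ClientIPResolver{}
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("bad trusted proxy %q: %w", c, err)
		}
		r.trustedProxies = append(r.trustedProxies, p)
	}
	return r, nil
}

func (r *ClientIPResolver) isTrusted(a netip.Addr) bool {
	for _, p := range r.trustedProxies {
		if p.Contains(a.Unmap()) {
			return true
		}
	}
	return false
}

// ClientIP returns the effective client address for req.
func (r *ClientIPResolver) ClientIP(req *http.Request) (netip.Addr, error) {
	host, _, err := net.SplitHostPort(req.RemoteAddr)
	if err != nil {
		host = req.RemoteAddr // RemoteAddr given without a port
	}
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return netip.Addr{}, errors.New("unparseable RemoteAddr")
	}
	peer = peer.Unmap()
	if !r.isTrusted(peer) {
		// Direct client (or an unknown proxy): X-Forwarded-For is attacker
		// controlled here, so it is ignored entirely.
		return peer, nil
	}
	// Each trusted proxy appends the address it saw, so reading from the
	// right, the first address that is not a trusted proxy is the client.
	var hops []string
	for _, v := range req.Header.Values("X-Forwarded-For") {
		for _, h := range strings.Split(v, ",") {
			hops = append(hops, strings.TrimSpace(h))
		}
	}
	for i := len(hops) - 1; i >= 0; i-- {
		a, err := netip.ParseAddr(hops[i])
		if err != nil {
			// Anything that is not a literal IP (including CRLF payloads)
			// is rejected rather than logged or trusted.
			return netip.Addr{}, fmt.Errorf("malformed X-Forwarded-For entry %q", hops[i])
		}
		if !r.isTrusted(a.Unmap()) {
			return a.Unmap(), nil
		}
	}
	// Every listed hop was a trusted proxy; fall back to the peer itself.
	return peer, nil
}

func main() {
	// Constructed sample: 10.0.0.0/8 is the assumed trusted proxy range.
	r, err := NewClientIPResolver([]string{"10.0.0.0/8"})
	if err != nil {
		panic(err)
	}
	spoofed := &http.Request{
		RemoteAddr: "203.0.113.7:4444",
		Header:     http.Header{"X-Forwarded-For": {"1.3.3.4"}},
	}
	ip, err := r.ClientIP(spoofed)
	fmt.Println("direct client with spoofed header:", ip, err)
}
```

The important property is that a request arriving directly from 203.0.113.7 with `X-Forwarded-For: 1.3.3.4` resolves to 203.0.113.7, so the spoofed value never reaches the identity module; only a hop added by a proxy the operator listed can change the answer.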
