How to use IpSpoofAttackError #13914

Closed
homakov opened this Issue Feb 1, 2014 · 8 comments


@homakov
Contributor
homakov commented Feb 1, 2014

When I reflect

render text: request.remote_ip

it returns 123.123.123.123 for the following code:

var ip = "123.123.123.123";               // value we want remote_ip to report
var x = new XMLHttpRequest();
x.open('GET', '/ip');                      // endpoint that renders request.remote_ip
x.setRequestHeader('X-Forwarded-For', ip); // client-controlled header
x.send();

So I am not sure why we need to raise IpSpoofAttackError; how exactly is it supposed to protect me? Probably I must use .ip instead of remote_ip if I don't have a proxy server?

Contributor
homakov commented Feb 1, 2014

If we have a proxy server appending the real IP to X-Forwarded-For, IpSpoofAttackError is not helpful.

If we don't have it, IpSpoofAttackError is not helpful either, because we can simply set our own X-Forwarded-For w/o Client-Ip.

Can someone please explain how is it helping?

pwnsdx commented Feb 1, 2014

Solution: Use PHP ;)

Contributor
homakov commented Feb 1, 2014

joernchen: this doesn't work.

Since it doesn't work can someone remove that IP spoofing error? It only scares, doesn't mitigate.

pwnsdx commented Feb 1, 2014

#2490 (comment)

This doesn't work? @env["REMOTE_ADDR"]

Contributor
homakov commented Feb 1, 2014

@pwnsdx no, and I don't see how it can help in any situation. It's still easy to set X-F-For

zsombor commented Feb 4, 2014

I don't think IpSpoofAttackError protects against anything. From the code:

https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/remote_ip.rb#L149

Rails will raise the exception when it encounters a request that has both the Client-Ip and X-Forwarded-For headers set. Something that is more likely caused by an ill-behaving proxy.

Not that any protection is possible whilst headers can be set from JavaScript.
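To make the behaviour described in the first comment (a browser setting X-Forwarded-For via XHR) and in the comment above (the error firing only when Client-Ip and X-Forwarded-For disagree) concrete, here is an added stand-alone Ruby model. It is not ActionDispatch::RemoteIp itself and was not posted by anyone in the thread; `rails_style_remote_ip` is a simplified reading of the linked `calculate_ip`, `TRUSTED_PROXIES` is assumed to mirror the Rails defaults, `chain_aware_remote_ip` is the editor's suggested alternative, and the request environments and addresses in `SCENARIOS` are constructed for illustration.

```ruby
require 'ipaddr'

# Stand-alone model of the remote_ip logic discussed in this thread.
# IpSpoofAttackError and TRUSTED_PROXIES are named after Rails', but this
# file is an added illustration, not ActionDispatch::RemoteIp itself.
class IpSpoofAttackError < StandardError; end

# Assumed to match the Rails defaults: loopback plus RFC 1918 / ULA ranges.
TRUSTED_PROXIES = %w[127.0.0.1 ::1 fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
                    .map { |cidr| IPAddr.new(cidr) }.freeze

def trusted_proxy?(ip)
  return false if ip.nil?
  addr = IPAddr.new(ip)
  TRUSTED_PROXIES.any? { |range| range.family == addr.family && range.include?(addr) }
rescue ArgumentError
  false # an unparsable header value is never treated as a trusted proxy
end

# Splits a comma-separated header value ("a, b, c") into ["a", "b", "c"].
def ips_from(env, key)
  env[key].to_s.split(',').map(&:strip).reject(&:empty?)
end

# Simplified reading of ActionDispatch::RemoteIp#calculate_ip as linked above:
# raise if Client-Ip is not among the X-Forwarded-For entries, then return the
# rightmost X-Forwarded-For entry that is not a trusted proxy. It never asks
# whether REMOTE_ADDR itself is a proxy, so a directly connected client can spoof.
def rails_style_remote_ip(env, check_ip: true)
  remote_addr   = ips_from(env, 'REMOTE_ADDR').last
  client_ips    = ips_from(env, 'HTTP_CLIENT_IP').reverse
  forwarded_ips = ips_from(env, 'HTTP_X_FORWARDED_FOR').reverse

  if check_ip && client_ips.last && forwarded_ips.last && !forwarded_ips.include?(client_ips.last)
    raise IpSpoofAttackError,
          "IP spoofing attack?! HTTP_CLIENT_IP=#{env['HTTP_CLIENT_IP'].inspect} " \
          "HTTP_X_FORWARDED_FOR=#{env['HTTP_X_FORWARDED_FOR'].inspect}"
  end

  ips = [forwarded_ips, client_ips, remote_addr].flatten.compact
  ips.reject { |ip| trusted_proxy?(ip) }.first || remote_addr
end

# Hardened alternative (editor's suggestion, not from the thread): only believe
# X-Forwarded-For when the TCP peer is one of our proxies, then walk the chain
# from the right and stop at the first hop that is not a trusted proxy.
def chain_aware_remote_ip(env)
  remote_addr = ips_from(env, 'REMOTE_ADDR').last
  return remote_addr unless trusted_proxy?(remote_addr)

  chain = ips_from(env, 'HTTP_X_FORWARDED_FOR')
  while (hop = chain.pop)
    return hop unless trusted_proxy?(hop)
  end
  remote_addr # every hop was one of ours; nothing better to report
end

# Constructed Rack-style request environments, not real traffic.
SCENARIOS = {
  # No proxy: the browser is the TCP peer and sets the header via XHR as in the thread.
  direct_spoof: { 'REMOTE_ADDR' => '198.51.100.7',
                  'HTTP_X_FORWARDED_FOR' => '123.123.123.123' },
  # A real proxy on 10.0.0.2 appended the true client after the attacker's value.
  behind_proxy: { 'REMOTE_ADDR' => '10.0.0.2',
                  'HTTP_X_FORWARDED_FOR' => '123.123.123.123, 198.51.100.7' },
  # Client-Ip disagrees with X-Forwarded-For: the only case in which the error fires.
  header_clash: { 'REMOTE_ADDR' => '198.51.100.7',
                  'HTTP_CLIENT_IP' => '203.0.113.9',
                  'HTTP_X_FORWARDED_FOR' => '123.123.123.123' }
}.freeze

# What each strategy reports for a scenario (or the exception class name).
def report(name)
  env = SCENARIOS.fetch(name)
  rails = begin
    rails_style_remote_ip(env)
  rescue IpSpoofAttackError => e
    e.class.name
  end
  { rails_style: rails, chain_aware: chain_aware_remote_ip(env), peer: env['REMOTE_ADDR'] }
end

if $PROGRAM_NAME == __FILE__
  SCENARIOS.each_key { |name| puts "#{name}: #{report(name)}" }
end
```

Running it shows the point of the thread: in `direct_spoof` the Rails-style logic reports the attacker-chosen 123.123.123.123 while the chain-aware version reports the real peer, both agree in `behind_proxy`, and `header_clash` is the only input that raises. Note the caveat for local testing: loopback is in the trusted list, so with REMOTE_ADDR 127.0.0.1 even the chain-aware variant believes X-Forwarded-For; in production the list should contain only the addresses of proxies you actually run.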

Contributor
homakov commented Feb 4, 2014

Exactly. Why do we need it then? remote_ip has no benefits; let's use .ip instead.

@homakov homakov closed this Feb 14, 2014