X-Forwarded-For

The X-Forwarded-For (XFF) header is an [[HTTP headers|HTTP header]] field that is used to identify the originating [[IP address]] of a client connecting to a web server through an HTTP [[proxy]] or a [[load balancer]]. This header is a de facto standard for identifying the original IP address of a client when web servers are configured to receive traffic via proxy servers or load balancers.

The primary purpose of the X-Forwarded-For header is to provide a way to track the original client's IP address in web server logs, which is crucial for debugging, security audits, and compliance with legal requirements. When a client makes a request to a server through a proxy, the proxy server adds the client’s IP address to the X-Forwarded-For header before forwarding the request to the server. If there are multiple proxies in the chain, the header can contain a list of IP addresses, each representing a node in the chain.

In the context of penetration testing (pentesting), the X-Forwarded-For header can be used in various ways:

  1. Spoofing IP Address: An attacker or a pentester can modify or spoof the X-Forwarded-For header to simulate requests from different IP addresses. This can be used to test how the server or application handles requests from various locations or to bypass IP-based access controls.
  2. Bypassing Security Measures: Some security measures, like rate limiting or IP-based access control, rely on the IP address. By manipulating the X-Forwarded-For header, a pentester can test whether these security measures are effectively implemented or if they can be bypassed.
  3. Identifying Misconfigurations: The X-Forwarded-For header can be used to identify misconfigurations in proxy servers or load balancers. Because the header is supplied by the client and each proxy only appends to it, a server that trusts any IP address in the X-Forwarded-For header (for example, always taking the leftmost entry) without validating which entries were added by its own proxies is susceptible to IP spoofing.
  4. Testing Logging and Monitoring Systems: By using different values in the X-Forwarded-For header, pentesters can check if the logging and monitoring systems are accurately capturing and reporting the original client IP addresses.
  5. Exploring Trust Relationships: In some network architectures, certain actions or accesses might be allowed based on the source IP. Modifying the X-Forwarded-For header can reveal how trust relationships are handled between different network entities.
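The misconfiguration described in item 3 and the chain-of-addresses behaviour described above, as an added example that is not part of the original page: a naive resolver that takes the leftmost X-Forwarded-For entry (spoofable) beside a resolver that walks the chain from the right and skips only the proxies the operator controls. The proxy network 10.0.0.0/24 and all client addresses are constructed for illustration.

```python
import ipaddress

# Constructed for this example: the operator's load balancer and internal
# reverse proxy live in 10.0.0.0/24; nothing else is trusted to set XFF.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def parse_xff(header):
    """Split an X-Forwarded-For value into its comma-separated entries."""
    return [part.strip() for part in header.split(",") if part.strip()]


def naive_client_ip(remote_addr, xff):
    """The misconfiguration: trust the leftmost XFF entry.
    The client controls that value, so it is trivially spoofable."""
    parts = parse_xff(xff) if xff else []
    return parts[0] if parts else remote_addr


def is_trusted(addr):
    """True only if addr is a syntactically valid IP inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff):
    """Resolve the client address by walking the chain from the right.

    Every entry appended by one of our proxies is skipped; the first entry
    that is not ours is the best estimate of the client.  Anything further
    left was written by parties we do not control and is ignored.
    """
    if not is_trusted(remote_addr):
        # The TCP peer is not one of our proxies, so the header was not
        # produced by our infrastructure: ignore it entirely.
        return remote_addr
    for addr in reversed(parse_xff(xff or "")):
        if is_trusted(addr):
            continue
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            return remote_addr  # malformed entry: fall back to the peer
        return addr
    # Only our own proxies appear in the chain: the peer is the origin.
    return remote_addr
```

The same chain that lets `naive_client_ip` be fooled (a forged leftmost entry) is resolved to the real peer of the load balancer by `client_ip`, which is the value that should reach logs, rate limiters and IP allow lists.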