X-FORWARDED-FOR SPOOFING

Feature      Value
Type         Protection
Risk         -
Covered by   Agent

The X-Forwarded-For header is the de facto standard for carrying the client's IP address when a request passes through a proxy. Today it is estimated that 56% of all applications use the X-Forwarded-For header (carrying the original IP address) in some way.

Most uses of this header are to prevent fraud or to enable access; for example, you may get a security warning if you try to log in to your bank account from a different machine than the one you usually use. Other systems may use the X-Forwarded-For header in combination with .htaccess to enforce access control, with a whitelist of addresses that do not require authentication. Another example is allowing or denying access based on the physical location implied by your IP address, normally combined with usage patterns: are you really connecting from Bulgaria?

How to solve it

Whether or not these examples are good ideas, if X-Forwarded-For is used as part of your authentication or authorization scheme, the application should at least make a best-effort attempt to verify that the header represents the real client IP address; otherwise its authorization may in fact be broken. Validating the input values (as they cannot be trusted) is the first required step.
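As an added example (not code from the original page), one way to make this best-effort check in Python: treat the TCP peer address as ground truth and only honour X-Forwarded-For entries appended by proxies you operate, walking the chain from the right. The trusted-proxy CIDRs and sample addresses below are constructed for illustration.

```python
import ipaddress
from typing import Iterable, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

def parse_hop(raw: str) -> Optional[IPAddr]:
    """Parse one X-Forwarded-For entry; anything that is not a bare IP literal is rejected."""
    try:
        return ipaddress.ip_address(raw.strip())
    except ValueError:
        return None

def client_ip(peer_addr: str, xff_header: Optional[str],
              trusted_proxies: Iterable[str]) -> Optional[str]:
    """Derive the client IP from the TCP peer and the X-Forwarded-For chain.

    peer_addr       socket peer of this request (not forgeable by the sender)
    xff_header      raw X-Forwarded-For value, or None when absent
    trusted_proxies CIDRs of the reverse proxies / load balancers we operate (constructed)

    Each trusted proxy appends the address it saw on its own socket, so walking the
    list from the right and skipping our own proxies yields the address the outermost
    trusted hop actually talked to. Entries further left were supplied by the client
    or an unknown intermediary and are ignored. Returns None when the chain is
    malformed, so a caller using the result for authorization can fail closed.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(ip: IPAddr) -> bool:
        return any(ip in n for n in nets)

    peer = parse_hop(peer_addr)
    if peer is None:
        return None
    if not trusted(peer):
        # Direct connection: the header is fully client-controlled, so ignore it.
        return str(peer)

    last_trusted = peer
    hops = [h for h in (xff_header or "").split(",") if h.strip()]
    for raw in reversed(hops):
        ip = parse_hop(raw)
        if ip is None:
            return None          # a trusted proxy never writes garbage; refuse to guess
        if not trusted(ip):
            return str(ip)       # first hop that is not ours: best available client IP
        last_trusted = ip
    # Every listed hop was one of our proxies (or the header was empty).
    return str(last_trusted)
```

With trusted proxies in 10.0.0.0/8 and a peer of 10.0.0.1, the header "1.2.3.4, 203.0.113.5" yields 203.0.113.5: the client-supplied 1.2.3.4 is never consulted.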

As always in security, the more sources of information you have, the better. Combining the IP address (from X-Forwarded-For) with device type, user agent, and the other tidbits automatically carried along in HTTP and network protocols provides a more robust context in which to make an informed decision.