Kevin Froman's blog

Blog on security, programming, & other musings

Do Not Trust X Forwarded For

2016-08-24

What Is X-Forwarded-For?

X-Forwarded-For and similar headers are not part of any official standard, but X-Forwarded-For is the de facto standard HTTP request header by which a non-transparent proxy passes along the IP address of the client it is forwarding for.

The Problem

Since X-Forwarded-For is just an HTTP header, it can very easily be spoofed: a browser add-on, or any other HTTP client, can send whatever value it likes.

This means that when developing an application, X-Forwarded-For should never be taken as proof of a user's IP address, and should not be trusted. The only address that can be relied on is the one your own reverse proxy records, that is, the TCP peer address as that proxy saw it, not whatever header the client chose to supply.
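As an added illustration (this is not code from the post), the trusting lookup described above is shown beside a version that only believes hops appended by reverse proxies you operate; the 10.0.0.0/8 proxy range, the function names and the sample addresses are assumptions made for the example.

```python
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed example: the address range of the reverse proxies we operate.
# Only a hop appended by one of these is believed; everything else is client input.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr: IPAddress) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """The mistake described above: take the leftmost X-Forwarded-For entry
    as the client's address, no matter who wrote it."""
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Start at the TCP peer and walk X-Forwarded-For right to left while each
    hop is one of our proxies; the first hop that is not one is the client.
    Assumes every proxy in the chain appends the address it saw (the usual behaviour)."""
    candidate = ipaddress.ip_address(peer_ip)
    if not _is_trusted_proxy(candidate):
        # Direct connection: the header was written by the client itself, so ignore it.
        return str(candidate)
    hops = [h.strip() for h in xff.split(",")] if xff else []
    for raw in reversed(hops):
        try:
            hop = ipaddress.ip_address(raw)
        except ValueError:
            # Malformed entry: stop here and report the nearest proxy we could verify.
            break
        if not _is_trusted_proxy(hop):
            return str(hop)
        candidate = hop
    return str(candidate)
```

With a direct connection from 203.0.113.7 carrying a forged "X-Forwarded-For: 198.51.100.1", the naive function reports the forged address while the hardened one reports the real peer.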

Example of Inappropriate Use

guerrillamail.com was setting the "X-Originating-IP" header of each sent email to the value of the X-Forwarded-For header it received from the sender. This allowed me to make an email appear as if it was coming from any IP address I wanted.

[Image: Guerrilla Mail screenshot]

This could have been used to frame other people for crimes such as bomb threats. In fact, if the Harvard student who used Guerrilla Mail to send a bomb threat had done this, someone else could have been falsely accused.

I reported this vulnerability almost 2 months ago, and it was quickly fixed.

Written by anonymous