Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/vavkamil/XFFenum

X-Forwarded-For [403 forbidden] enumeration
https://github.com/vavkamil/XFFenum

Last synced: 5 days ago
JSON representation

X-Forwarded-For [403 forbidden] enumeration

Host: GitHub
URL: https://github.com/vavkamil/XFFenum
Owner: vavkamil
Created: 2019-07-25T17:48:20.000Z (over 5 years ago)
Default Branch: master
Last Pushed: 2024-05-03T19:47:14.000Z (6 months ago)
Last Synced: 2024-08-01T10:17:24.180Z (3 months ago)
Language: Python
Homepage:
Size: 5.86 KB
Stars: 87
Watchers: 3
Forks: 27
Open Issues: 2
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml

Awesome Lists containing this project

awesome-bugbounty-tools - XFFenum - X-Forwarded-For [403 forbidden] enumeration (Miscellaneous / Uncategorized)

README

        # XFFenum

A simple tool to bypass 403 forbidden end-points behind load balancers (Cloudflare) based on X-Forwarded-For header

Based on the [enumXFF](https://github.com/infosec-au/enumXFF) by @infosec_au

### Example

```

vavkamil@localhost:~/XFFenum$ python3 xffenum.py -u https://xss.vavkamil.cz/xff -i 192.168.0.0/16

 __  _______ _____                          

 \ \/ /  ___|  ___|__ _ __  _   _ _ __ ___  

  \  /| |_  | |_ / _ \ '_ \| | | | '_ ` _ \ 

  /  \|  _| |  _|  __/ | | | |_| | | | | | |

 /_/\_\_|   |_|  \___|_| |_|\__,_|_| |_| |_|

 X-Forwarded-For [403 forbidden] enumeration

[i] Using URL: https://xss.vavkamil.cz/xff

[i] Using IP range: 192.168.0.0/16

[i] IP addresses in range: 65536

[i] Iterations required: 13108 

673it [00:34, 21.69it/s]

[!] Access granted with 192.168.13.37, 192.168.13.38, 192.168.13.39, 192.168.13.40, 192.168.13.41

[!] curl https://xss.vavkamil.cz/xff -H "X-Forwarded-For: 192.168.13.37, 192.168.13.38, 192.168.13.39, 192.168.13.40, 192.168.13.41"

```

#### Proof of Concept

```

vavkamil@localhost:~$ curl -i https://xss.vavkamil.cz/xff

HTTP/2 403 

date: Wed, 07 Aug 2019 20:02:41 GMT

content-type: text/html; charset=iso-8859-1

set-cookie: __cfduid=d77da0ad10e7a360cce4a28311784c12d1565208161; expires=Thu, 06-Aug-20 20:02:41 GMT; path=/; domain=.vavkamil.cz; HttpOnly; Secure

expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"

server: cloudflare

cf-ray: 502bd9832d69c2db-FRA

403 Forbidden

Forbidden

You don't have permission to access /xff

on this server.






Apache/2.4.29 (Ubuntu) Server at xss.vavkamil.cz Port 80


```

##### .htaccess

```

Order Deny,Allow

Deny from all

SetEnvIf X-Forwarded-For "192.168.13.37" AllowAccess

Allow from env=AllowAccess

```

### Usage

```

vavkamil@localhost:~/XFFenum$ python3 xffenum.py -h

 __  _______ _____                          

 \ \/ /  ___|  ___|__ _ __  _   _ _ __ ___  

  \  /| |_  | |_ / _ \ '_ \| | | | '_ ` _ \ 

  /  \|  _| |  _|  __/ | | | |_| | | | | | |

 /_/\_\_|   |_|  \___|_| |_|\__,_|_| |_| |_|

 X-Forwarded-For [403 forbidden] enumeration

usage: xffenum.py [-h] -u URL -i IP_RANGE [-t THREADS] [--no-verify-ssl]

X-Forwarded-For [403 forbidden] enumeration

optional arguments:

  -h, --help       show this help message and exit

  -u URL           Forbidden URL patch to scan

  -i IP_RANGE      Signe IP or range to use

  -t THREADS       number of threads (default: 5)

  --no-verify-ssl  Ignore any and all SSL errors.

Have a nice day :)

```

## References

https://shubs.io/enumerating-ips-in-x-forwarded-headers-to-bypass-403-restrictions/  

https://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html