X-Forwarded-For HTTP header security bypass - Vulnerability Database

X-Forwarded-For HTTP header security bypass

Description

The application uses the X-Forwarded-For HTTP header to make access control decisions, allowing unauthorized access to restricted resources. By manipulating this header to contain internal or whitelisted IP addresses, an attacker can bypass IP-based authentication mechanisms that would normally return a 403 Forbidden status. This occurs because the application trusts client-supplied header values instead of verifying the actual source IP address.

Remediation

Do not use the X-Forwarded-For header for access control decisions, as it is client-controlled and can be easily spoofed. Instead, implement the following measures:

1. Use the actual source IP address from the network layer (e.g., REMOTE_ADDR in most frameworks) for all ACL checks.

2. If behind a trusted proxy or load balancer, validate that requests originate from known proxy IP addresses before trusting X-Forwarded-For values. Only extract the client IP from X-Forwarded-For when the immediate connection comes from your verified proxy infrastructure.

3. Implement proper authentication instead of relying solely on IP-based restrictions. Use strong authentication mechanisms such as API keys, OAuth tokens, or session-based authentication.

Example of secure IP validation when behind a trusted proxy:

// Only trust X-Forwarded-For when the direct peer is one of our own proxies
String clientIP = request.getRemoteAddr();
if (trustedProxyIPs.contains(clientIP)) {
    String xff = request.getHeader("X-Forwarded-For");
    if (xff != null && !xff.isBlank()) {
        // A proxy appends the address it saw to the END of the list; entries
        // before it (including the first) were supplied by the client and can
        // be spoofed. With a single trusted proxy the last entry is the client.
        String[] hops = xff.split(",");
        clientIP = hops[hops.length - 1].trim();
    }
}

// Use clientIP, never the raw header value, for ACL checks
if (!isIPAllowed(clientIP)) {
    response.sendError(HttpServletResponse.SC_FORBIDDEN);
    return;
}
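The remediation steps above, worked through as an added example (not code from the database entry or from Invicti): the flawed resolution that trusts the header unconditionally sits beside a hardened one that accepts X-Forwarded-For only from known proxies and reads the chain right-to-left, skipping trusted hops, so that client-prepended entries are ignored. The proxy addresses, the allowed networks and the request samples are constructed for the example.

```python
import ipaddress

# Constructed sample configuration: the only peers allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.6"}
# Constructed sample ACL: networks permitted to reach the restricted resource.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]


def vulnerable_client_ip(remote_addr, xff):
    """The flaw described above: the header is trusted no matter who sent it."""
    return xff.split(",")[0].strip() if xff else remote_addr


def safe_client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Resolve the client address, trusting X-Forwarded-For only via known proxies.

    Each trusted proxy appends the peer address it saw, so the chain is read
    right-to-left and trusted hops are skipped; the first untrusted hop is the
    client. Anything further left was supplied by that client and is ignored.
    Returns None (fail closed) if a hop we rely on is not a valid IP address.
    """
    if remote_addr not in trusted:
        return remote_addr          # direct connection: the header is worthless
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None
        if hop not in trusted:
            return hop
    return remote_addr              # no untrusted hop: the proxy itself is the client


def is_allowed(ip):
    """ACL check on the resolved address; an unresolvable address is denied."""
    if ip is None:
        return False
    return any(ipaddress.ip_address(ip) in net for net in ALLOWED_NETS)


def authorize(remote_addr, xff):
    """HTTP status the restricted resource returns for a request."""
    return 200 if is_allowed(safe_client_ip(remote_addr, xff)) else 403
```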
