Working Around IP Filters on Caching Servers and CDNs

Nobody builds from scratch anymore, at least nobody who wants to stay relevant in today's lightning-fast market. Commercial web applications are omnipresent, and even the masochists who do build and maintain their own stack typically lean on a common framework like Symfony. Take this simple blog you're reading: everyone knows that /wp-admin lands you on the administrative login page. Obfuscation (moving or hiding that path) is an obvious first step in protecting a property like that, but it is not enough on its own; you need something more.

Enter IP filters. If the target property were simply sitting on a couple of web servers in a local server room, it might have a .htaccess file with a solid lock on it. In today's world, though, anything worth looking at closely is probably behind some form of CDN or cloud cache. The problem for network admins and security teams is that requests for the admin pages now arrive from the CDN's IP ranges rather than from the visitor, even when that visitor is sitting right next to you. So the CDN inserts a header carrying the address it received the original request from, typically X-Forwarded-For and/or True-Client-IP (seen by PHP and other CGI-style environments as HTTP_X_FORWARDED_FOR and HTTP_TRUE_CLIENT_IP), and the origin's IP filter keys off that value instead of the connecting address.

Burp Suite Proxy Request Header Modification

The solution to working around IP filters on caching servers and CDNs is to modify the request header and inject your own True-Client-IP and X-Forwarded-For (HTTP_TRUE_CLIENT_IP and HTTP_X_FORWARDED_FOR as the origin sees them) with the desired value. CDNs and other caching servers are so paranoid about breaking their clients' applications or causing unintended side effects that they tend not to strip what the user sends them; they forward it on to the origin web servers. In practice the usual behaviour is to append the connecting IP to X-Forwarded-For rather than replace it, so the spoof succeeds whenever the origin reads the first (leftmost) value, or trusts a True-Client-IP it did not set itself. Whether a given CDN strips, overwrites, or appends is vendor- and configuration-specific, so check what the origin actually receives before relying on it. Keep that little tidbit in mind when working with CDNs: the forwarded-address headers violate security rule #1, "never trust the client", unless the origin only honours them when the connection itself comes from the CDN's address range and reads the chain from the right.
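The following is an added example, not code from the original post or from any CDN vendor. It simulates the round trip described above: a client sends a forged X-Forwarded-For, a (simulated) CDN edge appends the real connecting address and forwards the request, and the origin resolves the client IP two ways. The naive resolver trusts the leftmost X-Forwarded-For entry or any True-Client-IP it receives, which is what the bypass relies on; the hardened resolver only honours the header when the connection comes from a trusted proxy range and walks the chain from the right, discarding trusted hops. The allowlist range, the CDN edge range and every IP address are constructed for illustration.

```python
# Added example: bypassing an origin-side IP allowlist with a client-supplied
# X-Forwarded-For, and reading the header so that the bypass fails.
# All ranges and addresses below are constructed, not taken from any real CDN.
import ipaddress

# Assumed: the office range the admin allowlist is meant to admit.
ADMIN_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed: the CDN's edge ranges. Only hops inside these ranges are trusted
# to have written honest X-Forwarded-For entries.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]


def in_any(ip, networks):
    """True if the textual IP falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def cdn_forward(client_ip, client_headers):
    """Simulated CDN edge (assumption: append semantics). The client's own
    X-Forwarded-For entries are kept and the connecting IP is appended; the
    origin then sees the request arriving from an edge address."""
    headers = {k.lower(): v for k, v in client_headers.items()}
    xff = headers.get("x-forwarded-for")
    headers["x-forwarded-for"] = f"{xff}, {client_ip}" if xff else client_ip
    return "192.0.2.10", headers  # (remote_addr as seen by the origin, headers)


def client_ip_naive(remote_addr, headers):
    """Vulnerable resolver: trusts True-Client-IP outright, otherwise the
    leftmost X-Forwarded-For entry. Both are client-controlled."""
    h = {k.lower(): v for k, v in headers.items()}
    if "true-client-ip" in h:
        return h["true-client-ip"].strip()
    if "x-forwarded-for" in h:
        return h["x-forwarded-for"].split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers):
    """Hardened resolver: ignore forwarding headers unless the connection
    itself comes from a trusted proxy, then walk X-Forwarded-For from the
    right and return the first hop that is not a trusted proxy."""
    if not in_any(remote_addr, TRUSTED_PROXIES):
        return remote_addr
    h = {k.lower(): v for k, v in headers.items()}
    hops = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    for hop in reversed(hops):
        try:
            if not in_any(hop, TRUSTED_PROXIES):
                return hop
        except ValueError:
            return remote_addr  # garbage in the chain: fall back to the connection
    return remote_addr


def admin_allowed(remote_addr, headers, resolver):
    """Apply the allowlist to whatever the chosen resolver reports."""
    try:
        return in_any(resolver(remote_addr, headers), ADMIN_ALLOWLIST)
    except ValueError:
        return False


def scenario_spoof_via_cdn():
    """Attacker at 203.0.113.7 forges X-Forwarded-For and goes through the CDN."""
    remote, hdrs = cdn_forward("203.0.113.7", {"X-Forwarded-For": "198.51.100.25"})
    return (admin_allowed(remote, hdrs, client_ip_naive),
            admin_allowed(remote, hdrs, client_ip_hardened))


def scenario_spoof_direct_to_origin():
    """Attacker reaches the origin directly (no CDN) with forged headers."""
    hdrs = {"True-Client-IP": "198.51.100.25", "X-Forwarded-For": "198.51.100.25"}
    return (admin_allowed("203.0.113.7", hdrs, client_ip_naive),
            admin_allowed("203.0.113.7", hdrs, client_ip_hardened))


def scenario_legit_via_cdn():
    """Genuine office user at 198.51.100.25, no forged headers, via the CDN."""
    remote, hdrs = cdn_forward("198.51.100.25", {})
    return (admin_allowed(remote, hdrs, client_ip_naive),
            admin_allowed(remote, hdrs, client_ip_hardened))


if __name__ == "__main__":
    for name, fn in [("spoof via CDN", scenario_spoof_via_cdn),
                     ("spoof direct to origin", scenario_spoof_direct_to_origin),
                     ("legitimate via CDN", scenario_legit_via_cdn)]:
        naive, hardened = fn()
        print(f"{name:24s} naive allows={naive!s:5s} hardened allows={hardened}")
```

The spoof passes the naive resolver in both the through-the-CDN and direct-to-origin cases and fails the hardened one, while the legitimate office user passes both. The hardened version encodes the two rules the post's bypass depends on being absent: the origin decides whether to believe the header based on who connected, and it never reads a client-controlled position in the chain.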

File this one under “I’m having trouble connecting to the VPN but need to make changes anyway”.
