
Getting XSS attacks via Client_IP and Forwarded_for - How?

Discussion in 'Security' started by misohoni, Dec 11, 2011.

  1. #1
    Hi guys, quick question here, as my site can be hacked via XSS through the x_forwarded_for and client_ip below. How can this be done?

    function getUsersIP()
    {
        if (isset($_SERVER))
        {
            if (isset($_SERVER["HTTP_X_FORWARDED_FOR"]))
                return $_SERVER["HTTP_X_FORWARDED_FOR"];

            if (isset($_SERVER["HTTP_CLIENT_IP"]))
                return $_SERVER["HTTP_CLIENT_IP"];

            return $_SERVER["REMOTE_ADDR"];
        }

        if (getenv('HTTP_X_FORWARDED_FOR'))
            return getenv('HTTP_X_FORWARDED_FOR');

        if (getenv('HTTP_CLIENT_IP'))
            return getenv('HTTP_CLIENT_IP');

        return getenv('REMOTE_ADDR');
    }
     
    misohoni, Dec 11, 2011 IP
  2. evuln.com

    #2
    X-Forwarded-For and Client-IP are parameters of the HTTP query. All of these parameters may be fake.

    Example of an HTTP query:

    GET / HTTP/1.0
    Host: somesite.com
    Referer: httx://anylink.com/
    Cookie: var1=val1&var2=val2
    User-Agent: Mozilla/5.0 (compatible; eVuln bot/1.0)
    X-Forwarded-For: 123.123.123.123

    Values of Referer, Cookie, User-Agent, X-Forwarded-For (and others) may be replaced by an arbitrary string, including XSS and SQL injections.

    You can generate and send such queries using one of my tools from my site (tool name "web security testing").

    Regards.
     
    evuln.com, Dec 30, 2011 IP
  3. amigoserv.com

    #3
    If you have proper modsec rules, then you can protect yourself and forget any XSS attacks.
     
    amigoserv.com, Jan 2, 2012 IP
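
A hardened counterpart to the getUsersIP() function from post #1, given as an added example that is not code from the thread or from any poster. It treats the request headers as untrusted input, as post #2 describes, and ignores Client-IP entirely; the function names, the trusted-proxy list and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. Names and sample values are constructed.
// Assumption: addresses of reverse proxies you operate (documentation range used here).
const TRUSTED_PROXIES = ['192.0.2.10'];

// Return the client IP as a validated address string. X-Forwarded-For is
// honoured only when the TCP peer (REMOTE_ADDR) is one of our own proxies.
function getUsersIpSafe(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0'; // no usable peer address (e.g. CLI run)
    }
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote; // direct connection: ignore client-supplied headers
    }
    // Walk the list right to left: the rightmost entries were appended by our
    // own proxies, anything further left is whatever the client chose to send.
    $hops = array_reverse(explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach ($hops as $hop) {
        $hop = trim($hop);
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the header
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop; // first address that is not one of our proxies
        }
    }
    return $remote;
}

// Escape at output time, regardless of where the value came from.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed requests: a direct client sending markup in the header, and a proxied client.
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '<b>not an ip</b>'];
$proxied = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.4'];

echo e(getUsersIpSafe($direct)), "\n";          // header ignored, peer address used
echo e(getUsersIpSafe($proxied)), "\n";         // forwarded address accepted from our proxy
echo e($direct['HTTP_X_FORWARDED_FOR']), "\n";  // raw header after output escaping
```

The same validated value should still go through parameterised queries when stored, since validation here only guarantees the string is an IP address.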