Welcome to another edition. A few days ago I was playing a CTF and ran into an IP restriction on an API. Fortunately, there was a misconfiguration and I was able to bypass it using an “X-Forwarded-For” header. Here is a list of headers I have compiled in case some of my readers want to incorporate this technique in their pentest arsenal.
Access-Control-Allow-Origin
Client-IP
Forwarded
Forwarded-For
Forwarded-For-IP
Origin
X-Client-IP
X-Custom-IP-Authorization
X-Forwarded
X-Forwarded-By
X-Forwarded-For
X-Forwarded-For-Original
X-Forwarded-Host
X-Forwarder-For
X-Originating-IP
X-Remote-Addr
X-Remote-IP
CF-Connecting-Ip
X-Real-IP
True-Client-IP
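The misconfiguration behind this bypass is an application that believes whatever address a client writes into one of these headers. The fix on the defending side is to honour forwarded-address headers only when the TCP peer is one of your own reverse proxies, and to walk the X-Forwarded-For chain from the right so that only hops your proxies appended are trusted. The example below is added here and is not code from the original post; the trusted-proxy range 10.0.0.0/8, the function names and the sample addresses are assumptions made for the example. It also shows a simple detection check: an untrusted peer sending any of the headers listed above is worth logging.

```python
import ipaddress

# All header names from the list above, lower-cased for case-insensitive lookup.
# Access-Control-Allow-Origin and Origin are CORS headers rather than client-IP
# hints, but they are kept here because the post lists them.
IP_OVERRIDE_HEADERS = {
    h.lower() for h in [
        "Access-Control-Allow-Origin", "Client-IP", "Forwarded", "Forwarded-For",
        "Forwarded-For-IP", "Origin", "X-Client-IP", "X-Custom-IP-Authorization",
        "X-Forwarded", "X-Forwarded-By", "X-Forwarded-For",
        "X-Forwarded-For-Original", "X-Forwarded-Host", "X-Forwarder-For",
        "X-Originating-IP", "X-Remote-Addr", "X-Remote-IP", "CF-Connecting-Ip",
        "X-Real-IP", "True-Client-IP",
    ]
}

# Hypothetical trusted reverse-proxy range for this example. A real deployment
# lists the exact addresses of its own load balancers or CDN egress ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _parse_ip(text):
    """Return an ip_address object, or None if the text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted_proxy(ip_text):
    ip = _parse_ip(ip_text)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, headers):
    """Address that access decisions should be based on.

    peer_ip is the TCP peer address as seen by the socket; headers is a dict
    of request headers. Forwarded headers are ignored unless the peer is one
    of our proxies.
    """
    if not is_trusted_proxy(peer_ip):
        # Direct connection from an untrusted host: headers are client-controlled.
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    xff = lowered.get("x-forwarded-for", "")
    # Walk right to left: the rightmost entry was appended by the proxy nearest
    # to us. Skip our own proxies and stop at the first address we did not add.
    for hop in reversed(xff.split(",")):
        hop = hop.strip()
        if not hop or _parse_ip(hop) is None or is_trusted_proxy(hop):
            continue
        return hop
    # No usable chain: fall back to the proxy's own address rather than trusting
    # anything the client supplied.
    return peer_ip


def is_allowed(peer_ip, headers, allowlist_cidrs):
    """IP-restriction check using the safely resolved client address."""
    ip = _parse_ip(client_ip(peer_ip, headers))
    nets = [ipaddress.ip_network(c) for c in allowlist_cidrs]
    return ip is not None and any(ip in net for net in nets)


def spoofing_headers(peer_ip, headers):
    """Detection aid: override headers presented by a peer that is not our proxy."""
    if is_trusted_proxy(peer_ip):
        return []
    return sorted(k for k in headers if k.lower() in IP_OVERRIDE_HEADERS)


if __name__ == "__main__":
    # Constructed sample requests: a direct client spoofing the header, and a
    # request that arrived through one of our proxies.
    print(client_ip("203.0.113.5", {"X-Forwarded-For": "10.0.0.1"}))
    print(client_ip("10.0.0.2", {"X-Forwarded-For": "198.51.100.7, 10.0.0.3"}))
    print(spoofing_headers("203.0.113.5", {"X-Real-IP": "127.0.0.1"}))
```

The important property is that a client connecting directly (or through a proxy you did not configure) cannot influence the result at all: the header is simply never read. Note that `spoofing_headers` only covers the names in the list; a proxy that honours some other vendor-specific header needs that name added to the set.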
Until next time! 🙂