Article

Article title REVIEW OF THE DE FACTO STANDARD X-FORWARDED-FOR HTTP HEADER AS AN ELEMENT CONDUCIVE TO UNAUTHORIZED ACCESS TO WEB RESOURCES
Authors A.M. Maximov, O.V. Serpeninov, E.N. Tischenko
Section SECTION I. INFORMATION SECURITY RISKS MANAGEMENT
Month, Year 08, 2014
Index UDC 004.057.4
DOI
Abstract The article reviews one aspect of how modern networks operate: HTTP headers. The review includes a short analysis of the documents that describe the standards governing HTTP headers and their behaviour, with particular attention to the X-Forwarded-For header. It also examines why correct handling of this header matters, given how many platforms (proxies, load balancers, web servers) support X-Forwarded-For; as an aside, the market share of the most popular web servers is briefly surveyed. The authors establish that relying on the de facto standard X-Forwarded-For header carries a risk: the header is supplied by whoever sends the request, so unless the web server accepts it only from a proxy it trusts, a client can forge the address it reports. When this threat is realised, an attacker can obtain unauthorized access to the target system with elevated privileges. The case in which the X-Forwarded-For header itself serves as the unauthorized entry point is also considered. The cases reviewed include the situation in which standard infrastructure (proxies, load balancers) is deployed, and the situation in which several independent components (such as a web application and a web server) operate together. In conclusion, several recommendations based on the results obtained are formulated to reduce the chance of system penetration.
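The risk the abstract describes comes down to which end of the X-Forwarded-For chain a server believes and whether it checks who delivered it. The following is an added example, not code from the article or from any of the products it reviews: it places the weak pattern (trust the leftmost entry unconditionally) beside a hardened version that honours the header only when REMOTE_ADDR is one of a configured set of trusted proxies and then walks the chain from the right, discarding its own proxies. The proxy range, the admin allowlist and the request samples are constructed for illustration.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed, assumed configuration (not from the article):
# the reverse proxy / load balancer range the web server trusts, and an
# "internal addresses only" rule protecting an administrative interface.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]


def _parse_ip(text: str):
    """Return an ip_address object, or None if the text is not a literal IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _in_any(ip, networks: Iterable) -> bool:
    return any(ip in net for net in networks)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The weak pattern: believe the leftmost X-Forwarded-For entry.

    The header is set by whoever sends the request, so a client talking to
    the server directly can put any address here and this function will
    report it as the client's address.
    """
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def trusted_client_ip(remote_addr: str, xff: Optional[str],
                      trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Hardened: use the header only if the TCP peer is a trusted proxy.

    Walk the chain right to left. Entries that are our own proxies are
    skipped; the first entry that is not ours is the furthest address we
    can actually vouch for (our proxy appended it). Anything to the left of
    it was supplied by parties we do not control and is ignored.
    """
    peer = _parse_ip(remote_addr)
    if peer is None or not _in_any(peer, trusted) or not xff:
        # Direct client, unparsable peer, or no header: REMOTE_ADDR is the truth.
        return remote_addr
    for hop in reversed(xff.split(",")):
        ip = _parse_ip(hop)
        if ip is None:
            break                      # junk; do not guess, fall back below
        if _in_any(ip, trusted):
            continue                   # one of our proxies; keep walking left
        return str(ip)
    return remote_addr                 # chain held only our proxies or junk


def admin_allowed(client_ip: str) -> bool:
    """The access-control decision that the forged header is aimed at."""
    ip = _parse_ip(client_ip)
    return ip is not None and _in_any(ip, ADMIN_ALLOWLIST)


if __name__ == "__main__":
    # Scenario 1: attacker (203.0.113.9) reaches the backend directly and
    # claims to be an internal host. Only the naive server lets them in.
    direct = ("203.0.113.9", "10.0.0.5")
    print("naive   :", naive_client_ip(*direct), admin_allowed(naive_client_ip(*direct)))
    print("hardened:", trusted_client_ip(*direct), admin_allowed(trusted_client_ip(*direct)))

    # Scenario 2: same attacker, but via the trusted proxy, which appends the
    # real peer address. The rightmost untrusted hop is what we trust.
    via_proxy = ("192.0.2.1", "10.0.0.5, 203.0.113.9")
    print("via proxy:", trusted_client_ip(*via_proxy), admin_allowed(trusted_client_ip(*via_proxy)))
```

The hardened version is only as good as `TRUSTED_PROXIES`: if that set is wider than the proxies actually deployed, or if the backend is reachable without passing through them, the header can again be spoofed. For the same reason an allowlist on the proxy itself should be evaluated against the TCP peer, not against a header the proxy merely copies.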


Keywords Web-server; X-Forwarded-For; HTTP-header; REMOTE_ADDR.
References 1. "Forwarded HTTP Extension", RFC 7239, The Internet Engineering Task Force (IETF). Available at: http://tools.ietf.org/html/rfc7239.
2. Squid proxy server documentation: Configuring Squid. Available at: http://wiki.squid-cache.org/squidFaq/ConfiguringSquid.
3. Apache HTTP Server documentation: Apache Module mod_proxy. Available at: http://httpd.apache.org/docs/trunk/mod/mod_proxy.html.
4. Barracuda Load Balancer – Administrator Guide – Release 4.2. Available at: https://techlib.barracuda.com/LOAD.
5. Cisco: Configure ACE with Source NAT and Client IP Header Insert. Available at: http://www.cisco.com/c/en/us/support/docs/interfaces-modules/ace-application-control-engine-module/107399-ace-sourcenat-config.html.
6. Netcraft, "June 2014 Web Server Survey". Available at: http://news.netcraft.com/archives/2014/06/06/june-2014-web-server-survey.html.
7. "Issues with IP Address Sharing", RFC 6269, The Internet Engineering Task Force (IETF). Available at: http://tools.ietf.org/html/rfc6269.
8. "Unique Local IPv6 Unicast Addresses", RFC 4193, The Internet Engineering Task Force (IETF). Available at: http://tools.ietf.org/html/rfc4193.
9. "Deprecating Site Local Addresses", RFC 3879, The Internet Engineering Task Force (IETF). Available at: http://tools.ietf.org/html/rfc3879.
10. Maksimov A.M. Analiz osobennostey osushchestvleniya atak na veb-server posredstvom generatsii oshibochnykh zaprosov [Analysis of attacks on a web server carried out by generating malformed requests], Izvestiya YuFU. Tekhnicheskie nauki [Izvestiya SFedU. Engineering Sciences], 2013, No. 12 (149), pp. 143-148.
11. Maksimov A.M., Tishchenko E.N. Osobennosti ispol'zovaniya nositeley informatsii v zashchishchennykh informatsionnykh sistemakh [Features of the use of storage media in secure information systems], Izvestiya YuFU. Tekhnicheskie nauki [Izvestiya SFedU. Engineering Sciences], 2011, No. 12 (125), pp. 238-244.
