9

I have the following PHP code that writes accepted to a file named text.txt only if the IP is equal to 127.0.0.1 (loopback). If the IP doesn't match it writes denied.

<?php
$file = fopen('text.txt' , 'a');
if($_SERVER['REMOTE_ADDR'] === '127.0.0.1') {
$request = $_GET['output'];
if($request === '123') {
fwrite($file, "\x0D\x0A".'accepted - ' .$_SERVER['REMOTE_ADDR']);

}

}
else {  
    fwrite($file, "\x0D\x0A".'denied - ' .$_SERVER['REMOTE_ADDR']);
}
?>

Can I send the get request (www.example.com/get.php?output=123) from an external network with a spoofed IP of 127.0.0.1? If it is possible, how can I do it? If not, why?

Anders
  • 64,406
  • 24
  • 178
  • 215
  • if your router does port forwarding, maybe, but it's easier to run the malicious commands from the expected address by XSS or attacking the router. – dandavis May 29 '16 at 04:52

3 Answers3

11

Is it possible to send HTTP packet via spoofed IP?

No you can't.

HTTP is a protocol on top of TCP and doing IP spoofing with TCP is nearly impossible due to the internals of the protocol. You would not only need to send a single spoofed packet like in UDP but you would actually need to reply the packets of the peer with the matching sequence numbers without being able to watch the peers packets which contains this sequence number you need to match. And this reply must happen just to establish the connection, i.e. before even sending your HTTP payload.

Apart from that many systems will simply drop packets which do not fit the routes, i.e. a packet claiming to be from 127.0.0.1 (localhost) should never come in at the network card connected with the local network.

if($_SERVER['REMOTE_ADDR'] === '127.0.0.1') {

But given your code you might actually be more interested if the value in $_SERVER['REMOTE_ADDR'] could be spoofed. While most assume that this is the source IP address of the client it can actually be different from the real source IP of the HTTP connection and it might even be manipulable by an attacker.

In case of a reverse proxy (or load balancer) in front of the web server the real IP of the client is not known to the web server because the connection from the client actually terminates at the reverse proxy. Therefore it is not uncommon for the reverse proxy to propagate the original clients source IP by inserting a HTTP header, typically X-Forwarded-For. Some web servers are setup to put the value from this header into $_SERVER['REMOTE_ADDR'] instead of the real source IP. And in some situations this is actually exploitable by the attacker to bypass IP based access control like employed in your case.

For a specific example of this kind of bypass see Anatomy of an Attack: How I Hacked StackOverflow.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
9

It is not possible

A spoofed http packet would have to travel over a TCP connection.

TCP has a 3-way handshake that would prevent communication from a spoofed IP address from ever reaching the server's PHP code.

Before application data starts getting sent, here is what would happen:

YOU send TCP SYN with spoofed IP

SERVER responds with SYN-ACK to that IP and waits for an ACK, Data packet back from that IP.

End of conversation!

Your TCP stack would only send the SYN packet and the remote system would attempt to send an SYN-ACK packet back to the spoofed IP you sent. It would never get a reply to the SYN-ACK from that spoofed IP even if it existed and received the SYN-ACK packet because it knows it never sent the SYN packet.

mcgyver5
  • 6,807
  • 2
  • 24
  • 45
  • does this imply that I can send tons of tcp-syn packets with a spoofed ip address and that ip address will receive tons of syn-ack responses and, thus, will eventually consume all of its resources such as RAM, CPU and get frozen? So that'll be a ddos attack. – Oskar K. Jun 11 '16 at 04:34
6

Spoiler: you can't.

Smart pants: If you can fit the request in a single TCP packet, you can. Or if you control the routing to the spoofed IP. Or the machine with the IP that is spoofed.

But: you probably won't be able to do that.

The problem is: while HTTP is stateless, it uses TCP, which isn't. Especially, before any actual data is sent, a handshake is performed to establish "ground rules" for communication.

If a packet with a spoofed IP is sent, the answer from the server will be sent to that IP, not yours.

That means you cannot complete the handshake, hence send no HTTP-request.

More precisely, if you spoof a TCP SYN packet from IP a while you only get to see packets sent to IP b, you will not see the TCP ACK packet that the server sends to a. Hence, you cannot craft another spoofed packet to correctly establish a TCP connection.

For further reading, I suggest your favorite search engine and "TCP".

Tobi Nary
  • 14,302
  • 8
  • 43
  • 58