11

I have this Google Chrome privacy-preserving extension that I am working on, where I can spoof header information, e.g. user agents and so on.

When I spoof X-Forwarded-For IP and go to http://whatsmyuseragent.com/ I see a different IP and my physical location. Whereas if I go to http://whatismyipaddress.com/location-feedback I see my actual IP and physical location.

If I access the same site from TOR/VPNs I see an entirely different location and IP, which means TOR/VPNs hide my true identity. I know that a proxy receives my requests and forwards them on its behalf, so why doesn't the X-Forwarded-For IP do the same? I mean, what is the point of spoofing the X-Forwarded-For IP when it just tells the originating IP even though I have changed it many times?

Curtis Hagen
  • The problem with standards track standards is the draft track ones are sidelined. So much so, vendors and developers started to create their own headers because of the difficulty to push for a solution, which of course results in all the X- headers. Some of which are honoured and sometimes they aren't. Also look deeper into the reason your location feedback is revealed. – munchkin Aug 04 '15 at 10:06

3 Answers

9

The X-Forwarded-For header may be used to forward the client's real IP in case of source NAT, but not all applications use it.

This header is often inserted by load-balancers or reverse-proxies, depending on the architecture in place, when the application needs to know the real IP belonging to a client.

When this header is inserted, the application can see 2 IPs:

  • Source IP used in TCP/IP connection
  • IP set in X-Forwarded-For header

Setting this header does not hide your real IP (as it is still used in TCP/IP connection) but can trick applications using it. However as you were able to see, not all applications are using it.

With TOR and VPN, it is the IP used in the TCP/IP connection that is modified by (respectively) your exit node/your VPN gateway. However, they don't (and should not) operate at the application layer, and they don't (and shouldn't be able to) insert the X-Forwarded-For HTTP header, thus your real IP is hidden.

RJFalconer
Jyo de Lys
  • Thanks @Jyo de Lys. What I get from your answer (related to my extension) is that X-Forwarded-For is Application Layer information and X-Real is TCP/IP. Am I right? And can I trick proxy servers with X-Forwarded-For? E.g. you would be familiar with the VPN "HideMyAss". They have a browser extension for Chrome. What if I redirect all my traffic to it and all my traffic is spoofed for each web request (user agent spoofed, via spoofed, x-forwarded-for spoofed)? Would "HideMyAss" still recognize me as a single user or multiple users? – Curtis Hagen Aug 04 '15 at 10:37
  • also if you could answer my other question https://security.stackexchange.com/questions/95867/how-to-validate-my-chrome-security-extension – Curtis Hagen Aug 04 '15 at 10:44
  • X-Forwarded-For is an HTTP header, HTTP is a layer 7 protocol. I never heard about X-Real-IP but according to the name I think this is an HTTP header too. If you want to modify this header for privacy, you're wrong as it does not mask your real IP which is the source of the TCP stream. And I really don't know for HideMyAss as every application manages the X-Forwarded-For header differently... – Jyo de Lys Aug 04 '15 at 15:16
  • The exit IP or the real IP is called X-Real IP. So again if I am spoofing the header information other than the real IP, would it somehow preserve my privacy? – Curtis Hagen Aug 04 '15 at 18:22
4

The additional headers (usually identifiable by a deprecated convention of using X- as a prefix) are just a convention, and are editable by anyone with access to the plaintext connection between the client and server.

So the presence of an X-Forwarded-For (or "Via", or some other variants) is not a reliable indicator of the real IP. The absence of such a header is not an indicator of a direct connection. OTOH you may attach some significance to the presence of such a header in an HTTPS request.

If you are trying to rob a bank, and the bank ignores the client address in the presence of a X-Forwarded-For header then they've provided a very simple way for you to cover your trails.

It is possible, though very difficult, to spoof the "from" address which appears in TCP/IP packets. Hence it can usually be trusted as an accurate end point (but the actual client may be at a different address using this device as a NAT router / proxy).

> I know that [tor] proxy receives my request and forward them on its behalf, why doesn't X-Forwarded-For IP do the same ?

Firstly X-Forwarded-For is a bit of text in your request while tor is a network infrastructure and associated protocols. Secondly, the context in which the header is added is when connections are sent via a proxy which will reassemble the packet stream then may perform a number of operations on the request, which may include sending the request on to the origin host.

symcbean
0

These headers are set by reverse proxies to let the web server behind the proxies know what the original IP address making the request was.

Changing them would not hide your IP address. A properly configured reverse proxy would simply overwrite the value.

(A reverse proxy is basically a web server between the outside world and another web server/application.)

Rob
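
The answers above say the application sees two addresses (the TCP source and the header value) and that a properly configured proxy does not let client-supplied values through. The following is an added example, not code from any of the posts, of how a server can choose between the two; the `TRUSTED_PROXIES` range, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumed deployment: our own reverse proxies live in this range
# (constructed value for the example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address the application should treat as the client.

    peer_addr  -- source IP of the TCP connection (not settable by a header)
    xff_header -- raw X-Forwarded-For value, or None
    """
    peer = ipaddress.ip_address(peer_addr)
    # Connection did not come from one of our proxies: the header is just
    # text the client typed, so it is ignored entirely.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Walk right to left: each trusted proxy appended the address it saw.
    # The first entry that is not one of our proxies is the client; entries
    # further left were supplied by that client and carry no weight.
    candidate = peer
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            break  # malformed entry: keep the last verified address
        candidate = hop
        if not _is_trusted(hop):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed requests: direct client with a spoofed header, then the
    # same spoofed header arriving through a trusted proxy.
    print(client_ip("203.0.113.7", "1.2.3.4"))
    print(client_ip("10.0.0.5", "1.2.3.4, 203.0.113.7"))
```

In both sample calls the spoofed `1.2.3.4` is discarded and the TCP-derived `203.0.113.7` is used, which is why changing the header in a browser extension does not hide the client from a server that handles it this way.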