stefanprodan / WebApiThrottle

ASP.NET Web API rate limiter for IIS and Owin hosting
MIT License
1.28k stars, 274 forks

X-Forwarded-For security issue #121

Closed mustafakarakus closed 6 years ago

mustafakarakus commented 6 years ago

First of all, thank you for this project. I am using it, but there is a HUGE security issue. When I was testing my application, I bypassed the throttle successfully and logged in after a brute-force attack!

You are getting the client IP address from X-Forwarded-For, and this header can be manipulated. So I changed my IP address in X-Forwarded-For for every throttle limit. The problem is caused by HttpRequestExtensions.cs.

be safe.

stefanprodan commented 6 years ago

The HUGE risk is when you don't configure your reverse proxy to set that header, e.g. nginx proxy_set_header.

You can also implement your own client IP fetch logic here https://github.com/stefanprodan/WebApiThrottle#custom-ip-address-parsing

mustafakarakus commented 6 years ago

Then you should warn people: "Configure your reverse proxy, because we are reading the IP from the client."
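The two comments above describe the same fix from opposite sides: the proxy must overwrite X-Forwarded-For (with nginx, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, which appends the peer address to whatever the client sent), and the application must only believe the header when the TCP peer is actually that proxy. The following is an added example of the second half, written for this thread and not code from the WebApiThrottle project or from either commenter. It assumes the custom-parser hook the README describes (subclassing `IpAddressParser` and overriding `GetClientIp(HttpRequestMessage)`, then assigning the instance to `ThrottlingHandler.IpAddressParser`); the class name `TrustedProxyIpAddressParser`, the proxy addresses and the policy numbers are hypothetical.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web;
using System.Web.Http;
using WebApiThrottle;

// Hypothetical parser (example, not part of WebApiThrottle): X-Forwarded-For is
// trusted only when the request arrived from a known reverse proxy, and only the
// right-most hop that was not itself appended by a trusted proxy is used. A
// header supplied by a client talking directly to the server is ignored.
public class TrustedProxyIpAddressParser : IpAddressParser
{
    // Assumed deployment: these are the proxies that sit in front of IIS/Owin.
    private static readonly HashSet<string> TrustedProxies = new HashSet<string>
    {
        "10.0.0.5",    // constructed example address
        "127.0.0.1"
    };

    public override IPAddress GetClientIp(HttpRequestMessage request)
    {
        IPAddress peer = GetRemoteEndpoint(request);
        if (peer == null)
        {
            // No transport information available (e.g. unit test); keep the library's behaviour.
            return base.GetClientIp(request);
        }

        if (!TrustedProxies.Contains(peer.ToString()))
        {
            // Direct client: whatever it put in X-Forwarded-For is attacker-controlled.
            return peer;
        }

        IEnumerable<string> values;
        if (!request.Headers.TryGetValues("X-Forwarded-For", out values))
        {
            return peer;
        }

        // A proxy appends the address it saw to the end of the comma-separated list,
        // so the trustworthy entry is found by walking from the right and skipping
        // any hop that is itself a trusted proxy (chained proxies).
        List<string> chain = values
            .SelectMany(v => v.Split(','))
            .Select(s => s.Trim())
            .Where(s => s.Length > 0)
            .ToList();

        for (int i = chain.Count - 1; i >= 0; i--)
        {
            IPAddress hop;
            if (!IPAddress.TryParse(chain[i], out hop))
            {
                break; // malformed entry: stop trusting the rest of the chain
            }
            if (!TrustedProxies.Contains(hop.ToString()))
            {
                return hop;
            }
        }

        // Every entry was a trusted proxy or the header was unusable; throttle on the peer.
        return peer;
    }

    // Reads the TCP peer address from the IIS or Owin host context.
    private static IPAddress GetRemoteEndpoint(HttpRequestMessage request)
    {
        object ctx;
        IPAddress ip;

        if (request.Properties.TryGetValue("MS_HttpContext", out ctx))
        {
            var http = ctx as HttpContextBase;
            if (http != null && IPAddress.TryParse(http.Request.UserHostAddress, out ip))
            {
                return ip;
            }
        }

        if (request.Properties.TryGetValue("MS_OwinContext", out ctx))
        {
            var owin = ctx as Microsoft.Owin.IOwinContext;
            if (owin != null && IPAddress.TryParse(owin.Request.RemoteIpAddress, out ip))
            {
                return ip;
            }
        }

        return null;
    }
}

public static class ThrottleConfig
{
    // Registers the handler with the hypothetical parser; limits are illustrative.
    public static void Register(HttpConfiguration config)
    {
        config.MessageHandlers.Add(new ThrottlingHandler
        {
            Policy = new ThrottlePolicy(perSecond: 1, perMinute: 20) { IpThrottling = true },
            Repository = new CacheRepository(),
            IpAddressParser = new TrustedProxyIpAddressParser()
        });
    }
}
```

With this in place the brute-force described in the first comment no longer works: a request that reaches the server directly is throttled on its socket address regardless of the header, and a request that comes through the proxy is throttled on the address the proxy appended, which the client cannot choose. The trusted-proxy list must be kept in sync with the deployment; if the proxy's address changes and the list is not updated, every request is throttled on the proxy's single address.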