yanc0 / beeping

HTTP Monitoring via API - Measure the performance of your servers
MIT License
262 stars, 14 forks

De-anonymize requests #18

Closed TheHackerDev closed 7 years ago

TheHackerDev commented 7 years ago

Attackers commonly use proxy services (which is essentially what BeePing is) to anonymize their attack traffic. In the case of BeePing, an attacker could enumerate internet-facing web hosts or launch a DoS attack via a BeePing host, and their originating IP would not be disclosed to the target system. The "Forwarded" header has been standardized for use in these very instances, and would allow the target system to identify the true source of any attacks and respond accordingly.

I could put together a pull request to fix this issue if you'd like. Basically, I would be adding the appropriate header into each outbound request (somewhere around here). The header would look something like this: `Forwarded: For=<IP>`.

Cheers, Aaron (insp3ctre)

yanc0 commented 7 years ago

Yeah, it's an excellent idea!

TheHackerDev commented 7 years ago

Okay, I'll put together a fix now and submit the PR.

Aaron (insp3ctre)

TheHackerDev commented 7 years ago

So, as the code stands now, I don't have access to the IP in the CheckHTTP() function. However, I do have it in the caller, which is the handlerCheck() function. The best way I can think of to solve this would be to provide the IP (or even the request pointer itself) into the CheckHTTP() function as a new parameter, so I can add the appropriate header using the source IP. Are you okay with adding a new parameter to the CheckHTTP() function?

Cheers, Aaron (insp3ctre)

yanc0 commented 7 years ago

Of course! Maybe you can pass `requester *http.Request` or something like that instead of just its IP address.

TheHackerDev commented 7 years ago

Ya, that's what I was thinking. It would make it a little easier to add more functionality there later on.

Cheers, Aaron (insp3ctre)
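The change discussed in this thread, as an added Go example that is not BeePing's own code: `forwardedFor` and `newCheckRequest` are hypothetical names, and the outbound probe is stamped with an RFC 7239 `Forwarded` header taken from the requester's `RemoteAddr`, so the target of a check can see which client asked BeePing to contact it.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// forwardedFor builds the value of an RFC 7239 "Forwarded" header from the
// address of the peer that called BeePing. RemoteAddr is the address the TCP
// layer actually saw, so unlike a client-supplied X-Forwarded-For header it
// cannot be set by the caller. RFC 7239 requires IPv6 addresses to be
// bracketed and quoted, e.g. for="[2001:db8::1]".
func forwardedFor(remoteAddr string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present; use the raw value
	}
	if ip := net.ParseIP(host); ip != nil && ip.To4() == nil {
		return fmt.Sprintf(`for="[%s]"`, ip.String())
	}
	return "for=" + host
}

// newCheckRequest is a hypothetical helper showing the shape of the change
// proposed in the issue: the check function receives the requester's
// *http.Request and adds the Forwarded header to the outbound probe.
func newCheckRequest(target string, requester *http.Request) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Forwarded", forwardedFor(requester.RemoteAddr))
	return req, nil
}

func main() {
	// Constructed sample: a caller from a documentation-range address.
	caller := &http.Request{RemoteAddr: "203.0.113.7:51234"}
	req, err := newCheckRequest("http://example.com/", caller)
	if err != nil {
		panic(err)
	}
	fmt.Println("Forwarded:", req.Header.Get("Forwarded"))
}
```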