
IP allowlist bypass via spoofed forwarded IP headers #2

@Tibinsunny


Summary

I was able to bypass the IP allowlist protection on a restricted endpoint by manipulating client-supplied IP forwarding headers. This indicates that the application trusts forwarded IP headers without validating that the request actually originates from a trusted proxy.


Impact

This issue can allow an attacker to:

  • Bypass IP-based access restrictions
  • Access endpoints intended to be protected by network allowlisting

You can curl the API from anywhere with a custom X-Forwarded-For header containing an allowed IP address, making the file accessible.

curl -H "X-Forwarded-For:10.0.0.1" http://localhost:8089/api/docs/view/<UUID>

In X-Forwarded-For, just replace the value with the whitelisted IP.

POC video
https://youtu.be/eRnTd-0vuB4

Root Cause

The IP validation logic appears to:

  • Trust forwarded IP headers provided by the client
  • Not restrict the use of these headers to a trusted reverse proxy or load balancer

As a result, the perceived client IP can be influenced by the requester.
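The following is an added example (not code from the report or the affected project) that shows the two resolution strategies side by side: the flawed one, which believes the left-most X-Forwarded-For entry unconditionally, and a hardened one, which only honours the header when the TCP peer is a known reverse proxy and then walks the chain from the right, skipping trusted proxies, until it reaches the first address it did not add itself. The allowlist, the proxy address and the attacker address are constructed values for the demonstration.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample values for this example (not from the report):
# an allowed internal range, the one reverse proxy that legitimately
# fronts the application, and an attacker on the public internet.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]
ATTACKER = "203.0.113.5"


def _in_any(addr: ipaddress._BaseAddress, nets: Iterable) -> bool:
    return any(addr in net for net in nets)


def client_ip_vulnerable(remote_addr: str, xff: Optional[str]) -> str:
    """Mirrors the flawed logic described in the report: if the client sent
    X-Forwarded-For, its first entry is taken as the client address, no
    matter who the TCP peer is."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr: str, xff: Optional[str],
                       trusted_proxies: Iterable) -> str:
    """Resolve the client IP while only trusting hops added by our proxies.

    - If the peer is not a trusted proxy, X-Forwarded-For is ignored: a
      direct client can write anything into it.
    - Otherwise the chain is [xff entries..., remote_addr]; walk it from the
      right and skip trusted proxies. The first non-proxy hop is the client,
      and anything further left is attacker-controlled noise.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, trusted_proxies):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    chain = hops + [remote_addr]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: return it unparsed so the allowlist check
            # fails closed instead of skipping further left.
            return hop
        if not _in_any(addr, trusted_proxies):
            return str(addr)
    # Every hop was one of our proxies; fall back to the peer address.
    return remote_addr


def is_allowed(ip: str, allowlist: Iterable) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return _in_any(addr, allowlist)


def decide(remote_addr: str, xff: Optional[str], hardened: bool) -> bool:
    """Allow/deny decision for one request under either strategy."""
    if hardened:
        ip = client_ip_hardened(remote_addr, xff, TRUSTED_PROXIES)
    else:
        ip = client_ip_vulnerable(remote_addr, xff)
    return is_allowed(ip, ALLOWLIST)


if __name__ == "__main__":
    # Attacker connects directly and spoofs an allowed IP (the report's PoC).
    print("direct spoof, vulnerable:", decide(ATTACKER, "10.0.0.1", False))
    print("direct spoof, hardened:  ", decide(ATTACKER, "10.0.0.1", True))
    # Attacker goes through the real proxy, which appends their address.
    print("via proxy, vulnerable:   ",
          decide("192.0.2.10", f"10.0.0.1, {ATTACKER}", False))
    print("via proxy, hardened:     ",
          decide("192.0.2.10", f"10.0.0.1, {ATTACKER}", True))
    # Legitimate internal client arriving through the proxy.
    print("internal via proxy:      ", decide("192.0.2.10", "10.0.0.1", True))
```

Note that the vulnerable resolver is bypassable even when the attacker is forced through the real proxy, because a standard proxy appends the peer address rather than replacing the header, so the attacker's spoofed value stays in the left-most position. The hardened resolver is only as good as the trusted-proxy list: it must contain exactly the hops that append to the header, and the proxy itself should reject or overwrite the header when the application has no such list.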
