From c850513286f9a488e6f934e3689d3f6f24e8694a Mon Sep 17 00:00:00 2001 From: Alexandru Date: Mon, 16 Sep 2024 20:12:23 +0300 Subject: [PATCH] minor correction --- content/posts/how-not-to-use-cloudflare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/how-not-to-use-cloudflare.md b/content/posts/how-not-to-use-cloudflare.md index f32ddf1..6990058 100644 --- a/content/posts/how-not-to-use-cloudflare.md +++ b/content/posts/how-not-to-use-cloudflare.md 
@@ -60,7 +60,7 @@ This is the response you get if you try going to http://fzorb.xyz/. It redirects We had more "humble" motive. The website in question checked your IP address before accessing the website so it wouldn't be from a certain country to join a Discord guild in order to prevent someone from joining. I found this absurd so I came up with the attack vector, and my friend did the actual exploiting of this vulnerability. This was used to prevent geoblocking. But this could also be used in worse ways, such as impersonating admins on a forum for example. In fact, Stack Overflow in its early days determined admins by their IP address, which in this case was 127.0.0.1. This is not secure at all. ## So how does this work? -The webserver knows your IP address via a header called X-Forwarded-For. Cloudflare doesn't use that header, instead using CF-Connecting-IP. In the absence of Cloudflare, you can set CF-Connecting-IP to any value you want and the Webserver will think it is valid. You could set your ip to values like `1.1.1.1`, `1.3.3.7`, `69.69.69.69`, or even `420.420.420.420`, and the webserver can't know any better. +The webserver knows your IP address via a header called X-Forwarded-For. Cloudflare doesn't use that header, instead using CF-Connecting-IP. In the absence of Cloudflare, you can set CF-Connecting-IP to any value you want and the Webserver will think it is valid. You could set your ip to values like `1.1.1.1`, `1.3.3.7`, `69.69.69.69`, or maybe even `420.420.420.420`, and the webserver can't know any better. ## How do I mitigate it? You can mitigate it via numerous ways. Here are the 2 ways you can do that:
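Review bot: the only change in this hunk is inserting "maybe" before "even", which leaves the substantive problem in the same sentence untouched: `420.420.420.420` is not a valid IPv4 address (each octet ranges 0-255), so if the intent is to show that the origin accepts even impossible values, say so explicitly, e.g. "or even an impossible value like `420.420.420.420`", rather than listing it alongside real addresses. While touching this paragraph, "In the absence of Cloudflare" is ambiguous; the scenario the post describes is a request that reaches the origin webserver directly instead of through Cloudflare's proxy, so "when a request reaches the origin without passing through Cloudflare" states the precondition more precisely and also sets up the mitigation section that follows (which is cut off in this hunk's context). Minor: "ip" and "Webserver" should be "IP" and "webserver" for consistency with the rest of the line.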