Reputation: 31
IP Address - HTTP Spoofing?
I have two questions:
In PHP, when a programmer uses the "REMOTE_ADDR" variable to get the IP address of the web client, that IP address is taken from a field in the HTTP header? Or from where?
If the IP address of the client is taken from the HTTP headers, can a web client "spoof" or "change" the HTTP headers to hide his real IP address?
Upvotes: 2
Views: 7655
Answers (3)
Reputation: 6606
$_SERVER["REMOTE_ADDR"] : As said is taking the IP from the IP socket in the TCP connection... The way to spoof your real IP is easy using a remote server for example: 'TOR network'.
Example: If I want to send a request to the site server (but I need to spoof my IP) I use:
<?php
$ip = '127.0.0.1';
$port = '9051';
$auth = 'PASSWORD';
$command = 'signal NEWNYM';
$fp = fsockopen($ip,$port,$error_number,$err_string,10);
if(!$fp) { echo "ERROR: $error_number : $err_string";
return false;
} else {
fwrite($fp,"AUTHENTICATE \"".$auth."\"\n");
$received = fread($fp,512);
fwrite($fp,$command."\n");
$received = fread($fp,512);
}
fclose($fp);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://whatismyip.org"); //ipimg.php
curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:9050");
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_VERBOSE, 0);
$response = curl_exec($ch);
curl_close($ch);
echo $response;
?>
This code demonstrate how I'm spoofing my IP using a TOR service that is using SOCKS5 / SOCKS4 to send requests to another server without using my real IP. I'm testing it with whatismyip.org to see the IP change.
Have fun.
Upvotes: 4
Reputation: 6049
1) $_SERVER["REMOTE_ADDR"] comes straight from the TCP connection.
2) $_SERVER["REMOTE_ADDR"] can only be spoofed using a man in the middle attack on a non-SSL TCP connection (the SSL handshake has some protections against IP spoofing).
2) $_SERVER variables which come from HTTP headers are prefixed with HTTP_ and yes, if they contain IP addresses, they can be spoofed trivially by the caller. You should never trust $_SERVER["HTTP_*"] variables which contain IP addresses.
Upvotes: 0
Reputation: 100170
REMOTE_ADDR is taken from the TCP/IP connection and it's very hard to spoof.
It could be inaccurate though, if your server is behind a reverse proxy. In that case you'd have to read X-Forwarded-For header, which can be spoofed easily if your proxy doesn't always override it.
Upvotes: 5
Related Questions
- IP address spoofing/changing for testing on local machine
- PHP session spoofing/hijacking
- Preventing cURL Referrer spoofing
- How do I use cURL & PHP to spoof the referrer?
- Session spoofing (PHP)
- Preventing IP spoofing
- bypass spoof redirection
- Is there a way to spoof ip address when fetching content from a page through PHP
- php: spoofing referrer?
- How to prevent HTTP Spoofing?