DEV Community

Cover image for Making a server believe you're from somewhere else
mikotian
mikotian

Posted on • Edited on

Making a server believe you're from somewhere else

#ipspoofing #testing

Recently I had to test a scenario where the laravel application detects which region a request is coming from and based on that chooses the correct payment gateway (domestic/international) to effect the payment. This was tricky for the following reasons:

  • We were testing on servers which were in a VPN enclosed environment. And the VPN gateway always shows a United States IP.
  • All gateways available to us were US based only. Using a different VPN wasn't possible as its against company policy (and also unsafe).

Now normally, when such systems are built, they are usually built on the basis of geolocation (invasive, think of your browser asking you to share your location) or on the basis of IP Ranges (non-invasive, you can find these on many websites that tell you that you are from such and such country). We were going with IP Ranges, so spoofing geolocation using chrome, playwright etc was out of the question.

The Solution:

We're using an Apache Server as our web server. One of the features of the apache web server is the modules you can load onto it that helps you do things before requests hit the hosted applications. One such module is the mod_headers, which can be used to add/modify basically any header one may need.

So we added the module, enabled it and wrote in a rule that would replace the RemoteIPHeader with whatever IP we fedinto each request in the X-Forwarded-For header.

$ sudo a2enmod mod_headers

$ sudo a2enmod headers

Restart apache2

sudo systemctl restart apache2

Add the following to virtualhost config for application site

RemoteIPHeader X-Forwarded-For

That is the configuration needed at the server side.

At the client side, we need to ensure that the X-Forwarded-For header is added/modified for each request. Since this is a web application and not an API, it needs some extra helping to do this.

  • Use a chrome extension to modify each request to add the required X-Forwarded-For
  • Use a proxy that does the above.

We used a proxy. More to the point, we used Burp Suite Community Edition to do the same.

Burp Proxy Settings

Burp has a built in browser that will use the configured proxy. Browse the application with this browser and voila! You have fooled your application that you are from Berlin when in truth you sit in Baramati!

The process in a nutshell:

Flowchart showing modification of IP via Proxy

Top comments (0)