backend IP
e01
May 24th, 2018
HOW TO GET BACKEND IP ADDRESS

What Is The Host Header?
The Host header is one of the mandatory headers in an HTTP/1.1 request, which means it has to be part of the request or the request will not go through. What the Host header does is tell the box which web app you want your request diverted to. A good analogy is an apartment complex: Johnny Appleseed lives in unit 1A, and Bob has the street address of the building but needs the right unit number to get mail to the correct place, otherwise the apartment management would have a hard time working out who the letter is for. In this case the street address is the IP address of the server (usually this is the default vhost; DNS converts the name into an IP address in the background, which the user doesn't see) and the unit number is the domain you type in the Host header. Another important aspect of the Host header is the vhost, or Virtual Host: in a web server such as Apache or nginx you can list out multiple vhosts in the configuration so the server can tell which web application to serve you. Say in my vhosts I put <VirtualHosts>CoolKids.com RudeKids.com MeanKids.com</VirtualHosts>; if I send an HTTP request to 9.9.9.9 with Host: CoolKids.com or Host: RudeKids.com, I get routed to the respective web application.

Ok sounds cool, how can I use this to bypass a reverse proxy commonly used like Cloudflare, for example?
You can use something like https://github.com/zmap/zgrab by the zmap project. As you know, zmap is similar to masscan, which allows you to scan the entire IPv4 address space; zgrab is an application-layer scanner which allows you to send HTTP requests to every single IPv4 address, which is what we want. We simply set the Host header to the target application. For example, say I wanted to find the backend IP of umggaming.com: I would send GET -All IP ranges to enumerate through here- with Host: umggaming.com, then check each HTTP response for certain text found in either the HTML <body> tag or the <title> tag, and by doing that I would be able to get the backend IP, which is an AWS box IP since I've gotten umggaming's IP before.

Mitigations for this attack
There's a new service called Cloudflare Warp which uses firewall IP whitelisting, which means if the HTTP request isn't coming from Cloudflare address space the firewall will basically tell you to take a hike. You can also roll your own IP whitelisting, but for those that aren't good with web server configurations, Cloudflare Warp is a great paid alternative to custom roll-outs. I believe it's still an invite-only feature, but I'm not sure.
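As an added example (not code from the original paste), here is a Python sketch of the origin-side IP whitelisting check described above: a connection is only accepted when the peer address is inside the proxy's published ranges, the CDN's client-IP header is trusted only in that case, and everything else gets a generic body that carries none of the <title>/<body> text a content-matching scan would look for. The ranges are constructed RFC 5737 documentation networks standing in for the provider's real list; the header name cf-connecting-ip is Cloudflare's real client-address header and is assumed to be the CDN in use.

```python
import ipaddress

# Constructed stand-in for the proxy's published ranges (RFC 5737 documentation
# networks). In production, load the CDN provider's real list instead.
PROXY_RANGES_SAMPLE = ["198.51.100.0/24", "203.0.113.0/24"]

# Header Cloudflare sets with the true client address (assumed CDN here). Any
# such header is only meaningful when the TCP peer is the CDN itself.
CLIENT_IP_HEADER = "cf-connecting-ip"


def build_allowlist(cidrs):
    """Parse CIDR strings once at startup into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_from_proxy(peer_ip, allowlist):
    """True if the TCP peer address falls inside one of the proxy ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in allowlist)


def client_ip(peer_ip, headers, allowlist):
    """Trust the CDN's client-IP header only when the connection came from the CDN.
    Otherwise that header is attacker-controlled, so fall back to the peer address."""
    if is_from_proxy(peer_ip, allowlist) and CLIENT_IP_HEADER in headers:
        return headers[CLIENT_IP_HEADER]
    return peer_ip


def handle_request(peer_ip, headers, allowlist, served_hosts):
    """Return (status, body) for one request; headers is a dict with lowercase keys."""
    if not is_from_proxy(peer_ip, allowlist):
        # Direct hit on the origin (e.g. an IPv4-wide scan carrying the real Host).
        # Reply with a generic body so no site-specific text can be matched on.
        return 403, "forbidden"
    host = headers.get("host", "").split(":")[0].lower()
    if host not in served_hosts:
        # Unknown vhost: do not fall through to a default site that reveals content.
        return 421, "misdirected request"
    return 200, "app for " + host
```

The same check belongs in the firewall or web server config in front of the app; this function shows the decision logic rather than replacing those layers.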

Note*: These mitigations can also be bypassed if an attacker is persistent enough, but they raise the bar greatly. Web application security is an arms race: attackers will continue to find new bypasses and defenders will continue to patch them. In this case, to bypass IP whitelisting you can use an SSRF in Cloudflare to make it seem like the request is coming from a Cloudflare IP. Someone discussed a PoC on medium.com a while back; if I find the article I'll edit this thread and include it, but basically it involved SSRF'ing Cloudflare to submit requests to the target's backend IP on your behalf, and this would bypass Cloudflare Warp. I don't believe this is easy to do; it had something to do with messing around in the Cloudflare settings panel, and it could be patched for all I know. I do recall it seemed to be an intentional SSRF and you were just abusing Cloudflare to piggyback, so maybe it isn't patched, but that's just one potential bypass for Warp, which seems like a pretty tough service to bypass to get backends.

I hope you guys enjoyed this thread and learned something new today.