This might be one of those "huh, why?" questions, but I figured it would be worth the try.
How would one, from a server-side application, use the clients IP address as the applications IP address to another website? The basic idea is that any work the server side application does, is seen as the client itself doing the work, and not the servers static IP.
I am not sure if changing HTTP headers would work, but I could be wrong. Is there any documentation out there on this?
Thanks,
Kyle
Utterly, utterly impossible. You won't even be able to open a TCP connection because the other website's server will try to handshake with the client, and fail.
An IP address isn't just any old ID, it's the actually address that servers will send any response to. Spoofing it basically only makes sense if you can fit your request into a single IP packet (which rules out TCP and thus HTTP) and are not interested in the response. Even then it can fail because your ISP's routers may have anti-spoofing rules that drop packets with "outside" IP addresses originating from "inside" networks.
Why on earth would a legitimate application want to spoof its IP address?
Changing HTTP headers might cut it, but most likely it won't. Depends on how naive the other server is.
It sounds like you're trying to do something the wrong way, can you give a bit more information as to what exactly the use-case is?
If there's no processing to be done in between, you can do port forwarding on your server's IP firewall, so the client connects to your server but ends up talking to the other server.
If there's more involvement of your server, then the correct thing to do would be to pass the client's IP to the other server as part of the URL (if it's a web app) or elsewhere in the data (if not) so the receiving server can know and correctly log the process without any need for fakery. Of course this would also call for a change in the other app.
Again assuming we're talking about HTTP, another idea that came to my mind would be to redirect your client to the other server. As long as all necessary data is in the URI, you could advise the client's browser to connect to the other server with a URI of your own creation that could carry whatever extra value your server's processing adds to the request.
Decades ago, the designer of internet asked, "how can we prevent Kyle Rozendo from doing such a devious thing?"
If the client is cooperating, you can install some software on client machine, and do the work from there. For example, a signed java applet on your page. [kidding]If the client is not cooperating, install some trojan virus[/kidding]
Related
I am attempting to connect to URLs in Java to see if they are valid and I am wondering if I need to connect to HTTPS(port 443?) or if connecting to just HTTP(port 80) will be enough.
Does connecting to HTTP for an HTTPS website work? Is there anything with firewalls I should watch out for that wouldn't allow me to do this?
Thanks.
If you want to check that URLs are "valid" I think you want to know if they respond with a 200 status code to a GET request.
You'll need to check http and https separately if you want to know if they both work. They're two different protocols, and severs handle them differently. Some servers mirror the same content over both protocols, but many of them redirect the HTTP -> HTTPS etc.
Also not every server supports SSL connections, therefore HTTPS might not be available.
Since you rephrased your question I'll update my answer accoring to that.
To stay with your example:
Checking for URLS on port 80 is totally independent from checking urls on port 443. Maybe port 80 leads to the same content as port 443. Maybe port 80 leads to the end-user content, while port 443 leads to the admin-login.
Maybe apache operates on port 80 while nginx operates on port 443.
So to get the all of the content, you need to scan both ports. Additionally be prepared to find sometimes two different types of content, that don't have anything to do with each other. Admittedly this will happen rarely but it can happen.
Regarding firewalls:
If a web-service is intended to be public, firewalls will happily allow you to connect to the service. If a web-service is intended to be private and you can connect to it nonetheless, the firewall admin made a mistake :)
HTH
I have a fixed IP connection.
I am working on a project which will allow users to connect with my computer using a TCP/IP connection.
I am currently setting up the server on my machine (192.168.1.2) with port 69795.
My question is, if I forward all the requests made for the port to my machine, will the users be able to contact with the server?
I am sorry if my question is not clear.
It depends, but generally the answer is yes.
The things that might make the answer change from yes to no that you can influence:
Your server doesn't have a program ready to accept the connection on the correct port on 192.168.1.2
Your server has a firewall that discards the packets (parts of the connection) on the desired port on 192.168.1.2
The router is not configured to allow packets from the public networks to route to your server
The server doesn't know how to send the reply packets back to the router.
The server's program that responds is misconfigured or misbehaving.
There are also elements that you cannot control (but they thankfully are not often problems)
Someone else's router is misconfigured.
Someone else's computer is running a restrictive or misconfigured firewall or proxy.
Someone else has a client that is misconfigured or malfunctioning.
I suggest if you look into the Ciso CENT certification learning materials to get the basics of networking if you care to understand how some of this stuff works; but, you can easily configure your system to work without such understanding. If your setup misbehaves, often you can even fix it without full understanding. However, a good understanding of the details help greatly when something goes wrong.
I have a web-server that is behind a router. One of the servlets on that server relies on the IP address of the user, however, i often get the IP of my router (i.e. 192.168.1.1) instead of the real IP.
How can i fix that?
It sounds like your "router" is actually acting like a reverse proxy.
It is unlikely that you will be able to solve this in Java ... or even on your server machine. It sounds like a router configuration problem. You might be better off asking for help on "superuser" or "serverfault".
One thing to bear in mind is that identifying clients by IP address is always a bit dodgy. Even once you've sorted out the current problem, the real client IP address may not be available for various reasons:
The client's IP may be NATed.
The client may be talking to your webserver via a series of HTTP proxies.
The client may be spoofing its IP address.
I would suggest that access http://wwww.whatismyip.com to get you IP adddress in case you have not tried that way.You will more idea from this link.
Getting the 'external' IP address in Java
Grab your global IP from http://www.whatismyip.com/ , I think you might also need to configure port forwarding on router of user that is having servlet.
I'm developing a Spring application on my Windows 7 machine and running it on localhost:8080.
Is there any chance that if I do this in a public location like Starbucks that it is possible for my app to be visible to others?
(I'm using Windows Firewall and Microsoft Security Essentials)
Be sure that it is binding to localhost:8080 (i.e., 127.0.0.1), not all interfaces (which is probably the default). Server programs usually have an option to say which IP addresses to bind. For example, in Apache, you can provide an IP address to the Listen directive in addition to a port number. If you only bind to 127.0.0.1, the port will not be open for people scanning your external IP address.
Short answer: No.
Long answer: Someone might access your app like this:
If you visit a malicious website (if anyone at Starbucks is poisoning the DNS cache or spoofing DNS responses then you may visit a malicious website at www.google.com not knowing about it) then the attacker may send you to his domain with a DNS server (which may in fact be on his laptop) replying to the same query with very short TTL once with his IP, then with 127.0.0.1, then his IP again, etc. That way when you are sent to (http://www.example.com:8080) it is resolved as the attacker's IP and you get the website which starts an AJAX request to the same domain and the same port (so the same origin policy is satisfied in every browser) but thanks to the short TTL you don't have the domain entry in your cache any more, so you ask again and this time you get the answer 127.0.0.1 which incidentally is your own loopback interface which you assume to be invisible from the outside - and it is in fact invisible from the outside but perfectly visible from your browser. Your browser will happily connect to your app at 127.0.0.1:8080 and proxy the request to the attacker with another AJAX connection or any other side channel. VoilĂ , your app is now connected to the world!
Things like this happen in the wild so be careful. Sometimes people even access admin interfaces in routers behind NAT and firewalls that way. Quite frankly I'm pretty scared by all of the responses telling you that it is impossible to access anything running on localhost. Be careful what you do.
Is there any chance that if I do this in a public location like Starbucks that it is possible for my app to be visible to others?
Of course! People can look over your shoulder.
what Jeremiah said. use netstat -an to check what addresses it bound to.
and never trust Windows firewall, or any other software to which you don't have the source.
If the port is open it can be. If you program it to only accept connections from localhost while developing then even if they can see it, they wont be able to connect to it.
What I mean is like servers on video games. You can run an application and it will set up a server on your computer with an IP and a port.
For example, how would you make an application where one host application sets up a thing where it has an IP and a port, and another computer that has access to the internet as well can type in the IP and port and it would be able to communicate with the host? I mean simple communication, like sending a boolean or String.
And would there be any security problems that would be needed to fix?
I guess I grasp the concept of your question...
You want two computers to connect via internet right? If that is the case, then you will have to use a thing called "sockets" that do connections between computers. About the server thing, well, for starters the client must always know what IP the server as (direct IP or by a DNS), and then you can connect your client to your server. There is a tutorial for sockets at the java pages: http://download.oracle.com/javase/tutorial/networking/sockets . About security issues, well, you must make sure that your server can handle anything that comes from the client (i really mean everything), i mean, accepting every type of data that is supposed to receive and deny everything that is not (trash per say). If you have that in mind then there is no problem (and of course, the server must have a firewall also to control the sockets, but that's not up to you).
Here is an example of how to use sockets to send a string from a server to a client.
http://www.java2s.com/Code/Java/Network-Protocol/StringbasedcommunicationbetweenSocket.htm
The site has about 20 examples of how to do what you are trying to do. In general I find this site to be the best JAVA resource that I know.
In general, the thing you probably want is a Socket. Sockets allow you to send bytes to an endpoint via TCP or UDP. This is very low-level, though, and are somewhat tricky because you have to design your own application protocol. You may want to use something that offers more abstraction.
Java sockets expose a stream interface so you could just encode integers as strings, for instance, and send them line by line, or you could do something fancier and more efficient like using a DataOutputStream to wrap it.
Handling the following issues can improve security.
If you have router ,set different ports for routing.
Example: If you are running server say on port 6001, map a virtual port say 9001 , which would be exposed to public.
DDos
IP Restriction - Not every user can access your machine !
Enabling router firewall does handle most of the issues.