HTTP Headers
HTTP method override
The headers X-HTTP-Method, X-HTTP-Method-Override or X-Method-Override are used to override the real HTTP method of a request. The reverse proxy may check the real method and pass the request on to the application, which then uses the header value as the method. A proxy that enforces method-based access rules should therefore strip these headers before forwarding, or the application should refuse to honour them.
GET / HTTP/1.1
Host: ...
X-HTTP-Method: TRACE
X-HTTP-Method-Override: TRACE
X-Method-Override: TRACE
...
HTTP path override
The headers X-Original-URL or X-Rewrite-URL may be supported by applications in order to override the requested path. The reverse proxy may check the real path and pass the request on to the application, which then uses the header value as the path. A proxy that enforces path-based access rules should strip these headers before forwarding.
GET / HTTP/1.1
Host: ...
X-Original-URL: /admin
X-Rewrite-URL: /admin
...
Bypass user IP restriction
The following headers can be used to override the IP address of the user to bypass some restrictions based on the user IP.
X-Forwarded-For
X-Forward-For
X-Real-IP (nginx)
X-Remote-IP
X-Originating-IP
X-Remote-Addr
X-Client-IP
CF-Connecting-IP (Cloudflare)
True-Client-IP (Akamai, Cloudflare)
Fastly-Client-IP (Fastly)
X-Azure-ClientIP (Azure)
X-Azure-SocketIP (Azure)
Also keep in mind that a web server may treat header names as case-sensitive (even though HTTP defines them as case-insensitive), so you can send multiple variants of the same header, with added spaces and different cases:
x-real-ip
x-real-ip
X-rEal-Ip
You may need to repeat this test several times.
Sources:
- The perils of the “real” client IP
- Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond
- LiveOverflow - Finding 0day in Apache APISIX During CTF (CVE-2022-24112)
- apache/apisix fix real-ip header bypass
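The defensive counterpart to the header list above, as an added example that is not part of the original page: a client-IP resolver that merges repeated X-Forwarded-For headers case-insensitively and returns the rightmost address not belonging to a trusted proxy, placed beside the naive leftmost lookup that the bypass relies on. The trusted proxy ranges and the sample request are constructed for the example.

```python
import ipaddress

# Constructed sample: the networks our own reverse proxies sit in.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("203.0.113.5/32")]

# Constructed sample request as the application sees it: the real client
# (198.51.100.7) sent a forged X-Forwarded-For, and trusted proxy 10.0.0.2
# appended the address it actually accepted the connection from.
SAMPLE_HEADERS = [("Host", "app.example"),
                  ("x-forwarded-for", "192.0.2.9, 198.51.100.7")]
SAMPLE_PEER_IP = "10.0.0.2"


def forwarded_for_chain(headers):
    """Collect every X-Forwarded-For value into one ordered list, matching
    header names case-insensitively and ignoring stray whitespace, so odd
    casing or repeated headers are merged instead of dropped."""
    chain = []
    for name, value in headers:
        if name.strip().lower() == "x-forwarded-for":
            chain.extend(v.strip() for v in value.split(",") if v.strip())
    return chain


def naive_client_ip(headers, peer_ip):
    """Leftmost lookup: trusts whatever the client chose to put first."""
    chain = forwarded_for_chain(headers)
    return chain[0] if chain else peer_ip


def client_ip(headers, peer_ip):
    """Rightmost-untrusted lookup: walk the chain from the right, where the
    entries appended by our own proxies live, skip trusted proxy addresses
    and return the first address that is not ours.  Everything to its left
    was supplied by an untrusted party and is ignored."""
    chain = forwarded_for_chain(headers) + [peer_ip]
    for entry in reversed(chain):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            return None  # unparsable entry in a trusted position: refuse
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return peer_ip  # every hop was a trusted proxy: internal caller


if __name__ == "__main__":
    print("naive :", naive_client_ip(SAMPLE_HEADERS, SAMPLE_PEER_IP))
    print("robust:", client_ip(SAMPLE_HEADERS, SAMPLE_PEER_IP))
```

With the sample request the naive lookup reports the forged 192.0.2.9 while the rightmost-untrusted lookup reports 198.51.100.7.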
Max-Forwards
The Max-Forwards header provides a mechanism to limit the number of times a request is forwarded by proxies. This can be useful when the client is attempting to trace a request that appears to be failing or looping mid-chain (cf. RFC 7231, section 5.1.2). The specification defines it for TRACE and OPTIONS requests only, so other methods may simply ignore it.
GET / HTTP/1.1
Host: ...
Max-Forwards: 2
...