Bypassing AccessControl policy via True-Client-IP header

Severity
Critical
Applies to
AccessControl
Links
CWE-290

Why This Issue Is Important

In an Apigee proxy, the AccessControl policy is often used to restrict access based on the client's IP address. However, if the policy does not set IgnoreTrueClientIPHeader to true, it will evaluate the True-Client-IP header from incoming requests to determine the source IP address. This creates a security vulnerability because attackers can manipulate the True-Client-IP header to spoof their IP address, potentially bypassing the access restrictions imposed by the policy.

To preserve the integrity of the access control mechanism, the policy must disregard the True-Client-IP header and determine the client's IP address from a source the client cannot forge, such as the peer address taken from the connection metadata.

How This Issue Is Detected

CodeSent detects this issue by analyzing the AccessControl policy within the proxy to check whether the IgnoreTrueClientIPHeader setting is configured correctly.

How to Fix the Issue

To fix this issue, set IgnoreTrueClientIPHeader to true in your AccessControl policy configuration, as in the example below. The element defaults to false when it is omitted, so adding it explicitly is required.

<AccessControl name="RestrictAccess">
    <IgnoreTrueClientIPHeader>true</IgnoreTrueClientIPHeader>
    <!-- Other configurations -->
</AccessControl>
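The following added example (not CodeSent's own code) shows how the check described above can be implemented: it parses an AccessControl policy and flags it when IgnoreTrueClientIPHeader is missing (the default is false) or set to any value other than true. The sample policies, the policy name and the 198.51.100.0/24 range are constructed for the example.

```python
"""Check Apigee AccessControl policy XML for the True-Client-IP weakness."""
import xml.etree.ElementTree as ET

# Constructed sample policy: no IgnoreTrueClientIPHeader element at all.
POLICY_MISSING = """<AccessControl name="RestrictAccess">
    <IPRules noRuleMatchAction="DENY">
        <MatchRule action="ALLOW">
            <SourceAddress mask="24">198.51.100.0</SourceAddress>
        </MatchRule>
    </IPRules>
</AccessControl>"""

# Same policy with the element explicitly set to false (still vulnerable).
POLICY_FALSE = POLICY_MISSING.replace(
    "<IPRules",
    "<IgnoreTrueClientIPHeader>false</IgnoreTrueClientIPHeader>\n    <IPRules", 1)

# Same policy with the fix applied.
POLICY_FIXED = POLICY_MISSING.replace(
    "<IPRules",
    "<IgnoreTrueClientIPHeader>true</IgnoreTrueClientIPHeader>\n    <IPRules", 1)


def check_access_control(policy_xml: str) -> dict:
    """Return a finding for one policy document.

    The policy is reported as vulnerable when IgnoreTrueClientIPHeader is
    absent (Apigee defaults it to false) or holds any value other than "true".
    Non-AccessControl policies are reported as not applicable.
    """
    root = ET.fromstring(policy_xml)
    name = root.get("name")
    if root.tag != "AccessControl":
        return {"policy": name, "applies": False, "vulnerable": False,
                "reason": "not an AccessControl policy"}
    elem = root.find("IgnoreTrueClientIPHeader")
    if elem is None:
        return {"policy": name, "applies": True, "vulnerable": True,
                "reason": "IgnoreTrueClientIPHeader missing (defaults to false)"}
    value = (elem.text or "").strip().lower()
    return {"policy": name, "applies": True, "vulnerable": value != "true",
            "reason": f"IgnoreTrueClientIPHeader is '{(elem.text or '').strip()}'"}


def vulnerable_policies(policies: list) -> list:
    """Return the names of all AccessControl policies that fail the check."""
    return [f["policy"] for f in map(check_access_control, policies) if f["vulnerable"]]
```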