I have a PHP file on my WAMP server that simply listens to new users that enter the page and prints their IPs.
I read a lot about IP spoofing and I'd like to test that.
Would it be possible to send multiple HTTP requests from my computer and make the PHP file "think" that different users are entering the page?
I don't care about the response from the PHP file.
Unless you configure Apache to pass a random REMOTE_ADDR parameter, there is no easy way to do it from your computer alone. What you can try is using proxies to connect; this will of course require that you have a public IP or a server.
Edit: GordonM made a good point in the comment, you can use multiple VMs to simulate a set of servers with their own IP addresses.
Related
I am trying to block certain websites using a web application. So, when I type a URL, suppose "http://www.google.com", it should first check whether Google is blocked by my application or not. If not, open the website; otherwise reject the browser request to open it. I am unable to find a way to capture all HTTP requests from the browser so that I can process them.
I know proxies are the most suitable option, but is there any alternative solution to this? After some searching I found a library, jpcap (a network packet capture library), and I was wondering if this could help me or not.
What you are trying to create is a proxy-server.
You have to configure the browser to go through the proxy, then you can deny websites, reroute them etc.
There are many proxies already there (open source and commercial) that offer what you want.
For example: Squid http://www.squid-cache.org/
See Wikipedia description of a proxy here: https://en.wikipedia.org/wiki/Proxy_server
Many firewall products offer the service of a transparent proxy, redirecting all HTTP/HTTPS traffic going through the firewall into a proxy server. It seems you have a direct connection, but your packages are really filtered. Aka transparent proxy.
If your assignment does not allow this context, you need to check the assignment again, if you really got the scope of filtering right.
You cannot take over the browser's IP communication from a servlet or servlet filter. Using a (servlet) filter, you can only filter requests directed to your application. One step above, using an application server valve (Tomcat uses this term, others may use a different one), you can only filter requests directed at that server. One step above (or below) your application server is the physical server and the network it is running in.
If your client does not share the same network as your server, you can't even apply transparent proxy to it. Since browsers are running on the client computer, most clients in the world do not share the same network zone as the server.
It just does not work as you expect it.
Is there a way to gather hardware information to uniquely identify a certain device (not a category) that makes requests to a Java servlet? I searched for this, but I don't think there is a method (the "user agent" header can be used for some information, but that only identifies a certain set of devices and it is not enough).
This information is not available anywhere in an HTTP request. The remote address (client IP) and the user agent (the string which the browser pretends to be) are the closest unique identifiers you can ever extract based on an HTTP request. Even then, this information is not reliable. The client can for instance use an anonymous proxy. The client can for instance have changed the browser's user agent string.
You basically need to collect this information on the client side and then send it to the server side as request parameters yourself. You're in turn however limited in the available ways to collect this information. JavaScript for example doesn't allow this due to security reasons. Your closest bet is a signed(!) Java Applet or Web Start application. This allows you to let the client download some Java code and execute it locally. But this is also not always reliable. The client can for instance hack the applet/webstart code and/or tamper with the HTTP traffic between the applet and the server.
Another way is to just introduce a registration/authorization/authentication system wherein the client needs to supply a unique identifier itself by a valid login. This is not only simpler, but also more robust.
I use JSP on the server side and want to validate that a user must not log in from two different IP addresses. What is the method to do this validation?
And some say that the client IP address may not be obtainable on the server side because of some proxies involved. Then how are Google and Facebook doing this? Will this be reliable in a production environment? Please explain. Thank you!
Then how are Google and Facebook doing it?
They are probably using the X-Forwarded-For header that a lot of proxy servers add to the request on the way through.
This is only reliable to the extent that the proxies are telling the truth.
Well, getting the IP address is as easy as using ServletRequest#getRemoteAddr()
But as you've noted already, there is no way to get this reliably - if the client is using a proxy, the connection will appear to originate at that IP address. I don't believe Facebook or Google can get around this either - which is why you can access US only features (for example, Google Voice in Gmail) by logging in via a proxy/ssh tunnel that has a US IP address.
If you just want to stop a user from logging in from two different IP addresses simultaneously, all you need to do is track what IP address their current session (if one exists) originates from and either
stop the second login attempt, or
expire the first session
I'm not sure what value there might be in preventing a login from different IP addresses at different times since that's very likely going to happen with users who are travelling around or moving from network to network.
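The session-tracking approach from the answer above, as an added example that is not part of the original answer. The class and method names are hypothetical, the users, session ids and addresses are constructed, and `ip` is whatever address the application sees (for a servlet, the value of getRemoteAddr()); Java 16 or later is assumed for records.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SingleIpLoginGuard {
    public enum Policy { REJECT_SECOND, EXPIRE_FIRST }
    public record Decision(boolean allowed, String sessionToExpire) {}
    private record ActiveLogin(String sessionId, String ip) {}

    private final Map<String, ActiveLogin> active = new ConcurrentHashMap<>();
    private final Policy policy;

    public SingleIpLoginGuard(Policy policy) { this.policy = policy; }

    public Decision login(String user, String sessionId, String ip) {
        Decision[] out = new Decision[1];
        // compute() is atomic per key: two racing logins for one user cannot both win.
        active.compute(user, (u, cur) -> {
            if (cur == null || cur.ip().equals(ip)) {
                out[0] = new Decision(true, null);           // first login, or same address
                return new ActiveLogin(sessionId, ip);
            }
            if (policy == Policy.REJECT_SECOND) {
                out[0] = new Decision(false, null);          // stop the second login attempt
                return cur;
            }
            out[0] = new Decision(true, cur.sessionId());    // expire the first session
            return new ActiveLogin(sessionId, ip);
        });
        return out[0];
    }

    // Must run on logout AND on session timeout, or REJECT_SECOND locks the user out.
    public void logout(String user, String sessionId) {
        active.computeIfPresent(user,
                (u, cur) -> cur.sessionId().equals(sessionId) ? null : cur);
    }

    public static void main(String[] args) {
        // Constructed sample users, session ids and addresses.
        SingleIpLoginGuard reject = new SingleIpLoginGuard(Policy.REJECT_SECOND);
        System.out.println(reject.login("alice", "s1", "203.0.113.7"));
        System.out.println(reject.login("alice", "s2", "198.51.100.9"));
        reject.logout("alice", "s1");
        System.out.println(reject.login("alice", "s2", "198.51.100.9"));

        SingleIpLoginGuard expire = new SingleIpLoginGuard(Policy.EXPIRE_FIRST);
        expire.login("bob", "s3", "203.0.113.7");
        System.out.println(expire.login("bob", "s4", "198.51.100.9"));
    }
}
```

With EXPIRE_FIRST the caller invalidates the session named in `sessionToExpire`; the guard itself only records which session currently owns the login.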
How can I get client side information using either Javascript or Java Servlets?
Client side information such as client's computer name, its IP Address etc.
Thanks in advance.
You can get some information from the HTTP request headers in a servlet, such as the user-agent (so that you know which browser the client is using (or wants to let us think it is using)) and the remote-addr (the client's IP address (or the proxy's one if the client is using it)).
String userAgent = request.getHeader("user-agent"); // Browser identifier.
String remoteAddr = request.getRemoteAddr(); // IP address.
You can't access system environment variables using JavaScript. That would be a security hole. There are ways using ActiveX, but that works only on a certain web browser developed by a team in Redmond and still then, the client would need to lower its security settings to allow it to run. That's a big no-no.
The only way to get the computer name is to run a client application which is served by a webpage and let this client application sniff it and send it to the server side. For example a Java Applet using respectively System.getProperty("COMPUTERNAME") and java.net.URL. You however need to sign it, else it will prompt a security warning as well.
Get user IP through JS
var ip = '<!--#echo var="REMOTE_ADDR"-->';
Although I'm not sure on the computer name, I presume it would have to involve ActiveX. It used to be possible via ActiveXObject in IE. Unsure if it's possible anymore, highly doubt it because it's not secure in the slightest.
Depending on your network environment (e.g. if this is on an Intranet), you may be able to get the client name by doing reverse DNS on the client's IP address, or by creating an equivalent server service.
We have a voting mechanism that we want to restrict to only allow one vote by user.
We've tried to validate by IP address, but the problem is that when we get the user's IP address in the application server it always shows the Apache IP address (we have two application servers with Apache in front of them).
We are using the ColdFusion variable CGI.REMOTE_ADDR to get the user IP.
Does anyone know how to fix this?
We would like to avoid the use of sessions or cookies.
Thanks in advance.
You probably want to use the X-Forwarded-For header instead of the source IP, assuming your Apache instances are putting it into the request.
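One way to read X-Forwarded-For behind your own reverse proxies without trusting what the client typed into it, as an added example that is not part of the original answers. It assumes each proxy appends the address of the peer it received the request from; the class name, the proxy addresses and the sample header values are constructed, and Java 9 or later is assumed for Set.of.

```java
import java.util.Set;

public class ClientIpResolver {
    // Addresses of the reverse proxies you operate (constructed sample values below).
    private final Set<String> trustedProxies;

    public ClientIpResolver(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /**
     * remoteAddr: the TCP peer address (what getRemoteAddr() or CGI.REMOTE_ADDR reports).
     * xff: the raw X-Forwarded-For header value, or null if absent.
     */
    public String resolve(String remoteAddr, String xff) {
        // The header only means something when the direct peer is one of our proxies;
        // a client connecting directly can put anything in it.
        if (xff == null || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        String[] hops = xff.split(",");
        // Walk right to left: the rightmost entries were appended by our proxies,
        // anything further left arrived with the request and is client-controlled.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty()) continue;
            if (!trustedProxies.contains(hop)) return hop;
        }
        return remoteAddr; // header listed only our own proxies
    }

    public static void main(String[] args) {
        ClientIpResolver r = new ClientIpResolver(Set.of("10.0.0.5", "10.0.0.6"));
        // Normal request through the front-end proxy.
        System.out.println(r.resolve("10.0.0.5", "203.0.113.7"));
        // Client sent its own X-Forwarded-For; the proxy appended the real peer.
        System.out.println(r.resolve("10.0.0.5", "198.51.100.1, 203.0.113.7"));
        // Request that did not come through a trusted proxy: header ignored.
        System.out.println(r.resolve("192.0.2.44", "198.51.100.1"));
    }
}
```

The resolved value is still only the address of the last hop before your own proxies, so it identifies a network path, not a person.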