Review "IP address has changed" functionality #2821

@bcoles

The "IP address has changed" functionality is dodgy. Worse, when `allow_reverse_proxy` is used, the `X-Forwarded-For` header is trusted implicitly without validation.

```ruby
# @note Check for a change in zombie IP and log an event
if config.get('beef.http.allow_reverse_proxy') == true
  if hooked_browser.ip != request.env['HTTP_X_FORWARDED_FOR']
    BeEF::Core::Logger.instance.register('Zombie', "IP address has changed from #{hooked_browser.ip} to #{request.env['HTTP_X_FORWARDED_FOR']}", hooked_browser.id.to_s)
    hooked_browser.ip = request.env['HTTP_X_FORWARDED_FOR']
  end
elsif hooked_browser.ip != request.ip
  BeEF::Core::Logger.instance.register('Zombie', "IP address has changed from #{hooked_browser.ip} to #{request.ip}", hooked_browser.id.to_s)
  hooked_browser.ip = request.ip
end
```

Here's an example someone provided, showing that the stored IP address contains two IP addresses separated by `,`.

[image]

It may also result in many "IP address has changed" events in load-balanced environments, although I'm not sure that this is avoidable.
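
One way to reduce the header to a single validated address before the comparison in the snippet above, as an added example that is not BeEF's code or a fix taken from this issue. `TRUSTED_PROXIES`, `trusted_proxy?`, `parse_ip`, `client_ip` and `ip_changed?` are hypothetical names, the proxy ranges and sample addresses are constructed, and `peer_ip` is assumed to be the directly connected peer (`REMOTE_ADDR`).

```ruby
require 'ipaddr'

# Hypothetical allow-list: the only peers permitted to supply X-Forwarded-For.
TRUSTED_PROXIES = %w[127.0.0.1 10.0.0.0/8].map { |cidr| IPAddr.new(cidr) }.freeze

def trusted_proxy?(ip)
  TRUSTED_PROXIES.any? { |net| net.include?(ip) }
end

# Parse a single address literal; nil for empty, oversized, CIDR or junk input.
def parse_ip(str)
  s = str.to_s.strip
  return nil if s.empty? || s.length > 45 || s.include?('/')

  IPAddr.new(s)
rescue IPAddr::Error
  nil
end

# peer_ip: address of the directly connected peer (assumed to be REMOTE_ADDR).
# xff:     raw X-Forwarded-For value, which may be a list such as "a, b, c".
# Returns one validated address as a String, or nil if the peer is unparseable.
def client_ip(peer_ip, xff, allow_reverse_proxy)
  peer = parse_ip(peer_ip)
  return nil if peer.nil?
  # Honour the header only when enabled and the peer is a known proxy.
  return peer.to_s unless allow_reverse_proxy && xff && trusted_proxy?(peer)

  # Walk right to left: the rightmost entries were appended by our own proxies.
  xff.split(',').reverse_each do |raw|
    hop = parse_ip(raw)
    return peer.to_s if hop.nil?            # malformed entry: ignore the header
    return hop.to_s unless trusted_proxy?(hop)
  end
  peer.to_s
end

# Log-worthy only when a single, validated address differs from the stored one.
def ip_changed?(stored_ip, peer_ip, xff, allow_reverse_proxy)
  current = client_ip(peer_ip, xff, allow_reverse_proxy)
  !current.nil? && current != stored_ip
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a two-address header like the one described above.
  puts client_ip('10.0.0.5', '203.0.113.7, 10.0.0.9', true)
end
```

In load-balanced deployments the allow-list has to cover every balancer address, otherwise the balancer itself is recorded as the client.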
