A software engineer with 10 years of experience who also has the hacker spirit. Found vulnerabilities in Slack, Google, and Facebook.
In this session, I'll explain the meaning and purpose of the different X-Forwarded-XXX headers. Next, I'll show how attackers can bypass an application's IP ban via a wrong X-Forwarded-For setting, or even get another victim's IP banned. Last, I'll demo the blind SSRF vulnerabilities I found in Slack, which were due to a misconfiguration of the X-Forwarded-Host setting. It should help everyone know more about the X-Forwarded-XXX headers.
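The two misconfigurations the abstract names share one root cause: the application believes a forwarding header regardless of who sent it. The following is an added example, not code from the talk or from Slack, that places the vulnerable X-Forwarded-For pattern beside a hardened resolver that only honours the header when the TCP peer is one of our own proxies, and does the same for X-Forwarded-Host with a hostname allowlist. The proxy range `10.0.0.0/8`, the hostname `app.example.test`, and the sample addresses are constructed placeholders.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed demo configuration (not from the talk): the address range our
# own reverse proxies connect from, and the hostnames this application serves.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_HOSTS = {"app.example.test"}  # placeholder hostname


def _is_trusted(ip: str, trusted: Iterable) -> bool:
    """True if ip parses and falls inside one of the trusted proxy ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def naive_client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Vulnerable pattern: believe the leftmost X-Forwarded-For value from anyone.
    A client connecting directly can send the header and claim any address,
    so a ban keyed on this value is both bypassable and misattributable."""
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip(peer_ip: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Hardened pattern: the header only means something if the TCP peer is one
    of our proxies. Walk the chain right to left; every trusted hop was appended
    by a proxy we control, and the first untrusted hop is the real client."""
    if not _is_trusted(peer_ip, trusted):
        return peer_ip  # direct connection: header is client-controlled, ignore it
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return None  # malformed entry on the client side: refuse to guess
    # Every hop (or no hop at all) was one of our proxies: internal origin.
    return hops[0] if hops else peer_ip


def check_ban(peer_ip: str, headers: dict, banned: set, resolver=client_ip) -> int:
    """Returns an HTTP status: 400 if the client IP cannot be determined,
    403 if the resolved address is banned, 200 otherwise."""
    ip = resolver(peer_ip, headers.get("X-Forwarded-For"))
    if ip is None:
        return 400
    return 403 if ip in banned else 200


def effective_host(peer_ip: str, host: str, xfh: Optional[str],
                   trusted=TRUSTED_PROXIES, allowed=ALLOWED_HOSTS) -> Optional[str]:
    """Hardened pattern for X-Forwarded-Host: honour it only from a trusted
    proxy, then require the result to be a hostname we actually serve. Anything
    else is rejected instead of being used to build links or internal requests."""
    candidate = xfh if (xfh and _is_trusted(peer_ip, trusted)) else host
    candidate = (candidate or "").strip().lower()
    if candidate.startswith("["):  # bracketed IPv6 literal is never a served hostname
        return None
    candidate = candidate.split(":", 1)[0]  # drop an optional port
    return candidate if candidate in allowed else None


if __name__ == "__main__":
    banned = {"203.0.113.5"}
    spoof = {"X-Forwarded-For": "198.51.100.7"}
    print("naive  :", check_ban("203.0.113.5", spoof, banned, naive_client_ip))  # 200: ban evaded
    print("hardened:", check_ban("203.0.113.5", spoof, banned, client_ip))       # 403
    print("host    :", effective_host("10.0.0.2", "app.example.test", "APP.example.test:443"))
```

Whatever the resolver returns should also be the value written into the ban list; with the naive resolver a client chooses which address gets recorded, which is how an innocent address ends up banned. Note that `client_ip` deliberately returns the peer address, not the header, when the connection did not come through a known proxy.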