

Rabbit Hole - marcopolo
https://cryptic.io/rabbit-hole/

======
tmd83
I was thinking of missing/incorrect header when the post started talking about
setting IP Address from an optional header. As someone has already said,
'Never trust a client'. But while it's very easy to say, it's not so hard to
remember in practice. I find it even harder to remember when the client is
essentially some other part of your application.

------
junto
Reminds me of this hack using the x-forwarded-for header:

[http://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-ha...](http://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html)

(Anatomy of an Attack: How I Hacked StackOverflow)

and this:

[http://xkcd.com/327/](http://xkcd.com/327/)

(Exploits of a Mom)

Never trust the client....
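The header both comments are circling is `X-Forwarded-For`. The snippet below is an added illustration, not code from the linked post or from either commenter: it puts the naive "take the first hop" lookup beside a resolver that only believes hops appended by a configured set of trusted reverse proxies (the `TRUSTED_PROXIES` list is an assumed deployment detail).

```python
import ipaddress
from typing import Optional

# Assumed deployment detail: the reverse proxies that sit in front of the app.
# Only the addresses these hosts append to X-Forwarded-For are believable.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def naive_client_ip(remote_addr: str, xff: str) -> str:
    """The pattern the thread warns about: the first X-Forwarded-For hop is
    taken at face value, so a direct client can claim any address it likes."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, xff: str, trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Resolve the client IP by walking the chain from the right.

    remote_addr is the TCP peer we actually spoke to and is authoritative.
    Each trusted proxy is skipped; the first untrusted address found is the
    best available client IP. Everything to its left is client-supplied text.
    Returns None when a hop is not a valid IP, so the caller can decide
    (e.g. log and refuse) instead of silently trusting garbage.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    chain = hops + [remote_addr]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not any(addr in net for net in trusted):
            return str(addr)
    # Every hop was a trusted proxy; the nearest peer is all we can report.
    return remote_addr


if __name__ == "__main__":
    # Constructed requests: a direct client spoofing localhost, and a client
    # behind the proxy sending the same spoofed header.
    print(naive_client_ip("198.51.100.9", "127.0.0.1"))             # 127.0.0.1 (spoofed)
    print(client_ip("198.51.100.9", "127.0.0.1"))                   # 198.51.100.9
    print(client_ip("10.0.0.5", "127.0.0.1, 198.51.100.9"))         # 198.51.100.9
```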

