I'm developing a website that will connect to a credit card processing gateway webservice. For security purposes this webservice accepts requests only from IP addresses that were previously informed to them.

Since I'm developing locally, my IP changes almost every day. Is there a way for me to change the IP address of a HttpWebRequest so that I can test the Webservice calls locally?

This webservice is accessed through a https address and the methods must be sent via POST.

A: 

No, but if you managed to change the source IP address of your requests, what you would be doing is called IP spoofing. The problem is that the source IP is used to route responses back to your machine, so since you somehow managed to change the IP address in the request packets, the response would never get back to you because that is not your IP address.

Chris Taylor
There are some environments where it's possible to spoof the IP address that's reported to the high-level application and keep the underlying IP address used by network layers as the true address. This allows you to spoof the address and still get a response. I don't know if ASP.NET has this vulnerability though, but I've tested it in ColdFusion and some Java servlet hosts in the past.
Sam
@Sam, I would be interested to hear more about this, specifically with TCP/IP traffic. Do you have any references/links?
Chris Taylor
@Chris Taylor, here's a blog post I wrote up about it back in 2004. I don't have any other references, just to say I've done it myself. http://rewindlife.com/2004/04/20/remote_addr-and-remote_host-not-safe-for-use-in-security/
Sam
@Sam, so on the client side you were able to forge IP packets with a spoofed source address and then get responses back to your machine? Just to confirm we are talking about the same thing, here is the Wikipedia link to what I am referring to: http://en.wikipedia.org/wiki/Ip_spoofing
Chris Taylor
@Chris Taylor, actually it was a lot simpler than that. I sent an HTTP request to a server and included HTTP headers for remote address. The web/app servers passed these headers along to the application instead of rewriting them with the true IP address. Again, this was six years ago with ColdFusion, JRun, and iPlanet so I have no idea if it's possible to do the same thing today. I just confirmed that it is **not possible to do it with ASP.NET/IIS** (or at least not as easily).
Sam
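
The header trust problem discussed in the comments above, seen from the side of a service that enforces an IP allow-list. This is an added example, not code from the thread or from any gateway: it contrasts a check that believes a client-supplied header with one that starts from the TCP peer address. The `X-Forwarded-For` header choice, the function names and all addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (private and documentation ranges), not from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]       # assumed: our own reverse proxies
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.10/32")]  # assumed: registered caller IP


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def naive_client_ip(peer_ip, headers):
    """Weak pattern: believe whatever address the request headers claim."""
    forwarded = headers.get("X-Forwarded-For")
    return forwarded.split(",")[0].strip() if forwarded else peer_ip


def resolve_client_ip(peer_ip, headers):
    """Return the address to authorize, starting from the TCP peer address.

    The header is consulted only when the peer is one of our own proxies, and it
    is walked right to left, so entries a client prepended are never reached
    before the first hop we do not control.
    """
    addr = ipaddress.ip_address(peer_ip)
    if not _in_any(addr, TRUSTED_PROXIES):
        return addr  # direct connection: headers are ignored entirely
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            return addr  # malformed entry: stop at the last verified hop
        if not _in_any(candidate, TRUSTED_PROXIES):
            return candidate  # first hop outside our infrastructure
        addr = candidate
    return addr


def is_allowed(peer_ip, headers):
    """Allow-list decision based on the resolved address, never the raw header."""
    return _in_any(resolve_client_ip(peer_ip, headers), ALLOWED_CLIENTS)
```

The header lookup assumes the framework has already normalized header names to this spelling.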
A: 

You might want to check out JSONP if your data is in the JSON encoding as that is exactly for the purpose of requesting data from a webserver other than the one sending the original webpage.

snies