Hacking Attack and Defense: Web section, xff_referer
This challenge mainly tests how to forge an HTTP request and how the two header fields X-Forwarded-For and Referer work.
The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. In other words, it tells the server what the original client IP address was, and since it is just a header we send, we can spoof it to get past the check.
The HTTP referer (a misspelling of referrer) is an optional HTTP header field that identifies the address of the webpage (i.e., the URI or IRI) which is linked to the resource being requested. By checking the referrer, the new webpage can see where the request originated. That is, it says where the current page was reached from; in this challenge, for example, the page is expected to come from www.google.com, so we can forge that as well.
Solution steps:
Capture the request with Burp Suite and add the XFF header:
Add it and send the request; the response shows:
Both headers must be added, neither can be left out:
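Both headers are client-controlled, so the server-side lesson from this challenge is not to treat them as identity. The following is an added example (not code from the challenge or the author) showing the check pattern the challenge exploits next to a hardened version; the trusted-proxy range, sample addresses and allowed host are constructed assumptions.

```python
"""Server-side handling of X-Forwarded-For and Referer (added example).

A check such as `xff.split(',')[0] == '<allowed ip>'` or
`'www.google.com' in referer` is satisfied by any request that simply
sends those headers. The trusted-proxy list below is a constructed
assumption: only hops we operate may be skipped in the XFF chain.
"""
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import urlsplit

TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]  # assumed: our own load balancers


def _is_trusted(addr: str) -> bool:
    try:
        ip = ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The pattern the challenge exploits: believe the leftmost XFF entry."""
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Walk the chain right-to-left, skipping only hops we operate.

    Each proxy appends the address it saw, so the rightmost entry came from
    the last trusted hop. Anything further left was supplied by the client
    and is ignored once the first untrusted address is found.
    """
    if not _is_trusted(remote_addr):
        return remote_addr  # no proxy of ours in front: XFF is untrusted noise
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return hop
    return remote_addr


def referer_matches(referer: Optional[str], allowed_host: str) -> bool:
    """Compare the parsed host, not a substring, and fail closed when absent.

    Referer is optional and forgeable, so this is defence in depth only,
    never the sole authorisation decision.
    """
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and parts.hostname == allowed_host
```

The naive function returns whatever the client wrote first; the hardened one returns the peer address recorded by the trusted proxy, which a client cannot alter.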
This post is from cnblogs (博客园), author: Zeker62. Please credit the original link when reposting: https://www.cnblogs.com/Zeker62/p/15167766.html