Code that relies on an IP address or domain name for authentication can be bypassed by an attacker who spoofs that address.
IP address verification can be a useful part of an authentication scheme, but it should never be the only factor required. Combine it with other authentication methods, such as user credentials or a signed session token, and remember that client-supplied values such as an X-Forwarded-For header can be set to any address by the sender.
In this example (taken from CWE-290: Authentication Bypass by Spoofing), the client is authenticated by checking that its IP address is 127.0.0.1. An attacker might be able to bypass this authentication by spoofing their IP address.
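The following is an added example, not the CWE-290 snippet or the query's own code. It places the vulnerable single-factor check beside a hardened variant that keeps the address check as one factor and requires an HMAC-signed token as the second. The server secret, the token format `user|ip|signature`, and the client addresses used are all constructed for this example.

```python
import hashlib
import hmac

# Constructed for this example only: the secret that signs session tokens.
# A real service would load it from a secrets manager, never from source.
SERVER_SECRET = b"example-only-secret-do-not-use"

TRUSTED_ADDR = "127.0.0.1"


def is_admin_vulnerable(remote_addr):
    """Vulnerable: a single attacker-influenced factor grants access.

    Whether remote_addr comes from the socket or from a header such as
    X-Forwarded-For, anyone who can make it read 127.0.0.1 is treated as admin.
    """
    return remote_addr == TRUSTED_ADDR


def issue_token(user, ip):
    """Issue a token bound to a user and the address it was issued for.

    Format (assumed for this example): user|ip|hex(HMAC-SHA256(secret, user|ip)).
    """
    msg = f"{user}|{ip}".encode()
    sig = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{user}|{ip}|{sig}"


def is_admin_hardened(remote_addr, token):
    """Hardened: the address is one factor, a valid signed token is the other.

    The token is bound to the address it was issued for, so a token stolen
    from one host cannot simply be replayed from a spoofed address.
    """
    if remote_addr != TRUSTED_ADDR:
        return False
    try:
        user, ip, sig = token.split("|")
    except (AttributeError, ValueError):
        # No token, or a token that does not match the expected format.
        return False
    expected = hmac.new(SERVER_SECRET, f"{user}|{ip}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, expected):
        return False
    return user == "admin" and ip == remote_addr


if __name__ == "__main__":
    spoofed = TRUSTED_ADDR  # an attacker presenting the trusted address
    print("vulnerable, spoofed address:", is_admin_vulnerable(spoofed))
    print("hardened, spoofed address, no token:", is_admin_hardened(spoofed, None))
    print("hardened, spoofed address, forged token:",
          is_admin_hardened(spoofed, "admin|127.0.0.1|0000"))
    print("hardened, genuine token:",
          is_admin_hardened(spoofed, issue_token("admin", TRUSTED_ADDR)))
```

Spoofing the address alone defeats `is_admin_vulnerable`, but against `is_admin_hardened` the attacker also needs a token signed with the server secret for the `admin` user and for that same address; a token issued for another address or another user is rejected even when its signature is valid.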
- Common Weakness Enumeration: CWE-290, https://cwe.mitre.org/data/definitions/290.html.