Hey anyone got ideas on how to automatically detect transparent web
proxies?
Effing the ineffable since 1997. | http://www.subspacefield.org/~travis/
My emails do not usually have attachments; it's a digital signature
that your mail program doesn't understand.
If you are a spammer, please email john@subspacefield.org to get blacklisted.
Hey anyone got ideas on how to automatically detect transparent web
proxies?
Depends on how they happen to be implemented, but in most cases, they
are not trying to be very stealthy, and you can just try connecting to
a host that is not listening on 80/tcp. If this succeeds, you probably
have a proxy in the way.
/mz
My usual is:
telnet 1.2.3.4 80
If you get a connection, you've got a transparent proxy (or some
inconsiderate bugger has finally put a web server on 1.2.3.4)
On 08/02/2011 03:40, travis+ml-webappsec@subspacefield.org wrote:
Hey anyone got ideas on how to automatically detect transparent web
proxies?
I'm thinking maybe a cooperating web server on the outside or one that can
accomplish HTTP response splitting could be used somehow, but I haven't
figured it out yet.
--
Pentest - When a tick in the box is not enough
Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)
Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072
Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
On Mon, Feb 7, 2011 at 7:40 PM, travis+ml-webappsec@subspacefield.org wrote:
Hey anyone got ideas on how to automatically detect transparent web
proxies?
The Netalyzr folks outline several techniques they use in this tool
in the following paper:
http://conferences.sigcomm.org/imc/2010/papers/p246.pdf
Their website is here: http://netalyzr.icsi.berkeley.edu/
Hey anyone got ideas on how to automatically detect transparent web
proxies?
I'm thinking maybe a cooperating web server on the outside or one that can
accomplish HTTP response splitting could be used somehow, but I haven't
figured it out yet.
I wrote a paper on a transparent proxy flaw that still exists in many products (http://www.kb.cert.org/vuls/id/435052)
(like Squid, Blue Coat by default, etc.), which outlines an abuse case that can be used to detect transparent proxies.
I also have a method for detecting caching proxies that I should be posting in the next week or so (I'll reply to this thread once
it is posted).
Regards,
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
My usual is:
telnet 1.2.3.4 80
If you get a connection, you've got a transparent proxy (or some
inconsiderate bugger has finally put a web server on 1.2.3.4)
Some ISPs respond with placeholder pages for non-existent domains, and they accomplish this
by responding to DNS requests with their web server IP. In this use case simply telnetting
will not prove reliable. Network Solutions did this years ago and stopped; however, there are likely some
ISPs doing the same thing somewhere.
Just an edge case to be aware of.
Regards,
On 08/02/2011 03:40, travis+ml-webappsec@subspacefield.org wrote:
Hey anyone got ideas on how to automatically detect transparent web
proxies?
I'm thinking maybe a cooperating web server on the outside or one that can
accomplish HTTP response splitting could be used somehow, but I haven't
figured it out yet.
I also have a method for detecting caching proxies that I should be posting in the next week or so (I'll reply to this thread once
it is posted).
Finished up lunch early so decided to just post it.
Easy Method For Detecting Caching Proxies
http://www.cgisecurity.com/2011/02/easy-method-for-detecting-caching-proxies.html
Crude but effective.
Regards,
On Tue, Feb 08, 2011 at 01:26:13PM -0500, robert@webappsec.org wrote:
My usual is:
telnet 1.2.3.4 80
If you get a connection, you've got a transparent proxy (or some
inconsiderate bugger has finally put a web server on 1.2.3.4)
Some ISPs respond with placeholder pages for non-existent domains, and they accomplish this
by responding to DNS requests with their web server IP. In this use case simply telnetting
will not prove reliable. Network Solutions did this years ago and stopped; however, there are likely some
ISPs doing the same thing somewhere.
Very true if 1.2.3.4 were a domain name ;-)
I personally tend to run my own DNS infrastructure and stopped relying
on whatever is provided when providers started lying like this.
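The connect-to-a-dead-port test that /mz and Paul describe, automated, with Robert's DNS placeholder edge case handled the way Travis's reply implies (probe an IP literal, never a name). This is an added Python example, not code from anyone in this thread; the 192.0.2.1 probe target (an RFC 5737 documentation address that should never answer on 80/tcp) and the list of proxy-revealing header names are my assumptions.

```python
"""Transparent web proxy probe.

Logic from the thread: open a TCP connection to 80/tcp on an address that is
not running a web server. The destination cannot answer, so if the handshake
completes, something in the path accepted the connection on its behalf.
"""
import ipaddress
import socket

# Constructed probe target: RFC 5737 TEST-NET-1, reserved for documentation.
# Nothing legitimate listens here, so a successful connect implicates the path.
PROBE_ADDRESS = "192.0.2.1"

# Headers proxies commonly add or rewrite (Via is standard; the others are
# de-facto conventions of common proxy products). Absence proves nothing;
# presence on a dead-address connect is a strong confirmation.
PROXY_HEADER_NAMES = ("via", "x-cache", "x-cache-lookup", "proxy-connection")


def require_ip_literal(target: str) -> str:
    """Accept only an IP literal.

    Probing by hostname would consult DNS, and an ISP that resolves
    non-existent names to its own placeholder web server would make a
    name-based connect succeed with no proxy in the path at all.
    """
    return str(ipaddress.ip_address(target))  # ValueError for hostnames


def tcp_connect_and_fetch(ip: str, port: int = 80, timeout: float = 3.0):
    """Return (connected, raw_response).

    connected is True only if the TCP handshake completed; raw_response is
    whatever came back for a minimal GET (empty if nothing was sent).
    """
    request = b"GET / HTTP/1.1\r\nHost: " + ip.encode() + b"\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            try:
                while True:
                    data = sock.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
            except socket.timeout:
                pass  # partial response is still useful for header inspection
            return True, b"".join(chunks)
    except OSError:  # refused, unreachable, timed out during connect
        return False, b""


def parse_headers(raw: bytes) -> dict:
    """Parse status line and headers into a dict with lowercase header names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    headers = {"_status": lines[0] if lines else ""}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def proxy_markers(headers: dict) -> list:
    """Return the proxy-revealing headers that were present, as 'name: value'."""
    return [f"{name}: {headers[name]}" for name in PROXY_HEADER_NAMES if name in headers]


def classify(connected: bool, headers: dict) -> str:
    """Turn the probe result into a verdict string."""
    if not connected:
        return "no transparent proxy observed (connection refused or timed out)"
    markers = proxy_markers(headers)
    if markers:
        return "transparent proxy: " + "; ".join(markers)
    return "transparent proxy suspected: unexpected listener on dead address"


def probe(target: str = PROBE_ADDRESS) -> str:
    """Run the full check against an IP literal and return the verdict."""
    ip = require_ip_literal(target)
    connected, raw = tcp_connect_and_fetch(ip)
    return classify(connected, parse_headers(raw) if connected else {})


if __name__ == "__main__":
    print(probe())
```

Run it from the network you want to check; a refused or timed-out connect is the expected result on a clean path. The dead-address connect is the actual test; header inspection only names the proxy when one is there, and a product that strips Via still shows up through the unexpected listener.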