websecurity@lists.webappsec.org

The Web Security Mailing List


automatically detecting transparent web proxies

TW
travis+ml-webappsec@subspacefield.org
Tue, Feb 8, 2011 3:40 AM

Hey anyone got ideas on how to automatically detect transparent web
proxies?

I'm thinking maybe a cooperating web server on the outside or one that can
accomplish HTTP response splitting could be used somehow, but I haven't
figured it out yet.

Effing the ineffable since 1997. | http://www.subspacefield.org/~travis/
My emails do not usually have attachments; it's a digital signature
that your mail program doesn't understand.
If you are a spammer, please email john@subspacefield.org to get blacklisted.

MZ
Michal Zalewski
Tue, Feb 8, 2011 5:16 PM

Hey anyone got ideas on how to automatically detect transparent web
proxies?

Depends on how they happen to be implemented, but in most cases, they
are not trying to be very stealthy, and you can just try connecting to
a host that is not listening on 80/tcp. If this succeeds, you probably
have a proxy in the way.

/mz

PJ
Paul Johnston
Tue, Feb 8, 2011 5:26 PM

My usual is:

telnet 1.2.3.4 80

If you get a connection, you've got a transparent proxy (or some
inconsiderate bugger has finally put a web server on 1.2.3.4)

On 08/02/2011 03:40, travis+ml-webappsec@subspacefield.org wrote:

Hey anyone got ideas on how to automatically detect transparent web
proxies?

I'm thinking maybe a cooperating web server on the outside or one that can
accomplish HTTP response splitting could be used somehow, but I haven't
figured it out yet.

--
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
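The connect-to-80/tcp test Michal and Paul describe, scripted as an added example (it is not code from anyone in the thread). It assumes PROBE_IP is an address you control or know runs nothing on port 80 (1.2.3.4 is only the thread's placeholder); the Host value and the list of proxy-revealing headers are constructed for the example. The probe deliberately targets a literal IP so that DNS cannot redirect it, and all network I/O sits in one function so the decision logic can be exercised offline.

```python
import socket

PROBE_IP = "1.2.3.4"   # the thread's placeholder; substitute an address you control
PROBE_PORT = 80
TIMEOUT = 5.0

# Minimal request. The Host value is constructed for this example and names
# a site the probe address certainly does not serve, so only something
# intercepting the connection has a reason to answer it.
PROBE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: proxy-probe.invalid\r\n"
    b"Connection: close\r\n\r\n"
)

# Headers only a proxy or cache in the path would add. Via is the one
# RFC 7230 requires of proxies; the others are common vendor headers
# (list assumed for this example, not exhaustive).
PROXY_HEADERS = (b"via", b"x-cache", b"x-squid-error", b"x-bluecoat-via", b"proxy-connection")


def tcp_probe(ip=PROBE_IP, port=PROBE_PORT, timeout=TIMEOUT):
    """Connect to ip:port, send PROBE_REQUEST, return (connected, response_bytes).

    All network I/O is confined here so interpret() can be tested offline.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(PROBE_REQUEST)
            buf = b""
            try:
                while len(buf) < 4096:
                    chunk = s.recv(1024)
                    if not chunk:
                        break
                    buf += chunk
            except socket.timeout:
                pass          # whatever arrived before the timeout is enough
            return True, buf
    except OSError:
        return False, b""     # refused, unreachable or timed out: nothing accepted the SYN


def proxy_headers(response):
    """Return {name: value} for the proxy-revealing headers in an HTTP response."""
    head = response.partition(b"\r\n\r\n")[0]
    found = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        lname = name.strip().lower()
        if sep and lname in PROXY_HEADERS:
            found[lname.decode()] = value.strip().decode(errors="replace")
    return found


def interpret(connected, response):
    """Pure decision logic for a probe aimed at an IP known to run no web server.

    Returns (verdict, evidence); verdict is 'no-proxy', 'proxy-likely' or
    'proxy-confirmed'.
    """
    if not connected:
        return "no-proxy", "nothing accepted the connection on 80/tcp, as expected for an idle address"
    hdrs = proxy_headers(response)
    if hdrs:
        detail = "; ".join("%s: %s" % item for item in sorted(hdrs.items()))
        return "proxy-confirmed", "intercepting proxy identified itself (%s)" % detail
    if response.startswith(b"HTTP/"):
        return "proxy-likely", "got an HTTP reply from an address that runs no web server"
    return "proxy-likely", "TCP connection accepted on an address that runs no web server"


if __name__ == "__main__":
    verdict, why = interpret(*tcp_probe())
    print("%s: %s" % (verdict, why))
```

A refused or timed-out connection only says that this one probe saw no proxy; a proxy that forwards the SYN before answering would fail the probe the same way a bare network does, so run it against more than one idle address if you need confidence in a negative.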

AS
Andy Steingruebl
Tue, Feb 8, 2011 5:30 PM

On Mon, Feb 7, 2011 at 7:40 PM, travis+ml-webappsec@subspacefield.org wrote:

Hey anyone got ideas on how to automatically detect transparent web
proxies?

The Netalyzr folks outline several techniques they use in this tool
in the following paper:
http://conferences.sigcomm.org/imc/2010/papers/p246.pdf

Their website is here: http://netalyzr.icsi.berkeley.edu/

- Andy
R
robert@webappsec.org
Tue, Feb 8, 2011 6:10 PM

Hey anyone got ideas on how to automatically detect transparent web
proxies?

I'm thinking maybe a cooperating web server on the outside or one that can
accomplish HTTP response splitting could be used somehow, but I haven't
figured it out yet.

I wrote a paper on a transparent proxy flaw that still exists in many products (http://www.kb.cert.org/vuls/id/435052)
(like Squid, Bluecoat by default, etc.); it outlines an abuse case which can be used to detect transparent proxies.

Paper + Slides
http://www.thesecuritypractice.com/the_security_practice/2010/03/abusing-transparent-proxies-with-flash-presentation-available-paper-update.html

I also have a method for detecting caching proxies that I should be posting in the next week or so (I'll reply to this thread once
it is posted).

Regards,

- Robert Auger
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/

R
robert@webappsec.org
Tue, Feb 8, 2011 6:26 PM

My usual is:

telnet 1.2.3.4 80

If you get a connection, you've got a transparent proxy (or some
inconsiderate bugger has finally put a web server on 1.2.3.4)

Some ISPs respond with placeholder pages for non-existent domains, and they accomplish this
by responding to DNS requests to point to their web server IP. In this use case simply telnetting
will not prove reliable. Network Solutions did this years ago and stopped, however there are likely some
ISPs doing the same thing somewhere.

Just an edge case to be aware of.

Regards,

- Robert Auger

On 08/02/2011 03:40, travis+ml-webappsec@subspacefield.org wrote:

Hey anyone got ideas on how to automatically detect transparent web
proxies?

I'm thinking maybe a cooperating web server on the outside or one that can
accomplish HTTP response splitting could be used somehow, but I haven't
figured it out yet.

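Robert's edge case, checked before trusting a name-based port-80 probe: an added example, not code from anyone in the thread. It resolves a few random labels under example.com (assumed here to be a zone with no wildcard record, so any answer must come from the resolver) and treats consistent answers for names that cannot exist as the ISP's placeholder server; a probe target that is a literal IP address is passed as trustworthy because the resolver never sees it. The addresses used in the test are constructed.

```python
import ipaddress
import random
import socket
import string

# Zone the random labels are created under. example.com is assumed here
# because it is reserved and carries no wildcard record, so any answer for
# a random label beneath it must be synthesized by the resolver.
PROBE_ZONE = "example.com"
SAMPLES = 3


def random_hostname(zone=PROBE_ZONE, length=20):
    """Build a name that cannot plausibly be registered or cached."""
    alphabet = string.ascii_lowercase + string.digits
    label = "".join(random.choice(alphabet) for _ in range(length))
    return "%s.%s" % (label, zone)


def resolve(name):
    """Sorted IPv4 addresses for name, or [] on NXDOMAIN or any lookup failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def resolver_lies(results):
    """Pure logic: results maps names that should not exist to their answers.

    Returns (lying, placeholder_addrs). A resolver that returns any address
    for such a name is synthesizing answers; when every synthesized answer is
    the same address set, that set is the ISP placeholder web server, and a
    port-80 probe aimed at a *name* would connect to it rather than reveal a
    proxy.
    """
    answered = [tuple(addrs) for addrs in results.values() if addrs]
    if not answered:
        return False, set()
    distinct = set(answered)
    placeholder = set(distinct.pop()) if len(distinct) == 1 else set()
    return True, placeholder


def is_ip_literal(target):
    """True when target is an IP address rather than a name."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def classify_target(target, resolved, placeholder):
    """Decide whether a port-80 probe at target can be trusted.

    resolved: addresses target resolves to (ignored for IP literals);
    placeholder: addresses the resolver hands out for nonexistent names.
    """
    if is_ip_literal(target):
        return "trusted", "literal IP address: the resolver cannot redirect it"
    if not resolved:
        return "untrusted", "name does not resolve"
    if set(resolved) & placeholder:
        return "untrusted", "name resolves to the resolver's placeholder server %s" % sorted(placeholder)
    return "trusted", "name resolves to %s, not to a placeholder" % sorted(resolved)


if __name__ == "__main__":
    names = [random_hostname() for _ in range(SAMPLES)]
    results = {name: resolve(name) for name in names}
    lying, placeholder = resolver_lies(results)
    print("resolver wildcarding:", lying, "placeholder:", sorted(placeholder))
    for target in ("1.2.3.4", "www." + PROBE_ZONE):
        print(target, classify_target(target, resolve(target), placeholder))
```

Run this on the same resolver the probe will use; a wildcarding resolver is also a reason to treat every "connection succeeded" result against a hostname as a placeholder hit until the address has been confirmed some other way.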

R
robert@webappsec.org
Tue, Feb 8, 2011 9:50 PM

I also have a method for detecting caching proxies that I should be posting in the next week or so (I'll reply to this thread once
it is posted).

Finished up lunch early so decided to just post it.

Easy Method For Detecting Caching Proxies
http://www.cgisecurity.com/2011/02/easy-method-for-detecting-caching-proxies.html

Crude but effective.

Regards,

- Robert Auger


TW
travis+ml-webappsec@subspacefield.org
Fri, Feb 11, 2011 5:35 PM

On Tue, Feb 08, 2011 at 01:26:13PM -0500, robert@webappsec.org wrote:

My usual is:

telnet 1.2.3.4 80

If you get a connection, you've got a transparent proxy (or some
inconsiderate bugger has finally put a web server on 1.2.3.4)

Some ISPS respond with placeholder pages for non existent domains, and they accomplish this
by responding to DNS requests to point to their web server IP. In this use case simply telnetting
will not prove reliable. Network solutions did this years ago and stopped, however there are likely some
isps doing the same thing somewhere.

Very true if 1.2.3.4 were a domain name ;-)

I personally tend to run my own DNS infrastructure and stopped relying
on whatever is provided when providers started lying like this.

Cheers,
Travis

