Paid Advertising
web application security lab

Proxyline Privacy Issues

I recently started playing around with Proxyline’s anonymous surfing. I didn’t start out on a mission to figure out ways around it, but when I checked out my own website, I realized the banner ads weren’t showing. From a web application security perspective it makes sense. JavaScript can work outside the confines of any server side protection to re-write URL strings.

Well, the second test I built happened to get around it. In Internet Explorer the null byte character injected anywhere in HTML is ignored. Proxyline apparently didn’t take that into account as it’s really not normal to throw null chars in the middle of HTML. Try entering this URL into Proxyline:

Adding a few lines of obfuscation to call my environmental variable page “before” and “after” in an iframe help to show that I can accurately de-anonymize any user of the proxy. Null bytes are tricky but I’m sure there are probably other ways around this as well. I don’t think there is any substitute for real proxies, but it’s an interesting service if they can get it working more securely.

4 Responses to “Proxyline Privacy Issues”

  1. Metal Hurlant Says:

    This is a clear case where whitelisting of valid input should be enforced over their current blacklisting approach.
    It’s a matter of priority:
    With a blacklist, a site says “I’m going to try to block bad stuff, but it’s really important for everything else to work”
    With a whitelist, it’s the opposite “I’m going to try to keep things working, but it’s really important for the bad stuff to get blocked.”

    For an anonymous surfing site, the later seems like the only sane approach. (They’re trying to break scripting anyway, so it seems like they’ve already made the call, they just haven’t followed it to its logical conclusion.)

  2. Luciano Says:

    I spoke with owner of this source he said that they will upgrade their script soon. Hope the problem will be fixed.

  3. yawnmoth Says:

    Here’s a phpBB modification that basically does this kind of thing:

    It works on most CGI proxies I’ve tested it on and doesn’t require javascript to be enabled (even though some CGI proxies - such as the one you linked to - do).

    It’s also able to detect people who are using more traditional proxies by using a java applet. This works because the browsers proxy settings aren’t used by Java when the Socket object is used. And how could they be? The browsers proxy settings are only guaranteed to work for the HTTP protocol (atleast if you’re using an HTTP proxy). The Socket object doesn’t have to use the HTTP protocol, however, so for that object to work, it’d have to ignore the browsers proxy settings.

  4. RSnake Says:

    Thanks for the upday Luciano… let us know if you hear any more.

    Yawnmoth, yah, I’ve played with various techniques like that… I’m always a little wary of things that claim they are truely anonymous. Are there any stats anywhere that anyone’s aware of that show penetration of Java Applets? I always thought it was fairly low (I have them turned off personally).