Okay, whew, I finally got around to building out some demos of some of the things I’ve been talking about and thinking about. I’m not as crazy busy as Jeremiah, but I am speaking at the APWG conference, an invite-only malware conference, a local Rotary meeting, the NJ OWASP conference, the SD ISSA conference and the big OWASP/WASC conference in San Jose. So yah, I’m swamped. Don’t expect much posting for a while. But in the meantime, here are two interesting proxy tidbits.
The next demo is a tiny slice of HTML that simply tries to detect whether you are using an HTTP proxy (for example, an Apache proxy using mod_proxy). It works by forceful browsing and then attempting to use the CSS history hack (without JS) to detect whether you were able to surf there. By sending the browser to a place that doesn’t exist (http://test/) and creating an error using the %-- trick, I can detect that you were able to visit somewhere that normally can’t exist. Fun!
As a last point, id pointed out to me that we could easily import fierce’s hosts file and quickly enumerate all the possibilities (and probably more) with the JS CSS history hack and possibly get lots of internal address space of anyone who happened to surf intranet sites prior to visiting the hacker’s site. It’s less reliable than port scanning, obviously, but it’s also way less noisy.
That is all.