web application security lab

Initiating Probes Against Servers Via Other Servers

Okay, this is convoluted but still kinda cool. I was looking through some pages on various tools out there, and happened across GRC’s probe page, which is designed to detect whether there are open ports and what threats are associated with each port. It is protected from nefarious purposes by only scanning the ports of the IP address you are originating from. Then I thought, wait, I can come from anywhere that I can get to request this page. The first page that came to mind? W3C’s validator.

Click here to see W3C’s validator requesting and getting the results of GRC’s probe against W3C’s port 80. Pretty esoteric, huh? Yah, I know, there’s not a whole lot of practicality here, except if I wanted to launch a port scan against a site that had something like an HTTP GET function (remote image include for instance) I could get GRC to perform the probe on my behalf. If someone were actually logging, they’d most likely see GRC as the attacker. GRC would say, “No, you are the attacker, asking us to attack you,” and W3C would have to look in their logs to find my IP (which would be unlikely to be associated with me if I had any clue, as an attacker). Maybe locking things down to IP-based restrictions isn’t the best security measure if the only input is via a GET string. Something as simple as a POST parameter would have stopped me. Odd but worth mentioning.
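
The fix suggested above (requiring a POST parameter), sketched from the probe service's side as an added example that is not GRC's code or part of the original post. The `ProbeGate` class, the token format and the 300-second lifetime are assumptions, and the IP-bound single-use token goes one step beyond the plain POST parameter the post mentions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 300  # seconds a form token stays valid (assumed value)


class ProbeGate:
    """Decides whether a request may start a probe of the requester's own IP."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._used = set()  # nonces already spent, so each token works once

    def _sign(self, client_ip, nonce, issued):
        msg = f"{client_ip}|{nonce}|{issued}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_token(self, client_ip, now=None):
        """Token embedded in the HTML form served to client_ip."""
        issued = int(now if now is not None else time.time())
        nonce = secrets.token_hex(8)
        return f"{nonce}.{issued}.{self._sign(client_ip, nonce, issued)}"

    def authorize(self, method, client_ip, form, now=None):
        """Return (allowed, reason) for a request hitting the probe endpoint."""
        now = int(now if now is not None else time.time())
        if method.upper() != "POST":
            return False, "method"  # a URL fetched by a third-party server stops here
        parts = form.get("token", "").split(".")
        if len(parts) != 3 or not parts[1].isdecimal():
            return False, "token-missing"
        nonce, issued, sig = parts[0], int(parts[1]), parts[2]
        expected = self._sign(client_ip, nonce, issued)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False, "token-mismatch"  # token was minted for a different IP
        if now - issued > TOKEN_TTL:
            return False, "token-expired"
        if nonce in self._used:
            return False, "token-replayed"
        self._used.add(nonce)
        return True, "ok"
```

The reason string returned with each refusal is worth logging next to the source IP, since a run of `method` or `token-mismatch` refusals from one server address is what a relayed probe request looks like from the service's side.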

7 Responses to “Initiating Probes Against Servers Via Other Servers”

  1. [fazed] Says:

    The only problem is that it needs to be able to make requests to https servers.

  2. RSnake Says:

    In that specific example, yes, but I think there may be other similar tools out there that give some amount of information back. But yes, you’re right.

  3. ascii Says:

    This is an interesting technique that belongs to the category of online services misuse (like using Google Translate as a proxy, etc). I wrote a draft about something correlated some time ago:

    http://www.ush.it/2006/01/29/port-scanning-with-online-services/

    Also a more recent post with code elaborating an idea of Wisec:

    http://www.ush.it/2007/08/29/scanning-dmz-hosts-with-remote-file-opening/

    Incidentally (hehe, not really) the post cites one paper of yours, Hacking Intranets Through Web Interfaces, demonstrating another time how in the field of security things are madly connected.

    Another similar option could be port scanning Tor exit nodes with online services (like: google:Nmap Online). Some misuses can be fixed very easily by the application owners but for others remediation can really be a pain if a white list approach doesn’t apply.

    Kudos and bye =)

  4. g4b0 Says:

    Hu! They also intercept proxies..

    try adding X-Forwarded-For: 1.2.3.4

    Host: www.grc.com
    X-Forwarded-For: 1.2.3.4
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Cookie: temp=lfvnmq5f33rcl; perm=dmp0qerbbq03f

    And… what are those cookies? :)

  5. RSnake Says:

    @Ascii - I did something very similar for a client of ours. They allowed upload of any content in a sandbox - unfortunately their DMZ included pretty much everything you’d ever want, although my one liner looked slightly different from yours. I had to write it this way because of the HTTP timeout - obviously I would have much rather had it run for six hours and come back and see the results, but that wasn’t possible. Thus I had to write a pretty meaty client side application to iterate over it (many tens of thousands of requests, instead of just one):

    <?@fsockopen($_GET['i'],$_GET['p'],$a,$b,1)?print "open":print "closed";?>

    @g4b0 - interesting! They probably made a judgment call there that they want to scan the origin and not the proxy. Did you try RFC1918 or loopback?

  6. g4b0 Says:

    @rsnake
    I tried both, but they always think I’m behind a proxy. I guess they look for something like

    if (getenv('HTTP_X_FORWARDED_FOR') != '') {
        /* there's a proxy */
    }

  7. Shane Says:

    Check this one out:

    http://www.yougetsignal.com/openPortsTool/