web application security lab

HTTP Proxies Bypass Firewalls

This may seem painfully obvious to some people, but I looked around and couldn’t find a reference to it, so I apologize ahead of time to anyone who already knew this. When we normally think of how attackers use proxies, they are almost always just trying to hide their IP addresses. id and I have written papers on bypassing content-restricting firewalls using proxies, etc… Those are all fine topics, but that’s not what this post is about. I was poring through my logs a few weeks ago and came across a number of people attempting to see if I was running an open proxy. Obviously I’m not, and the likely reason someone would check is that a robot is looking at large swaths of the web for open proxies.

I ran into an open proxy after that and started poking around with it. The obvious way to test for one is to type in “GET http://www.yahoo.com/ HTTP/1.0” and see if it shows you Yahoo’s homepage. But then it occurred to me that this could be used for Intranet hacking as well. The open proxy doesn’t have to point out to the web. It can, in fact, be pointed inward, to internal addresses. Here’s a diagram of what I’m talking about:


[Diagram: the same open proxy used in two ways, outbound to the Internet to hide the attacker’s address, and inward toward internal addresses on the proxy’s own network]

The first scenario is what most bad guys use proxies for. They connect back out to the Internet, to hide their real IP addresses. The second scenario, however, would allow them to use that same proxy server to hack other machines on the same network, including the firewall itself. The funny part is that there are tons of machines out on the Internet that have already been compromised, and the bad guys have intentionally placed proxies on these machines for other nefarious purposes. But the same proxies can also be used for internal reconnaissance, or worse. And yes, I have found this in the wild. By quickly enumerating the most likely places within the RFC 1918 private address space, it’s fairly easy to spot where the majority of devices are in most networks (note that this kind of internal scanning will become more difficult with IPv6).

If there are internal machines with critical vulnerabilities on them, the proxy can be used to connect back into that network and exploit those vulnerabilities, which may give a bigger foothold or uncover other sensitive information. If you haven’t scanned your own network for open proxies, you probably should. This is yet another reason to limit what your web servers have access to within your own networks.
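The defensive counterpart of the post is an egress policy on the proxy itself: before forwarding, parse the proxy-style request line (the “GET http://host/ HTTP/1.0” form above, or CONNECT), resolve the target, and refuse anything that lands in RFC 1918 or other non-routable space. The following is an added example of that check, not code from the original post; the resolver table and the hostnames in it are constructed so the example runs offline (real code would resolve via DNS and check the resolved address, not the hostname string).

```python
"""Egress policy check for a forward HTTP proxy (added example).

Decides whether one proxy-style request may be forwarded: parse the
request line ("GET http://host/ HTTP/1.0" or "CONNECT host:port HTTP/1.1"),
resolve the target host, and deny anything inside internal address space.
"""
import ipaddress
from urllib.parse import urlsplit

# Address space a public-facing proxy should never forward into:
# RFC 1918 private ranges plus loopback, link-local and other non-routable blocks.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed stand-in for DNS so the example runs offline (assumption).
# 203.0.113.0/24 is TEST-NET-3; the addresses are not real lookups.
FAKE_DNS = {
    "www.yahoo.com": "203.0.113.10",
    "intranet.corp.example": "10.1.2.3",
    "fw.corp.example": "192.168.0.1",
}


def parse_target(request_line):
    """Return (method, host, port) for a proxy-style request line.

    Raises ValueError for origin-form requests ("GET / HTTP/1.0") and for
    anything that is not a well-formed absolute-URI or CONNECT target.
    """
    method, target, _version = request_line.strip().split(" ", 2)
    if method.upper() == "CONNECT":
        host, _, port = target.rpartition(":")
        return method, host.strip("[]"), int(port)
    parts = urlsplit(target)
    if not parts.scheme or not parts.hostname:
        raise ValueError("not an absolute-URI proxy request: %r" % request_line)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return method, parts.hostname, port


def resolve(host):
    """Resolve an IP literal or a name (via the constructed table) to an address."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        if host in FAKE_DNS:
            return ipaddress.ip_address(FAKE_DNS[host])
        raise LookupError("unresolvable host %r" % host)


def is_internal(addr):
    """True if the resolved address falls in any denied network."""
    return any(addr in net for net in DENIED_NETWORKS)


def forward_decision(request_line):
    """Return 'ALLOW' or a 'DENY:<reason>' string for one request line."""
    try:
        method, host, port = parse_target(request_line)
    except ValueError as exc:
        return "DENY:malformed (%s)" % exc
    try:
        addr = resolve(host)
    except LookupError:
        return "DENY:unresolvable"
    if is_internal(addr):
        return "DENY:internal target %s -> %s" % (host, addr)
    return "ALLOW"


if __name__ == "__main__":
    for line in (
        "GET http://www.yahoo.com/ HTTP/1.0",
        "GET http://10.0.0.1/ HTTP/1.0",
        "CONNECT intranet.corp.example:22 HTTP/1.1",
        "CONNECT [::1]:443 HTTP/1.1",
    ):
        print("%-45s %s" % (line, forward_decision(line)))
```

The decision is made on the resolved address rather than on the hostname, which is what keeps internal names that happen to be resolvable from the proxy from slipping through; the same check belongs on a reverse proxy or any server-side fetcher that builds outbound requests from client input.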

15 Responses to “HTTP Proxies Bypass Firewalls”

  1. Hakc2 Says:

    I don’t understand this type of attack very well.
    You attack a server, and then install a proxy to enter another time.
    Isn’t it better to install a backdoor for this :S?

  2. Rafal Los Says:

    So the reason this is interesting and pertinent to the “real world” is where you run into these “PCI 6.6 - protected via WAF” networks. The entry path from the Internet into most of these web farms is typically through a WAF or some sort of filtering mechanism, but once you hit an open proxy of some sort that can point back internally, you’re likely bypassing many of the filtering mechanisms because administrators *rarely* have a single path into a web farm that’s filtered.

    Yes - I have experienced this in a “real-world” scenario, and this is what an attack looks like:

    1) Recon is done for open-proxies
    2) Attacker finds an open proxy somewhere on your network perimeter
    3) Attacker finds internal IP addresses (guess or otherwise) of your web farms
    4) Attacker bypasses WAF and other “filtering” technologies via an insider path into your web farms…

    So there you have it - an attack vector that further lends credibility to the view that a WAF is only a band-aid and writing secure source code is the key.

    ** Great job pointing this out - security & network architecture need to go hand-in-hand, before we can secure anything.

    –Cheers, Rafal.

  3. Robert Says:

    I wrote a tool a few years ago that did this exact thing. I was considering releasing it but still up in the air.

    Screenshot
    http://www.cgisecurity.com/images/intranumerator.JPG

    - Robert

  4. thrill Says:

    Basic Network Security 101.

    There’s a lot of dropouts from this class, and for various reasons:

    1) It’s too much work to do it properly.
    2) It’s too much work to educate my users.
    3) I hate changing my proxy settings on my laptop when I take it home.
    4) They’ve never heard of transparent proxies which can be blocked from the outside.

    While I will admit it’s a fine line between security and usability, if the inconvenience of one of my users can secure the network for everyone else, tough luck for that user.

    And while my job as the IT (department) person is making sure everyone else can do their job, my job as the Security (department) person is to make sure my company’s name is not plastered all over the newspapers saying “Acme Company Loses 1 Million Users’ Personal Data”.

    –thrill

  5. ChrisP Says:

    I must be missing something. Say there’s an open proxy on your network perimeter/DMZ. There’s also a WAF that protects your www server farm. A typical WAF only permits GET/POST and sometimes HEAD methods. The CONNECT method won’t be allowed through the WAF.

    Also, WAFs don’t care about IP addresses - they compare input/output against signatures or white list patterns. How are you bypassing the WAF in this case?

  6. rob Says:

    Isn’t this how Adrian Lamo did a lot of his hacking back in the day using ProxyHunter?

  7. t Says:

    This is part of the story in “How to Own a Continent”.

    http://insecure.org/stc/
    Hacking .MIL->Open Proxy Test

  8. Robert Says:

    Rob, yes, Adrian Lamo manually hacked the NY Times this way. This was my inspiration for writing the intranumerator tool actually :)

  9. EC Says:

    This is common on reverse proxy deployments. If they aren’t properly configured they could show internal server details.

  10. xs Says:

    Rob,

    The intranumerator tool looks pretty cool. Is there something else in the open source world that is doing the same thing? If not, you should open up the tool and let people use it.

    I have a very very large environment that I work in and I could find a use or two for this tool. Especially when it comes to auditing my infrastructure. :)

    What are the chances we could get a look at the source on this tool? :)

  11. schmoilito Says:

    ChrisP,

    The WAF (or similar device) can be the reverse proxy. In a situation where multiple web apps are published through a WAF on a single domain name, the WAF will route a request to the appropriate back-end server based on host address information in the URL. Now you can alter the data in the URL and reach hosts that you might not be allowed to. This is where the misconfiguration comes into play. These devices do allow you to specify a white-list of hosts, but I’ve seen many instances where folks got lazy and white-listed .*. I wrote a blog post about this here.

    I also think it is important to make the distinction between REAL proxy devices that abide by the HTTP RFC (using CONNECT, etc), and web apps/devices that will act as open reverse proxies. Both scenarios can lead to the same kinds of abuse, but can be different beasts entirely.

  12. ChrisP Says:

    @Schmoilito: thanks - I see clearer now. Something along the lines of an HTTP 1.0 request where the URI itself contains the absolute path to a host.domain different than what the Host header says. If the WAF demuxes on the content of the Host header but actually forwards based on the URI, there’s a problem indeed.

    At the same time your post made me discover your blog, which looks very interesting! Cool - thanks!
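The routing case schmoilito and ChrisP are discussing can be shown in a few lines: a reverse proxy that publishes several apps picks a back-end from the host the client names, and the difference between a strict allow-list and the lazy `.*` is exactly what determines whether an unpublished internal host can be named. The following is an added example, not code from the thread or from any particular WAF product; the published hostnames and the back-end names are constructed.

```python
"""Host-based routing check for a reverse proxy publishing several apps
(added example).

Models the misconfiguration described in the comments: a '.*' allow-list
forwards to whatever host the client names in the absolute URI, while a
strict allow-list only routes to published hosts. Requests whose absolute-URI
host disagrees with the Host header are flagged, since a device that demuxes
on one field but forwards on the other is the case ChrisP describes.
"""
import re
from urllib.parse import urlsplit

# Constructed: the apps this reverse proxy is supposed to publish.
STRICT_ALLOW = re.compile(r"^(www|shop)\.example\.com$")
# The lazy configuration from the thread: every host matches.
LAZY_ALLOW = re.compile(r".*")


def requested_hosts(request_line, headers):
    """Return (uri_host, header_host), lowercased, for one request.

    uri_host is None for an origin-form request such as "GET /path HTTP/1.1".
    """
    _method, target, _version = request_line.strip().split(" ", 2)
    parts = urlsplit(target)
    uri_host = parts.hostname if parts.scheme else None
    header_host = headers.get("Host", "").split(":")[0].lower() or None
    return uri_host, header_host


def route(request_line, headers, allow=STRICT_ALLOW):
    """Pick the back-end host or return an 'ERROR:<reason>' string.

    RFC 7230 section 5.4: a proxy receiving an absolute-form request-target
    must ignore the Host header and use the authority from the request-target.
    """
    uri_host, header_host = requested_hosts(request_line, headers)
    effective = uri_host or header_host
    if effective is None:
        return "ERROR:no host"
    # Disagreement between the two fields is worth logging on its own.
    mismatch = bool(uri_host and header_host and uri_host != header_host)
    if not allow.fullmatch(effective):
        return "ERROR:host %s not published" % effective
    return "ROUTE:%s" % effective + (" (host mismatch)" if mismatch else "")


if __name__ == "__main__":
    req = "GET http://10.1.2.3/admin HTTP/1.1"
    hdrs = {"Host": "www.example.com"}
    print("strict:", route(req, hdrs))
    print("lazy:  ", route(req, hdrs, allow=LAZY_ALLOW))
```

With the strict list the request naming an internal back-end is refused before any connection is made; with `.*` the same request is routed to it, and the only trace is the Host/URI mismatch, which is why that mismatch deserves an alert even where the allow-list is correct.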

  13. slow Says:

    I’m glad Rob mentioned Lamo, I was going to say your post is about 10 years too late. Everybody that needs to know about this attack vector already knew about it :-)

  14. impact Says:

    Well, first off I’d like to say that I’ve been doing this for about 2 years now and even if you do “hack” straight through the firewall you still have other notorious risks. For example, certain firewalls shouldn’t be broken and if you do you might be in a world of shit, and another example is if you snoop around on other open proxies you will wind up with several viruses. Trojan virus is the one people use the most. So good luck with all your hackings and whatnot, but I’m going to make me a sandwich, so happy hackings and peace.

  15. james khurana Says:

    I would like to find a proxy so I can go on in school.