web application security lab

Anonymous Proxy Woes

Marco commented that the CSS history hack doesn’t work with hidemyass.com. Never having been there, I found myself clicking around on their site to find that it’s yet another CGI proxy. So after a few minutes of playing around, here is the list of problems or potential problems I have with hidemyass.com and most of the sites that are similar. Here are the top 10 biggest problems that I see (yes, I had to limit myself to 10 because this list was getting out of control), in no particular order:

#1 - The first thing I did was go to YouTube, and then I visited one of my own sites. It turns out that cookies set by YouTube are sent to my site on subsequent requests, so there are no cross-domain boundaries for cookies. That’s a huge no-no: it would easily de-obfuscate where you’ve been, not to mention giving the other site access to your account.

#2 - The site sends a referrer of the hidemyass.com website, so the destination site can easily see that the user came from there.

#3 - The site is still vulnerable to the CSS history hack, but instead of picking one of the sub-URLs, you’d just pick the main one, http://hidemyass.com/, and poof!

#4 - The proxy doesn’t re-write the JavaScript, so a page’s own JavaScript can simply call back to its own site directly, revealing that the visitor is using this service.

#5 - Since every site resides on the same CGI-proxied domain, it’s trivial to see what other domains have been logged into and, more importantly, what the content is on those other pages.

#6 - What happens when the site is SSL? Does it even work, or does it downgrade you to non-SSL? Either way…

#7 - Same question as above, but what about FTP, SMB and all the other protocols out there? Either they work or they don’t. Either way, bad news.

#8 - The IP addresses aren’t diverse enough - usually the same handful of IPs - so they can be tracked, and/or can trip flood limits on sites that look for that sort of thing.

#9 - Sites like these tend to be run by bad guys, and tend to log whatever information is sent over the wire. What a great place to man-in-the-middle someone, right? Even if they weren’t run by bad guys, in many cases they could easily be hacked into, in which case every user who utilizes the service is potentially in danger.

#10 - Sites like this tend to muck with the HTML of the page they output, making them trivial to detect from JavaScript, and worse yet, they can often cause major CSS collisions with other page content, or even be overwritten in such a way that the user thinks they are interacting with the CGI proxy and doing something benign when in fact the user is performing an action that can hurt them.
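
To make #1 concrete, here is an added example (not code from the original post or from any of the proxy scripts mentioned) of the server-side cookie handling a rewriting proxy needs: because every proxied site shares the proxy’s single origin, the browser’s own cookie jar cannot scope cookies per upstream site, so the proxy must keep a per-upstream-host jar and only forward cookies whose domain covers the host being fetched. Host names and cookie values are constructed samples; the `PerOriginCookieJar` class and `demo()` function are my own names.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def _domain_matches(host, domain):
    """RFC 6265-style domain match: host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


class PerOriginCookieJar:
    """Server-side cookie store keyed by the upstream site, not the proxy origin."""

    def __init__(self):
        self._jars = {}  # cookie domain -> {name: value}

    def store(self, upstream_url, set_cookie_headers):
        """Record Set-Cookie headers from a response fetched from upstream_url."""
        host = urlsplit(upstream_url).hostname
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                # A Domain attribute may only widen scope to a parent of the
                # responding host; anything else is dropped, as a browser would.
                domain = morsel["domain"].lstrip(".") or host
                if _domain_matches(host, domain):
                    self._jars.setdefault(domain, {})[name] = morsel.value

    def cookie_header(self, upstream_url):
        """Cookie header for a request to upstream_url; None if nothing applies."""
        host = urlsplit(upstream_url).hostname
        sent = {}
        for domain, jar in self._jars.items():
            if _domain_matches(host, domain):
                sent.update(jar)
        return "; ".join(f"{k}={v}" for k, v in sorted(sent.items())) or None


def demo():
    """Constructed sample: a session cookie set while browsing youtube.com must
    not travel to an unrelated site proxied through the same CGI origin."""
    jar = PerOriginCookieJar()
    jar.store("http://www.youtube.com/watch",
              ["SID=abc123; Domain=.youtube.com; Path=/; HttpOnly"])
    # An upstream response trying to plant a cookie for a foreign domain is ignored.
    jar.store("http://www.youtube.com/", ["evil=1; Domain=example.org"])
    return (jar.cookie_header("http://www.youtube.com/feed"),
            jar.cookie_header("http://www.example.org/"))
```

With this in place, the YouTube session cookie is only replayed to youtube.com hosts, and a visit to the second site through the proxy carries no Cookie header at all.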

So yeah, please don’t use CGI proxies unless you really know what you’re doing. They very rarely increase your security; most of the time, as a matter of fact, they just decrease it. And yes, this applies to the dozen or so other sites that the same company runs and the hundreds of others you find mentioned on digg.com and the like. Avoid them, unless you simply don’t care about any of these risks.

19 Responses to “Anonymous Proxy Woes”

  1. woohoo Says:

    What about something like UltraSurf? Does it suffer from the same or similar problems?

  2. RSnake Says:

    @woohoo - It’s a binary, so it won’t have exactly the same issues, probably, but I’m not too excited about downloading and running a random binary off the Internet either. ;)

  3. Steve Says:

    I love UltraSurf! Super fast.

  4. woohoo Says:

    ’Tis true. Unfortunately it is the only reason I am currently able to read this site ;)
    I’d try tor (which I have audited for security issues, as have people far better than I) but the speed issue is a big problem.
    I’m more concerned about bypassing censorship than I am in remaining anonymous (at this moment in time).

    Can you recommend anything better?

  5. LonerVamp Says:

    I’d probably try to treat it the same as an open wireless hotspot. Sure, you can browse through it and maintain some anonymity, but you really shouldn’t log into anything at all or go anyplace that indicates who you are or use a browser you’ve used for sure purposes. Basically, browse the web as anonymous and you should be fine. Avoiding censorship should also be ok, within reason (of a subpoena or crazy-rigid government eavesdropping).

    Then you’re hopefully only needing to worry about #10, which is true with open wireless anyway.

  6. ChosenOne Says:

    If you want *REAL* anonymity, use Tor and Torbutton (the details are explained on the website).
    Torbutton - a Firefox addon - will disable Flash, JS and similar features to decrease the probability of being decloaked :)

    If you just want to send a request originating from a foreign IP, use a proxy like hidemyass.com - but as RSnake said: you gotta know what you’re doing ;)

  7. jody Says:

    also

    #11 - the standard nph-proxy.cgi script by jmarshall contains a cross-site scripting bug

  8. woohoo Says:

    In general (I think) I know what I’m doing.
    I’m looking for people who know more than me however to confirm or deny what I think I know ;)

    I have foxyproxy set up with tor as an option - but the speed is the biggest issue when I’m not concerned with anonymity.

  9. woohoo Says:

    PS @Rsnake and LonerVamp - thanks

  10. Albino Says:

    Surely the man in the middle risk is even higher with TOR than cgi proxies, as anyone can be a TOR exit node. Although I guess that by running TOR through a https cgi proxy you could eliminate the TOR exit node eavesdropping risk. Either way it comes down to trust.

  11. Thursday Says:

    Regarding TOR, the man in the middle risk is at least as high as with a cgi proxy because anybody can become a TOR exit node. Also, I think your ISP can see everything, and they probably mark TOR traffic as suspicious.
    At least HTTPS cgi proxies stop your ISP from seeing what you’re doing… right?

  12. Jonathan Says:

    @woohoo - So you are trying to bypass censorship? Have you looked into forwarding traffic through a SSH tunnel? I believe you can forward your DNS traffic as well. The only problem is finding someone a SSH service with no bandwidth limits.

    SSH would be good for forwarding a port or two, but a VPN would be better for all the connections from your computer.

    Or if you have a friend or family in another country you could look into the Psiphon program.
    hxxp://en.wikipedia.org/wiki/Psiphon

    @Thursday - If your ISP sees all your traffic then SSL becomes vulnerable to man in the middle attacks. Running TOR through a SSL proxy would not improve any of your security. Yes the TOR end node sees all the traffic, but now your SSL proxy is the end node.

    @ChosenOne - There is no such thing as “real” anonymity on the internet; only varying degrees of obfuscation. Also I believe RSnake just pointed out that hidemyass and such services are actually very bad for security. So even using them through TOR is a bad idea…

  13. Marco Says:

    Hey Webappsec, what’s up?

    Thanks for the post and explaining new ways of using the CSS trick.

    I don’t use or suggest the use of any kind of proxy, Hidemyass.com and Kproxy.com were the first webproxies that came on my mind to test the CSS hack, there is nothing special about them.

    The only reason I commented that post was how simple it was to detect a lot of proxies, without any configuration, using CSS. There are a lot of ways to detect a proxy connection, but no one as close to this simplicity and efficiency.

    So, once again, nice job. And if you could write something about using traceroutes to detect proxies it would be a blast.

    Take care.

  14. scanner Says:

    The issue in #1 appears to be the same one described here:
    http://www.kb.cert.org/vuls/id/261869

  15. Eric Says:

    In general, I don’t really even trust my ISP, nevermind hotspots or proxies. Highly considering a 4G/WiMax solution.

    I thought I’d share this proxy site I found, because it’s hilarious for many reasons:
    http://learninginvestment.com/a/

    I found this in my web logging software for someone who visited a site (through Facebook). At first I didn’t understand how this site linked to me, but then I noticed the field and go button, and at the bottom saw the credits for the proxy. In good news, if they took out the credits for the proxy, this might be very good to use in a situation where you don’t want people to know you are using a proxy (China maybe?), but I am sure people still click on the ads and there are at least 4 pop-ups when you go to a URL, mangled output, and the first time I visited it wanted me to download a random PDF (0-dayed attack maybe, but I didn’t even bother checking).

    So what is the price to pay for pseudo privacy? I feel like most people who are serious about security probably use tor or something, and the people using this technology are kids at school or office workers, which means exploits and viruses spread most likely. And to think, if they just trusted their users, then they would only be clicking on the most obvious of malicious content.

  16. Gabriel Ramuglia Says:

    I’m afraid that your commentary is mistaken. First of all, most of what you’ve mentioned is not standard CGI-Proxy behaviour. If hidemyass behaves in this way, it is because they have modified their script to act this way, rather than use the default cgi proxy script.

    Points 1, 2, 4, 5 and 10 are all irrelevant in a properly configured copy of cgi proxy. Point 9 is entirely erroneous, as most of these proxies are run just to make money off the advertisements. Of course somebody could log things if they had the technical skill / desire to do so, but that is true of any proxy. The vast majority of web based proxies are run to make money on ads, not spy on users.

  17. RSnake Says:

    @Gabriel - did you actually TRY their website? Please go take a look at it. It doesn’t matter if other sites are safe, their site isn’t and that’s what he was using to protect himself. And point 9 is not mistaken (at least from what I’ve seen). Perhaps you haven’t spent a lot of time looking at the social bookmarking sites, but they are absolutely littered with anonymous proxies that log data. I haven’t seen any that I believe are 100% legit on those sites. Perhaps there are entirely legit anonymous CGI sites out there, but they aren’t a majority - at least not on social bookmarking sites.

  18. RSnake Says:

    Wait, and how are 4 and 5 irrelevant? I’m confused. Are you saying in the case of #4 that you run all JavaScript and de-obfuscate it and re-write everything safely? Can I call BS now, or do you want to retract?

    In the case of #5, unless you have a messload of subdomains/domains/IPs that you use for every domain uniquely, I don’t see how that’s going to work either. Granted, maybe I’m misunderstanding something there, but I kinda doubt it.

  19. RSnake Says:

    Nm, I see what you’re doing. re-writing document.write. I bet that would be trivial to get around, and btw, totally breaks websites: http://www.vtunnel.com/index.php/1000110A/80a20673dee2b76ac619903668947c9f29188d945f92ee15760

    Alas…