Cenzic 232 Patent
Paid Advertising
web application security lab

Quick Proxy Detection

32 Posts left…

Just a quicky post on how in Firefox you can detect proxies using image tags. Firefox (and possibly other browsers but I first saw it in Firefox) use [ ] to denote IPv6 (I believe that’s it’s original intention anyway) but it also works in IPv4.

Something as simple as http://[123.123.123.123]/img.jpg?unique_id embedded into a page could be used to see if the user is using a proxy, which, as far as I’ve seen - at least using Apache’s proxy, doesn’t understand that syntax and therefore won’t fetch the image. This does give false positives when using something that blocks cross domain requests, and robots that try to stay on the same domain. Anyway, this might be helpful to someone.

11 Responses to “Quick Proxy Detection”

  1. Michael Says:

    Interestingly it appears that Firefox is also happily with relative or FQDN inside brackets too, i.e. http://[ha.ckers.org]/blog/20100820/quick-proxy-detection/.

  2. RSnake Says:

    Hah… Strange. Thanks, Michael!

  3. mr.The Says:

    Wait, i don’t understand.
    If we use proxy, we can’t open something as http://[123.123.123.123]/img.jpg?unique_id ?

  4. RSnake Says:

    You could, but that wouldn’t be particularly stealthy. Images can be made hidden.

  5. mr.The Says:

    Ok. I use proxy.

    I go to http://2ip.ru and i see proxy ip.
    Then, i go to http://[2ip.ru]/ and i again see proxy ip.

    What’s wrong?

    Firefox 3.6.8.

  6. RSnake Says:

    It may be that the proxy you’re using allows it in that case. I tested this on an apache proxy.

  7. mr.The Says:

    Ok, thanks.

  8. Feross Says:

    RSnake, this is awesome! I coded up a proof-of-concept based on your post.

    Proof-of-concept: http://www.feross.org/hacks/detect-proxy/
    Blog post: http://www.feross.org/detect-proxy-usage-in-firefox/

    The one thing I wish I understood better is: why doesn’t Firefox automatically translate [xx.xx.xx.xx] -> xx.xx.xx.xx when it’s using a proxy? In other words, why doesn’t it do the automatic resolution before requesting the resource at xx.xx.xx.xx instead of [xx.xx.xx.xx] from the proxy?

  9. rht Says:

    well sir i cant get itt????
    and just wana tell u i am a newbie and can u just direct me to how to know nearly 70% of stuff s u know in simplified approach?

  10. Shreyas Zare Says:

    I just checked it in wireshark. The HTTP response to a site with and without [] is same except for the referer section. I think the proxy server must be getting an issue with [] in referer and hence not serving image. This may not be a case with all proxy servers, though I didnt check it with any specific proxy.

  11. flowcontrol Says:

    Does this also detect Socks5 proxys?