Cenzic 232 Patent
Paid Advertising
web application security lab
« The Chilling Effect
Detecting some forms of MITM attacks »

Quick Proxy Detection

32 Posts left…

Just a quicky post on how in Firefox you can detect proxies using image tags. Firefox (and possibly other browsers but I first saw it in Firefox) use [ ] to denote IPv6 (I believe that’s it’s original intention anyway) but it also works in IPv4.

Something as simple as http://[123.123.123.123]/img.jpg?unique_id embedded into a page could be used to see if the user is using a proxy, which, as far as I’ve seen - at least using Apache’s proxy, doesn’t understand that syntax and therefore won’t fetch the image. This does give false positives when using something that blocks cross domain requests, and robots that try to stay on the same domain. Anyway, this might be helpful to someone.

This entry was posted on Friday, August 20th, 2010 at 12:52 pm and is filed under Webappsec. Responses are currently closed, but you can trackback from your own site.

11 Responses to “Quick Proxy Detection”

  1. Michael Says:
    August 20th, 2010 at 1:37 pm

    Interestingly it appears that Firefox is also happily with relative or FQDN inside brackets too, i.e. http://[ha.ckers.org]/blog/20100820/quick-proxy-detection/.

  2. RSnake Says:
    August 20th, 2010 at 1:54 pm

    Hah… Strange. Thanks, Michael!

  3. mr.The Says:
    August 20th, 2010 at 2:32 pm

    Wait, i don’t understand.
    If we use proxy, we can’t open something as http://[123.123.123.123]/img.jpg?unique_id ?

  4. RSnake Says:
    August 20th, 2010 at 2:33 pm

    You could, but that wouldn’t be particularly stealthy. Images can be made hidden.

  5. mr.The Says:
    August 20th, 2010 at 2:37 pm

    Ok. I use proxy.

    I go to http://2ip.ru and i see proxy ip.
    Then, i go to http://[2ip.ru]/ and i again see proxy ip.

    What’s wrong?

    Firefox 3.6.8.

  6. RSnake Says:
    August 20th, 2010 at 2:49 pm

    It may be that the proxy you’re using allows it in that case. I tested this on an apache proxy.

  7. mr.The Says:
    August 20th, 2010 at 2:53 pm

    Ok, thanks.

  8. Feross Says:
    August 22nd, 2010 at 10:31 pm

    RSnake, this is awesome! I coded up a proof-of-concept based on your post.

    Proof-of-concept: http://www.feross.org/hacks/detect-proxy/
    Blog post: http://www.feross.org/detect-proxy-usage-in-firefox/

    The one thing I wish I understood better is: why doesn’t Firefox automatically translate [xx.xx.xx.xx] -> xx.xx.xx.xx when it’s using a proxy? In other words, why doesn’t it do the automatic resolution before requesting the resource at xx.xx.xx.xx instead of [xx.xx.xx.xx] from the proxy?

  9. rht Says:
    August 23rd, 2010 at 2:02 am

    well sir i cant get itt????
    and just wana tell u i am a newbie and can u just direct me to how to know nearly 70% of stuff s u know in simplified approach?

  10. Shreyas Zare Says:
    September 16th, 2010 at 12:15 pm

    I just checked it in wireshark. The HTTP response to a site with and without [] is same except for the referer section. I think the proxy server must be getting an issue with [] in referer and hence not serving image. This may not be a case with all proxy servers, though I didnt check it with any specific proxy.

  11. flowcontrol Says:
    December 19th, 2010 at 2:43 pm

    Does this also detect Socks5 proxys?