Bypassing proxy anonymization

8 October 2007


Proxies are a vital resource if you want to stay anonymous online. Of course, there are a couple of ways to compromise that anonymity, and I'm going to explain one of them.

True, you can't really get to the real IP address behind an "elite" proxy from the server side. However, let's not forget the client side, as it should provide us with the answer we're looking for.

Web apps today can easily send HTTP requests and even open sockets using technologies such as AJAX (JavaScript), Flash and Java applets. Normally, you would expect the plugins to obey the browser's proxy settings, but in certain circumstances this isn't so.

Sockets don't have to use the HTTP protocol, so they can't go through HTTP proxies by default. Even if you do use the HTTP protocol and connect to port 80, the system still isn't going to enforce the browser's proxy settings on your connection. This makes sense, but it also undermines the anonymity a proxy can provide.

And yet, it just so happens that the JavaScript way to open a socket isn't cross-browser, and the Flash way requires communication over a nonstandard port (1024+). This is bad for a couple of reasons. First, the server will have to listen on an arbitrary port, a feature that most web hosting companies won't provide (so this will require a dedicated server). Second, if the user is behind a firewall, the communication could be blocked.

For reference, here are two sources that demonstrate both ways:
JS: http://ha.ckers.org/blog/20070926/de-anonymizing-tor-and-detecting-proxies/
Flash: http://hackademix.net/2007/09/26/cross-browser-proxy-unmasking/

So, the last reliable way to bypass a proxy is to use a Java applet. It can communicate over port 80, and the JVM is a widely trusted and popular plugin (usually built in). I've set up a small demo for you here: http://own-the.net/ip/demo.php . Just set some proxy settings, and watch the applet discover your real IP.

You can get the .java source here: http://own-the.net/ip/IpApplet.java . The source is commented and pretty self-explanatory. The "ip.php" file just echoes the $_SERVER["REMOTE_ADDR"] value between <ip> and </ip> tags (in an XML-like fashion).
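As an added example (not the post's applet or ip.php, and not code by the author), here is a Python self-check a defender can run against their own proxy setup: it fetches the same `<ip>` endpoint once through the configured HTTP proxy and once over a raw socket to port 80, then compares the two addresses to see whether the unproxied path exposes a different one. The endpoint host, path, proxy address and the sample replies are assumptions or constructed values.

```python
import re
import socket
import urllib.request

# ip.php (per the post) echoes the client address inside <ip>...</ip>.
IP_TAG = re.compile(r"<ip>\s*([0-9A-Fa-f.:]+)\s*</ip>")

# Constructed sample replies (documentation-range addresses), not real captures.
SAMPLE_PROXIED = "<ip>198.51.100.1</ip>"   # what the server saw via the proxy
SAMPLE_DIRECT = "<ip>203.0.113.7</ip>"     # what it saw over the raw socket

def extract_ip(body):
    """Return the address inside the <ip> tags, or None if absent."""
    m = IP_TAG.search(body)
    return m.group(1) if m else None

def classify(proxied_body, direct_body):
    """'exposed' if the unproxied socket revealed a different address than the
    proxied request; 'same' if both paths showed one address (proxy unused, or
    a transparent/enforced proxy covers both); 'unknown' on a malformed reply."""
    proxied, direct = extract_ip(proxied_body), extract_ip(direct_body)
    if proxied is None or direct is None:
        return "unknown"
    return "exposed" if proxied != direct else "same"

def fetch_via_proxy(url, proxy_url, timeout=10):
    """Request that honours an explicit HTTP proxy, as a browser would."""
    handler = urllib.request.ProxyHandler({"http": proxy_url})
    with urllib.request.build_opener(handler).open(url, timeout=timeout) as r:
        return r.read().decode("utf-8", "replace")

def fetch_direct(host, path, port=80, timeout=10):
    """Raw TCP to port 80: no proxy setting applies, which is the post's point."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

if __name__ == "__main__":
    # Offline demonstration on the constructed replies.
    print(classify(SAMPLE_PROXIED, SAMPLE_DIRECT))   # exposed
    # Live check against your own endpoint (assumed names):
    # host, path, proxy = "ip.example.test", "/ip.php", "http://127.0.0.1:8080"
    # print(classify(fetch_via_proxy(f"http://{host}{path}", proxy),
    #                fetch_direct(host, path)))
```

A result of "exposed" means a raw socket from your machine reaches the server with an address the proxy never saw, which is exactly the gap the applet exploits.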

Now you may think that proxies are dead, but wait just a moment. You can simply disable scripting, Flash and applets in your browser settings, and be safe again. Remember to go "NoScript" every time you need anonymity, and it will be fine. So this anti-anonymization trick won't work on experienced users, but it will still help in 90% of the cases, which keeps it quite useful and accurate.

And that's it for now.
See you on my next post.

Posted by: kGen | In category: Webappsec