Anonymous Proxy Woes
Marco commented that the CSS history hack doesn’t work against hidemyass.com. Never having been there, I clicked around on their site and found that it’s yet another CGI proxy: a web page with a form you type a URL into, which fetches the target page server-side and serves it back to you from the proxy’s own domain. After a few minutes of playing around, here is the list of problems, or potential problems, I have with hidemyass.com and most of the sites that are similar. These are the ten biggest problems I see (yes, I had to limit myself to ten because the list was getting out of control), in no particular order:
#1 – The first thing I did was go to YouTube, and then visit one of my own sites. It turns out that cookies set by YouTube were sent to my site on subsequent requests. Because every proxied page is served from the proxy’s own hostname, the browser scopes all of those cookies to that one host, so there are no cross-domain boundaries for cookies at all. That’s a huge no-no: any site you visit through the proxy can easily de-obfuscate where you’ve been, not to mention that it receives your session cookies for the other sites, i.e. access to your accounts.
#2 – The proxy sends a Referer header pointing at the hidemyass.com website, so the destination site can easily see that the user came from there.
#3 – The site is still vulnerable to the CSS history hack; instead of probing one of the sub-URLs, you just test the main one, http://hidemyass.com/, with a :visited selector, and poof!
#4 – The proxy doesn’t rewrite the JavaScript on the page, so a site’s own script runs unmodified and can simply make a request straight back to your own server, bypassing the proxy entirely, to see that the visitor is using this service.
#5 – Since every site resides on the same CGI-proxied domain, the browser treats all of them as one origin, so script from one proxied page can trivially see what other domains have been logged into and, more importantly, read the content of those other pages.
#6 – What happens when the target site is SSL? Does it even work, or does it silently downgrade you to non-SSL? Either way you lose: the proxy terminates the SSL connection on its own server, so at best the proxy sees your plaintext, and at worst the whole session runs in the clear.
#7 – Same question as above, but for FTP, SMB and all the other protocols out there. Either they work, with the same exposure as above, or they don’t. Either way, bad news.
#8 – The IP addresses aren’t diverse enough: usually the same handful of IPs, so users can be tracked as a group and, worse, those shared IPs can trip flood limits on sites that watch for exactly that sort of thing.
#9 – Sites like these tend to be run by bad guys, and tend to log whatever information is sent over the wire. What a great place to man-in-the-middle someone, right? Even when they aren’t run by bad guys, they could easily be hacked in many cases, and then every user who relies on the service is potentially in danger.
#10 – Sites like this tend to muck with the HTML of the page they output (injected toolbars, forms and scripts), which makes them trivial to detect from JavaScript. Worse yet, the injected markup often causes major CSS collisions with the page’s own content, or can be overlaid in such a way that the user thinks they are interacting with the CGI proxy’s controls and doing something benign when in fact they are performing an action that can hurt them.
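A toy model of problem #1, added here as an example; it is not code from the original post, nor from hidemyass.com or any real proxy. It models the browser’s host-only cookie scoping and shows that once every site is fetched through one proxy hostname, a cookie set by one upstream site is replayed to every other. The proxy URL layout (`PROXY_BASE` plus a `?q=` parameter), the hosts `proxy.example`, `video.example` and `other.example`, and the namespacing mitigation at the end are all assumptions for illustration.

```javascript
// Added example, not code from the original post or from hidemyass.com:
// a toy model of problem #1. A CGI proxy serves every upstream site from
// its own hostname, so the browser's host-only cookie scoping puts all of
// them in one bucket. The proxy URL layout below (PROXY_BASE + "?q=" +
// encoded target) is an assumption for illustration, not any real product's.

const PROXY_BASE = "http://proxy.example/nph-proxy.cgi"; // hypothetical host

// URL the browser actually requests when it asks the proxy for `target`.
function proxify(target) {
  return `${PROXY_BASE}?q=${encodeURIComponent(target)}`;
}

// Minimal cookie jar with host-only matching (simplified RFC 6265):
// a cookie is returned only to the exact host that set it, and only when
// the request path starts with the cookie's Path attribute.
function makeJar() {
  return new Map(); // hostname -> Map(name -> { value, path })
}

function storeCookie(jar, requestUrl, setCookieHeader) {
  const host = new URL(requestUrl).hostname;
  const [pair, ...attrs] = setCookieHeader.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  let path = "/";
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    if (k.toLowerCase() === "path" && v) path = v;
  }
  if (!jar.has(host)) jar.set(host, new Map());
  jar.get(host).set(name, { value, path });
}

function cookiesFor(jar, requestUrl) {
  const u = new URL(requestUrl);
  const sent = [];
  for (const [name, c] of jar.get(u.hostname) ?? []) {
    if (u.pathname.startsWith(c.path)) sent.push(`${name}=${c.value}`);
  }
  return sent;
}

// One mitigation a careful proxy could apply (illustrative, not a claim
// about any particular proxy): prefix each cookie name with the upstream
// host on the way in, and forward only cookies whose prefix matches on
// the way out, so the single proxy origin is partitioned per upstream site.
function namespaceSetCookie(upstreamUrl, setCookieHeader) {
  const host = new URL(upstreamUrl).hostname;
  return setCookieHeader.replace(/^([^=;]+)=/, `${host}__$1=`);
}

function cookiesForUpstream(jar, upstreamUrl) {
  const prefix = new URL(upstreamUrl).hostname + "__";
  return cookiesFor(jar, proxify(upstreamUrl))
    .filter((c) => c.startsWith(prefix))
    .map((c) => c.slice(prefix.length));
}

// Scenario: `setter` sets a session cookie, then the same browser visits
// `visitor`. Returns the Cookie values `visitor` would receive under each
// browsing mode: "direct", "naive-proxy" or "namespaced-proxy".
function cookiesSeenBy(mode, setter, visitor) {
  const jar = makeJar();
  const header = "SESSION=abc123; Path=/; HttpOnly"; // constructed sample
  if (mode === "direct") {
    storeCookie(jar, setter, header);
    return cookiesFor(jar, visitor);
  }
  if (mode === "naive-proxy") {
    storeCookie(jar, proxify(setter), header);
    return cookiesFor(jar, proxify(visitor));
  }
  storeCookie(jar, proxify(setter), namespaceSetCookie(setter, header));
  return cookiesForUpstream(jar, visitor);
}

const VIDEO = "https://video.example/watch?v=1"; // hypothetical hosts
const OTHER = "https://other.example/";

console.log("direct          :", cookiesSeenBy("direct", VIDEO, OTHER));
console.log("naive proxy     :", cookiesSeenBy("naive-proxy", VIDEO, OTHER));
console.log("namespaced proxy:", cookiesSeenBy("namespaced-proxy", VIDEO, OTHER));
```

Run it with `node` and the middle line shows the leak: in the naive-proxy mode `other.example` receives `SESSION=abc123`, which it never sees when browsing directly. The namespaced variant only restores the boundary for cookies; it does nothing about problems #4 and #5, because both proxied pages still share one origin for script and DOM access.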
So yeah, please don’t use CGI proxies unless you really know what you’re doing. They very rarely increase your security; most of the time they actually decrease it. And yes, this applies to the dozen or so other sites the same company runs and the hundreds of others you find mentioned on digg.com and the like. Avoid them, unless you simply don’t care about any of these risks.
View full post on ha.ckers.org web application security lab
15 Comments
What about something like UltraSurf? Does it suffer from the same or similar problems?
@woohoo – It’s a binary, so it won’t have exactly the same issues, probably, but I’m not too excited about downloading and running a random binary off the Internet either.
I love UltraSurf! Super fast.
Tis true. Unfortunately it is the only reason I am currently able to read this site
I’d try tor (which I have audited for security issues, as well as people far better than I) but the speed issue is a big problem.
I’m more concerned about bypassing censorship than I am in remaining anonymous (at this moment in time).
Can you recommend anything better?
I’d probably try to treat it the same as an open wireless hotspot. Sure, you can browse through it and maintain some anonymity, but you really shouldn’t log into anything at all or go anyplace that indicates who you are or use a browser you’ve used for sure purposes. Basically, browse the web as anonymous and you should be fine. Avoiding censorship should also be ok, within reason (of a subpoena or crazy-rigid government eavesdropping).
Then you’re hopefully only needing to worry about #10, which is true with open wireless anyway.
If you want *REAL* anonymity, use Tor and Torbutton (the details are explained on the website).
Torbutton – a Firefox addon – will disable Flash, JS and similar features to decrease the probability of being decloaked
If you just want to send a request originating from a foreign IP, use a proxy like hidemyass.com – but as RSnake said: you gotta know what you’re doing
also
#11 – the standard nph-proxy.cgi script by jmarshall contains a cross-site scripting bug
In general (I think) I know what I’m doing.
I’m looking for people who know more than me however to confirm or deny what I think I know
I have foxyproxy set up with tor as an option – but the speed is the biggest issue when I’m not concerned with anonymity.
PS @Rsnake and LonerVamp – thanks
Surely the man in the middle risk is even higher with TOR than cgi proxies, as anyone can be a TOR exit node. Although I guess that by running TOR through a https cgi proxy you could eliminate the TOR exit node eavesdropping risk. Either way it comes down to trust.
Regarding TOR, the man in the middle risk is at least as high as with a cgi proxy because anybody can become a TOR exit node. Also, I think your ISP can see everything, and they probably mark TOR traffic as suspicious.
At least HTTPS cgi proxies stop your ISP from seeing what you’re doing… right?
@woohoo – So you are trying to bypass censorship? Have you looked into forwarding traffic through an SSH tunnel? I believe you can forward your DNS traffic as well. The only problem is finding an SSH service with no bandwidth limits.
SSH would be good for forwarding a port or two, but a VPN would be better for all the connections from your computer.
Or if you have a friend or family in another country you could look into the Psiphon program.
hxxp://en.wikipedia.org/wiki/Psiphon
@Thursday – If your ISP sees all your traffic then SSL becomes vulnerable to man in the middle attacks. Running TOR through an SSL proxy would not improve any of your security. Yes the TOR end node sees all the traffic, but now your SSL proxy is the end node.
@ChosenOne – There is no such thing as “real” anonymity on the internet; only varying degrees of obfuscation. Also I believe RSnake just pointed out that hidemyass and such services are actually very bad for security. So even using them through TOR is a bad idea…
Hey Webappsec, what’s up?
Thanks for the post and explaining new ways of using the CSS trick.
I don’t use or suggest the use of any kind of proxy. Hidemyass.com and Kproxy.com were the first web proxies that came to my mind to test the CSS hack; there is nothing special about them.
The only reason I commented on that post was how simple it was to detect a lot of proxies, without any configuration, using CSS. There are a lot of ways to detect a proxy connection, but none come close to this simplicity and efficiency.
So, once again, nice job. And if you could write something about using traceroutes to detect proxies it would be a blast.
Take care.
The issue in #1 appears to be the same one described here:
http://www.kb.cert.org/vuls/id/261869
In general, I don’t really even trust my ISP, nevermind hotspots or proxies. Highly considering a 4G/WiMax solution.
I thought I’d share this proxy site I found, because its hilarious for many reasons:
http://learninginvestment.com/a/
I found this in my web logging software for someone who visited a site (through Facebook). At first I didn’t understand how this site linked to me, but then I noticed the field and go button, and at the bottom saw the credits for the proxy. In good news, if they took out the credits for the proxy, this might be very good to use in a situation where you don’t want people to know you are using a proxy (China maybe?), but I am sure people still click on the ads and there are at least 4 pop-ups when you go to a URL, mangled output, and the first time I visited it wanted me to download a random PDF (0-day attack maybe, but I didn’t even bother checking).
So what is the price to pay for pseudo privacy? I feel like most people who are serious about security probably use tor or something, and the people using this technology are kids at school or office workers, which means exploits and viruses most likely spread. And to think, if they just trusted their users, then they would only be clicking on the most obvious of malicious content.