How can hackers bypass proxy servers?

Organizations often have their internal users connect to the Internet through a proxy server. These proxies provide centralized control points for filtering and analysis, potentially even blocking employees from surfing to inappropriate Web sites. As a performance bump, these proxies typically offer caching support as well. So, how do users bypass proxy servers? There are several approaches.

First, a surprising number of corporate networks with outbound proxies allow HTTP and HTTPS to be sent in two ways: either through the proxy itself, or formulated raw from the desktop, avoiding the proxy. Some of these organizations allow this proxy/non-proxy access because of the preponderance of applications -- often Java applets -- that speak HTTP but are not proxy-aware. To avoid this problem, I prefer to deploy transparent proxies in a network, rather than allow non-proxied Internet access that supports certain applications.

Even with organizations that completely block non-proxied HTTP and HTTPS access, an attacker can still bypass the proxy in a number of ways. To access forbidden sites, an attacker may encode his or her URLs in a variety of different formats, such as the hexadecimal representation of the American Standard Code for Information Interchange (ASCII), rather than the "normal" view. Thus, the Web site www.forbiddenstufftoavoid.com becomes %77%77%77%2e%66%6f%72%62%69%64%64%65%6e%73%74%75%66%66%74%6f%61%76%6f%69%64%2e%63%6f%6d. An attacker could also try to use an IP address instead of a domain name, or use Unicode instead of the "hex" representation. There are hundreds of different obscuring routines, and some of them work against various proxies.

To evade the filtering, an attacker can also try a different protocol altogether. One option here is to retrieve Web pages via email, a service offered at several locations on the Internet, such as the free web2mail.com. A subscriber can email a URL to the service, and its mail server then fetches the page and emails it back so the subscriber can view it in an HTML-enabled email reader; most email readers, in fact, are HTML-enabled.

Attackers can also access blocked content by surfing through an organization's outbound proxy to then go to another proxy, through which one can surf. The first proxy only sees the connection to the second one, and the second one doesn't enable any restrictions. There are thousands of these types of proxies available on the Internet today.

While those are just a few of the most popular methods for bypassing filtering proxies, what if an attacker's goal isn't to dodge filtering proxies, but instead to steal outbound data using HTTP and/or HTTPS? The attacker, for example, might have some spyware running inside an organization, and a Web site running on the outside, hoping to somehow spew internal data to the external server. The only obstacle is a pesky little proxy. In this scenario, where the attacker controls the client and the server, the attacker can simply try another TCP port, or use a variety of tools that try to tunnel data through the proxy.

Another use of proxy servers involves inbound access, the so-called "reverse proxy" deployment. This architecture offers protective filtering, analysis and authentication capabilities for a Web server. To bypass these proxies, attackers can rely on non-standard ports or tunneling tricks, or they can attack the proxy server itself.

Historically, some proxy technologies have suffered from configuration errors or buffer-overflow conditions. By exploiting these flaws, an attacker might be able to take over the proxy device itself, and then reconfigure it so that he or she can get unfettered access to a protected server.

More information: