How can hackers bypass proxy servers?

BROWSE BY TAG Network Intrusion Detection and Analysis,   Enterprise Network Security,   Monitoring Network Traffic and Network Forensics,   Expert Archive: Information Security Threats,   Application and Platform Security,   Web Security Tools and Best Practices,   Web Server Threats and Countermeasures,   Web Application and Web 2.0 Threats,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Monitoring Network Traffic and Network Forensics Botnet masters turn to Google, social networks to avoid detection Preventing SQL injection attacks: A network admin's perspective Breach prevention: How to keep track of data and applications Researchers find thousands of flawed embedded devices Network traffic collection, analysis helps prevent data breaches Lifecycle of a network security vulnerability Port scan attack prevention best practices How to prevent network sniffing and eavesdropping DoD urges less network anonymity, more PKI use Chained Exploits: How to prevent phishing attacks from corporate spies Expert Archive: Information Security Threats The telltale signs of a network attack Will Google Chrome enhance overall browser security? Are there antivirus suites that pick up more than just run-of-the-mill viruses? What tools can a hacker use to crack a laptop password? Are social networking sites an easy target for malicious hackers? What are the dangers of cross-site request forgery attacks (CSRF)? Should social engineering tests be included in penetration testing? What kind of data is compromised during a Google hack? Best practices for using restriction policy whitelists Defining mobile device security concerns Web Server Threats and Countermeasures Increase in Gumblar backdoors poses FTP credential problems VeriSign extends DDoS attack protection service Microsoft issues IIS FTP advisory, exploit code circulates Panda reports fast-spreading rogueware antivirus fraud rakes in millions Oracle issues quarterly patches, fixes database flaws Latest DDoS attacks extremely unsophisticated, experts say Stolen FTP credentials likely in massive website attacks Microsoft warns of IIS zero-day vulnerability How to find and stop automated SQL injection attacks How to spot attacks through Apache Web server log analysis

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bridge  (SearchSecurity.com) computer forensics  (SearchSecurity.com) Einstein  (SearchSecurity.com) footprinting  (SearchSecurity.com) information signature  (SearchSecurity.com) inverse mapping  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) network forensics  (SearchSecurity.com) promiscuous mode  (SearchSecurity.com) snoop server  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

The phrase "bypass proxy servers" can mean several things, depending on how the proxy server is used, so let's look at a couple of proxy-deployment architectures and their associated bypass methods. To keep this answer to a manageable size, I'm going to focus on HTTP and HTTPS proxies. But keep in mind that the ideas below apply to other protocols as well.

Organizations often have their internal users connect to the Internet through a proxy server. These proxies provide centralized control points for filtering and analysis, potentially even blocking employees from surfing to inappropriate Web sites. As a performance bump, these proxies typically offer caching support as well. So, how do users bypass proxy servers? There are several approaches.

First, a surprising number of corporate networks with outbound proxies allow HTTP and HTTPS to be sent in two ways: either through the proxy itself, or formulated raw from the desktop, avoiding the proxy. Some of these organizations allow this proxy/non-proxy access because of the preponderance of applications -- often Java applets -- that speak HTTP but are not proxy-aware. To avoid this problem, I prefer to deploy transparent proxies in a network, rather than allow non-proxied Internet access that supports certain applications.

Even with organizations that completely block non-proxied HTTP and HTTPS access, an attacker can still bypass the proxy in a number of ways. To access forbidden sites, an attacker may encode his or her URLs in a variety of different formats, such as the hexadecimal representation of the American Standard Code for Information Interchange (ASCII), rather than the "normal" view. Thus, the Web site www.forbiddenstufftoavoid.com becomes %77%77%77%2e%66%6f%72%62%69%64%64%65%6e%73%74%75%66%66%74%6f%61%76%6f%69%64%2e%63%6f%6d. An attacker could also try to use an IP address instead of a domain name, or use Unicode instead of the "hex" representation. There are hundreds of different obscuring routines, and some of them work against various proxies.

To evade the filtering, an attacker can also try a different protocol altogether. One option here is to retrieve Web pages via email, a service offered at several locations on the Internet, such as the free web2mail.com. A subscriber can email a URL to the service, and its mail server then fetches the page and emails it back so the subscriber can view it in an HTML-enabled email reader; most email readers, in fact, are HTML-enabled.

Attackers can also access blocked content by surfing through an organization's outbound proxy to then go to another proxy, through which one can surf. The first proxy only sees the connection to the second one, and the second one doesn't enable any restrictions. There are thousands of these types of proxies available on the Internet today.

While those are just a few of the most popular methods for bypassing filtering proxies, what if an attacker's goal isn't to dodge filtering proxies, but instead to steal outbound data using HTTP and/or HTTPS? The attacker, for example, might have some spyware running inside an organization, and a Web site running on the outside, hoping to somehow spew internal data to the external server. The only obstacle is a pesky little proxy. In this scenario, where the attacker controls the client and the server, the attacker can simply try another TCP port, or use a variety of tools that try to tunnel data through the proxy.

Another use of proxy servers involves inbound access, the so-called "reverse proxy" deployment. This architecture offers protective filtering, analysis and authentication capabilities for a Web server. To bypass these proxies, attackers can rely on non-standard ports or tunneling tricks, or they can attack the proxy server itself.

Historically, some proxy technologies have suffered from configuration errors or buffer-overflow conditions. By exploiting these flaws, an attacker might be able to take over the proxy device itself, and then reconfigure it so that he or she can get unfettered access to a protected server.

More information: