Detect Proxy Usage in Firefox

I recently read about an interesting browser information leak on ha.ckers.org and decided to code up a proof-of-concept.

It allows a malicious website to detect whether the user is browsing through a proxy or not by using image tags. Proxies are often used by corporations, political dissidents, and privacy conscience Internet users because they can provide additional security or anonymous Internet browsing.

Here’s how the exploit works

Firefox uses square brackets [ ] to denote IPv6 addresses, but this notation also works to describe IPv4 addresses (I’m not sure exactly why).

So, if we embed an image with src="http://[74.207.246.197]/pic.jpg" into a page, Firefox automatically resolves [74.207.246.197] into the IP address 74.207.246.197.

However, if the user is browsing through a proxy, this automatic resolution doesn’t happen. Instead, Firefox asks the proxy to do a DNS lookup for the “domain” [74.207.246.197], which obviously fails since it’s not a valid domain name.

Most proxies don’t know how to handle the bracketed domain, so the DNS lookup fails. I’ve tested this on Tor (popular proxy for anonymous Internet browsing), PHP Proxy and CGI Proxy (the top two web-based proxies), and Proxify (popular commercial web proxy).

So, if the image fails to load, we know that the user is browsing through a proxy. Add some Javascript to detect when the image fails to load and you’ve got a working proxy detector.

View the demo. (Works in: Firefox 3, Safari 5)

This, of course, assumes that the user is not blocking cross-domain requests. Also, my implementation requires Javascript to be enabled, but that’s not a necessity.

Here’s the code I wrote

<script type="text/javascript" charset="utf-8">
    function setUsingProxy() {
        proxy = document.getElementById('proxy');
        proxy.style.display = 'block';
        no_proxy = document.getElementById('no_proxy');
        no_proxy.style.display = 'none';
    }
</script>

<div id="proxy" style="display:none;">
    You are accessing the Internet through a proxy (corporate proxy, VPN, or <a href="http://www.torproject.org/">Tor</a>).
</div>

<div id="no_proxy">
    You are accessing the Internet directly. No proxy.
</div>

<img src="http://[74.207.246.197]/organize.jpg" style="height:0;width:0;display:none;" onerror="setUsingProxy()">

This attack only affects Firefox and Safari, as far as I can tell.

Credit for the idea, as I mentioned above, goes to Ha.ckers – Quick Proxy Detection.

Update (8/25/2012)

Code is now available on Github.

(If you liked this, you might like How To Set Up Your Linode For Maximum Awesomeness.)

Discussion, links, and tweets RSS Feed Icon

Feross Aboukhadijeh Hey, thanks for reading! I'm Feross Aboukhadijeh, a programmer, designer, teacher, and mad scientist. I am currently building WebTorrent, a streaming BitTorrent client for the browser, powered by WebRTC. In my free time, I work on StudyNotes, a website to help students study better and get into college.

If you enjoyed this article, you should follow me on Twitter or sign up to get an email whenever I write something new:

Share this article with your friends:

comments powered by Disqus