I recently read about an interesting browser information leak on ha.ckers.org and decided to code up a proof-of-concept.

It allows a malicious website to detect whether the user is browsing through a proxy or not by using image tags. Proxies are often used by corporations, political dissidents, and privacy conscience Internet users because they can provide additional security or anonymous Internet browsing.

Here’s how the exploit works

Firefox uses square brackets [ ] to denote IPv6 addresses, but this notation also works to describe IPv4 addresses (I’m not sure exactly why).

So, if we embed an image with src="http://[74.207.246.197]/pic.jpg" into a page, Firefox automatically resolves [74.207.246.197] into the IP address 74.207.246.197.

However, if the user is browsing through a proxy, this automatic resolution doesn’t happen. Instead, Firefox asks the proxy to do a DNS lookup for the “domain” [74.207.246.197], which obviously fails since it’s not a valid domain name.

Most proxies don’t know how to handle the bracketed domain, so the DNS lookup fails. I’ve tested this on Tor (popular proxy for anonymous Internet browsing), PHP Proxy and CGI Proxy (the top two web-based proxies), and Proxify (popular commercial web proxy).

So, if the image fails to load, we know that the user is browsing through a proxy. Add some Javascript to detect when the image fails to load and you’ve got a working proxy detector.

View the demo. (Works in: Firefox 3, Safari 5)

This, of course, assumes that the user is not blocking cross-domain requests. Also, my implementation requires Javascript to be enabled, but that’s not a necessity.

Here’s the code I wrote

<script type="text/javascript" charset="utf-8">
    function setUsingProxy() {
        proxy = document.getElementById('proxy');
        proxy.style.display = 'block';
        no_proxy = document.getElementById('no_proxy');
        no_proxy.style.display = 'none';
    }
</script>

<div id="proxy" style="display:none;"> You are accessing the Internet through a proxy (corporate proxy, VPN, or <a href="http://www.torproject.org/">Tor</a>). </div>

<div id="no_proxy"> You are accessing the Internet directly. No proxy. </div>

<img src="http://[74.207.246.197]/organize.jpg" style="height:0;width:0;display:none;" onerror="setUsingProxy()">

This attack only affects Firefox and Safari, as far as I can tell.

Credit for the idea, as I mentioned above, goes to Ha.ckers - Quick Proxy Detection.

Update (8/25/2012)

Code is now available on Github.

(If you liked this, you might like How To Set Up Your Linode For Maximum Awesomeness.)

Thanks for reading! RSS Feed Icon

Feross Aboukhadijeh I'm Feross, an entrepreneur, programmer, open source maintainer, startup founder, and mad scientist.

I build web apps like BitMidi, a free MIDI database, and Play, a music video app, and Study Notes, a site to help students study better and get into college.

I also build WebTorrent, a torrent library for the web, WebTorrent Desktop, the best desktop torrent app, and Standard JS, a JavaScript linter.

I maintain 100+ packages on npm. All my code is freely accessible on my GitHub page. If you enjoy my work support me on Patreon like these amazing supporters.

If you enjoyed this post, you should follow me on Twitter.

Or, sign up to get an email whenever I write a post: