I recently read about an interesting browser information leak on ha.ckers.org and decided to code up a proof-of-concept.

It allows a malicious website to detect whether the user is browsing through a proxy or not by using image tags. Proxies are often used by corporations, political dissidents, and privacy conscience Internet users because they can provide additional security or anonymous Internet browsing.

Here’s how the exploit works

Firefox uses square brackets [ ] to denote IPv6 addresses, but this notation also works to describe IPv4 addresses (I’m not sure exactly why).

So, if we embed an image with src="http://[]/pic.jpg" into a page, Firefox automatically resolves [] into the IP address

However, if the user is browsing through a proxy, this automatic resolution doesn’t happen. Instead, Firefox asks the proxy to do a DNS lookup for the “domain” [], which obviously fails since it’s not a valid domain name.

Most proxies don’t know how to handle the bracketed domain, so the DNS lookup fails. I’ve tested this on Tor (popular proxy for anonymous Internet browsing), PHP Proxy and CGI Proxy (the top two web-based proxies), and Proxify (popular commercial web proxy).

So, if the image fails to load, we know that the user is browsing through a proxy. Add some Javascript to detect when the image fails to load and you’ve got a working proxy detector.

View the demo. (Works in: Firefox 3, Safari 5)

This, of course, assumes that the user is not blocking cross-domain requests. Also, my implementation requires Javascript to be enabled, but that’s not a necessity.

Here’s the code I wrote

<script type="text/javascript" charset="utf-8">
    function setUsingProxy() {
        proxy = document.getElementById('proxy');
        proxy.style.display = 'block';
        no_proxy = document.getElementById('no_proxy');
        no_proxy.style.display = 'none';

<div id="proxy" style="display:none;"> You are accessing the Internet through a proxy (corporate proxy, VPN, or <a href="http://www.torproject.org/">Tor</a>). </div>

<div id="no_proxy"> You are accessing the Internet directly. No proxy. </div>

<img src="http://[]/organize.jpg" style="height:0;width:0;display:none;" onerror="setUsingProxy()">

This attack only affects Firefox and Safari, as far as I can tell.

Credit for the idea, as I mentioned above, goes to Ha.ckers - Quick Proxy Detection.

Update (8/25/2012)

Code is now available on Github.

(If you liked this, you might like How To Set Up Your Linode For Maximum Awesomeness.)

Thanks for reading! RSS Feed Icon

Feross Aboukhadijeh I'm Feross, a programmer, entrepreneur, open sorcerer, and mad scientist.

I build WebTorrent, a torrent library for the web, WebTorrent Desktop, the best desktop torrent app, and Standard, a JavaScript linter. In my free time, I build Play, a music video app and NodeFoo, a Node.js documentation site.

I also maintain 100+ packages on npm. All my code is freely accessible on my GitHub page. If you like my work, support me on Patreon. Thanks to all my awesome supporters!

Lastly, I run Study Notes, a site to help students study better and get into college, and have done that since I was in high school myself.

If you enjoyed this article, you should follow me on Twitter or sign up to get an email whenever I write something new:

Share this article with your friends: