PHP Proxy Detection
Posted by: unsticky
Date: November 20, 2006 03:37PM

I didn't really know where this belonged, but meh. If it needs to be somewhere else, please move it... Can't have your great-grandma porn in with your grandma porn, ya' know? Kay, anyways, I've found that you can detect if a visitor is using PHProxy pretty reliably. I was playing around with a copy of it, making some changes, and I checked what sort of headers it was sending out, using my version of rsnake's log.cgi, newbert.org. Everything was pretty much normal except the HTTP_HOST header, which had a port, i.e. HTTP_HOST=newbert.org:80. This was strange since it's usually assumed the HTTP port will be 80, so I checked the source code. Sure enough, the proxy is set up to always send out the HTTP_HOST header as SERVER:PORT. Since I doubt that's a very common thing to do, one might be able to use this as additional proxy detection.

Re: PHP Proxy Detection
Posted by: jungsonn
Date: November 20, 2006 04:12PM

Yes it is, it runs from port 80 'cause it's a script that is being run from a server. I'll go download me a copy to see what it does.

Re: PHP Proxy Detection
Posted by: rsnake
Date: November 20, 2006 04:35PM

unsticky, that's exactly right. I've seen weird anomalies like this before. It's very easy to detect if you know what you're looking at. But often times you have to be careful because two or more things can have the same signature and mean something completely different. I use a set of heuristics for most of my detection, but you're on the right track.

- RSnake
Gotta love it. http://ha.ckers.org
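
The check unsticky describes, written out as an added example (not code from the thread, from log.cgi or from PHProxy): it flags a Host header that spells out the port the scheme already implies and, following rsnake's caveat, reports it as one signal to weigh rather than a verdict. The record layout, function names and sample requests are constructed for illustration.

```python
import re

DEFAULT_PORTS = {"http": 80, "https": 443}
# host or [IPv6 literal], optionally followed by :port
HOST_RE = re.compile(r"(\[[0-9A-Fa-f:.]+\]|[^:\[\]]*)(?::(\d{1,5}))?")

def split_host_port(host_header):
    """Return (host, port) from a Host header value; port is None if absent."""
    m = HOST_RE.fullmatch((host_header or "").strip())
    if not m:
        return None, None  # malformed value: no signal either way
    return m.group(1).lower(), int(m.group(2)) if m.group(2) else None

def explicit_default_port(host_header, scheme="http"):
    """True when the Host header names the port the scheme already implies."""
    host, port = split_host_port(host_header)
    return bool(host) and port is not None and port == DEFAULT_PORTS.get(scheme)

def signals(env, scheme="http"):
    """List the anomalies seen in one request's CGI-style environment.
    A hit is a hint to weigh with other heuristics, not proof of a proxy."""
    found = []
    if explicit_default_port(env.get("HTTP_HOST"), scheme):
        found.append("host-explicit-default-port")
    return found

# Constructed sample requests (hypothetical layout, documentation IP ranges).
SAMPLE = [
    {"REMOTE_ADDR": "192.0.2.10", "HTTP_HOST": "newbert.org"},
    {"REMOTE_ADDR": "192.0.2.11", "HTTP_HOST": "newbert.org:80"},
    {"REMOTE_ADDR": "192.0.2.12", "HTTP_HOST": "NEWBERT.ORG:8080"},
    {"REMOTE_ADDR": "192.0.2.13", "HTTP_HOST": "[2001:db8::1]:80"},
    {"REMOTE_ADDR": "192.0.2.14"},  # HTTP/1.0-style request, no Host header
]

def flagged(records, scheme="http"):
    """Return the client addresses whose request raised at least one signal."""
    return [r["REMOTE_ADDR"] for r in records if signals(r, scheme)]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["REMOTE_ADDR"], rec.get("HTTP_HOST"), signals(rec))
```

A port other than the scheme default (such as 8080) has to appear in the Host header, so it is not counted; only the redundant `:80` on HTTP or `:443` on HTTPS raises the signal.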
