diff options
| author | Root THC | 2026-02-24 12:42:47 +0000 |
|---|---|---|
| committer | Root THC | 2026-02-24 12:42:47 +0000 |
| commit | c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch) | |
| tree | aefc355416b561111819de159ccbd86c3004cf88 /informationals/teso-i0009.txt | |
| parent | 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff) | |
initial
Diffstat (limited to 'informationals/teso-i0009.txt')
| -rw-r--r-- | informationals/teso-i0009.txt | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/informationals/teso-i0009.txt b/informationals/teso-i0009.txt new file mode 100644 index 0000000..ec4378d --- /dev/null +++ b/informationals/teso-i0009.txt | |||
| @@ -0,0 +1,65 @@ | |||
| 1 | 0009 2000/01/26 HTTP proxy forwarding | ||
| 2 | |||
| 3 | ==== TESO Informational ======================================================= | ||
| 4 | This piece of information is to be kept confidential. | ||
| 5 | =============================================================================== | ||
| 6 | |||
| 7 | Description ..........: HTTP proxy forwarding | ||
| 8 | Date .................: 2000/01/26 12:15 | ||
| 9 | Author ...............: scut | ||
| 10 | Publicity level ......: public and widely known for a long time | ||
| 11 | Affected .............: HTTP proxy servers | ||
| 12 | Type of entity .......: misconfiguration | ||
| 13 | Type of discovery ....: useful information | ||
| 14 | Severity/Importance ..: low | ||
| 15 | Found by .............: ? | ||
| 16 | |||
| 17 | Information =================================================================== | ||
| 18 | |||
| 19 | HTTP proxy servers such as Squid offer multiple methods of request forwarding. | ||
| 20 | The basic HTTP protocol defines three main types, that are called GET, POST and | ||
| 21 | CONNECT. The GET type is the one your browser uses if you just want to retrieve | ||
| 22 | a file from a remote HTTP server. The POST type is used for longer form data, | ||
| 23 | while the CONNECT type is usually used to access HTTPS servers through HTTP | ||
| 24 | proxy servers. While there are still lots of open HTTP proxy servers out there | ||
| 25 | (several thousands I've found so far) that do allow the GET request to be used, | ||
| 26 | only a few hundreds allow the POST and CONNECT requests. | ||
| 27 | |||
| 28 | The CONNECT request allows TCP connection forwarding nearly all of the times, | ||
| 29 | just try: | ||
| 30 | |||
| 31 | ------- | ||
| 32 | xolon:~$ telnet <some-old-squid-server> 3128 | ||
| 33 | Trying xxx... | ||
| 34 | Connected to xxx. | ||
| 35 | Escape character is '^]'. | ||
| 36 | CONNECT ip-removed:21 HTTP/1.0 | ||
| 37 | |||
| 38 | HTTP/1.0 200 Connection established | ||
| 39 | |||
| 40 | 220 xxx FTP server (Version wu-2.5.0(1) Sat Sep 11 01:19:26 CEST 1999) ready. | ||
| 41 | ------- | ||
| 42 | |||
| 43 | Where "CONNECT <ip>:<port> HTTP/1.0" is followed by two carriage return | ||
| 44 | characters. If the CONNECT method works, it is usually very reliable, but the | ||
| 45 | connection is limited to two hours usually, then it gets removed by the proxy | ||
| 46 | server. The POST method is a bit more complicated, since it sometimes not | ||
| 47 | offer a real TCP connection forward, but just a buffered single-direction | ||
| 48 | forwarder. But for other servers it sometimes behaves like a normal CONNECT | ||
| 49 | request, offering you a complete unbuffered TCP connection relay. The request | ||
| 50 | looks like: | ||
| 51 | |||
| 52 | POST http://<ip>:<port>/ HTTP/1.0<cr><cr> | ||
| 53 | |||
| 54 | The "numby" HTTP proxy scanner can check for all three methods and can tell | ||
| 55 | whether a connection forward is reliable and one- or two-directional. | ||
| 56 | |||
| 57 | From scanning nearly 4000 proxy servers here are some statistics: | ||
| 58 | |||
| 59 | 3815 HTTP proxies scanned | ||
| 60 | 727 open GET servers | ||
| 61 | 114 open CONNECT servers | ||
| 62 | 21 open POST servers | ||
| 63 | |||
| 64 | =============================================================================== | ||
| 65 | |||