Webproxy anonymity weakness through dynamic javascript

Release date: 12/15/2008
Source: Cloakfish.com

Programs affected



Overview


Web proxies suffer from a weakness in their design that can leak the user's real IP address.
No web proxy can be trusted to protect one's identity.

Description


Web proxies are a common and frequently used anonymity service. A web proxy is based on a script (CGI, Perl, PHP, ...) running on a web server.
Most web proxies can be used free of charge; they are usually financed by presenting advertisements to the user.
A web proxy rewrites all links and resource references of the target website, replacing them with dynamically generated links that point back to the web proxy.
All data transfers are then routed through the web proxy, but enabled JavaScript, which is the default configuration in most browsers, opens several ways to obtain the real IP.

Ordinary JavaScript sources are rewritten like any other resource, but there are several ways to circumvent this protection.
Dynamically generated JavaScript can cause the real client to load a remote resource directly, bypassing the proxy.

Impact


Successful exploitation of this vulnerability reveals the real IP address of a user who trusts the service to protect their identity.

Solution


The weakness lies in the design concept; the only protection against this sort of vulnerability is to disable JavaScript, ActiveX and similar active-content features within the browser.
Fixing this single vulnerability within the proxy script is unlikely to solve the underlying design issue.
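To make the design limitation in the Description and Solution sections concrete, here is an added example (not code from the original advisory or from Cloakfish) of a minimal link rewriter of the kind a web-proxy script performs. The proxy endpoint, the hostnames and the sample page are constructed for this example. It shows that the rewriter catches every static src/href/action reference, that a URL assembled by script at run time never appears as a literal the rewriter could match, and that the only server-side counterpart of the advice above is to strip scripts entirely.

```python
import re
from urllib.parse import urljoin, quote

# Hypothetical proxy endpoint, used only for this example.
PROXY = "https://proxy.example/browse.cgi?url="

# Static references in markup: src="...", href="...", action="..."
ATTR_RE = re.compile(
    r'''(?P<attr>\b(?:src|href|action)\s*=\s*)(?P<q>["'])(?P<url>[^"']*)(?P=q)''',
    re.IGNORECASE,
)
# Whole <script>...</script> blocks
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
# Any complete absolute URL literal left in the page text
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def rewrite(html, base_url, strip_scripts=False):
    """Rewrite every static link/resource reference so it points back to the proxy.

    With strip_scripts=True all <script> blocks are removed first: the
    server-side equivalent of disabling JavaScript in the browser.
    """
    if strip_scripts:
        html = SCRIPT_RE.sub("", html)

    def to_proxy(m):
        absolute = urljoin(base_url, m.group("url"))
        return f"{m.group('attr')}{m.group('q')}{PROXY}{quote(absolute, safe='')}{m.group('q')}"

    return ATTR_RE.sub(to_proxy, html)


def unproxied_urls(html):
    """Absolute URL literals in the page that do not go through the proxy.

    A naive post-rewrite audit like this finds nothing for the dynamic case,
    because the target URL never exists as a literal in the page text.
    """
    return [u for u in URL_RE.findall(html) if not u.startswith(PROXY)]


# Constructed sample page: one static link, one static image, and a script
# whose target URL is only assembled at run time.
SAMPLE_PAGE = """<html><body>
<a href="/next.html">next</a>
<img src="http://cdn.example/logo.png">
<script>
  // No complete URL literal exists here for the rewriter to match.
  var i = new Image();
  i.src = ["http:", "", "tracker.example", "p.gif"].join("/");
</script>
</body></html>"""

# Constructed base URL of the page being proxied
BASE = "http://target.example/index.html"

if __name__ == "__main__":
    out = rewrite(SAMPLE_PAGE, BASE)
    print(out)
    print("unproxied literals before rewrite:", unproxied_urls(SAMPLE_PAGE))
    print("unproxied literals after rewrite: ", unproxied_urls(out))
    print("dynamic target still reachable:   ", "tracker.example" in out)
    stripped = rewrite(SAMPLE_PAGE, BASE, strip_scripts=True)
    print("after stripping scripts:          ", "tracker.example" in stripped)
```

Run as a script, the rewritten page shows both static references pointing at the proxy, the audit reporting no direct URL left, and the run-time-assembled target still present; only the strip_scripts mode removes it, which is why the advisory locates the fix in the browser rather than in the proxy script.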

Proof of Concept


Web-proxy analyzer: append &webproxy=1 to the URL to force web-proxy detection.