Difference between revisions of "Proxy server"

From ForensicsWiki
m (removed category: Encryption :))
m
Line 14: Line 14:
 
Proxy servers are often used for malicious purposes (such as fraud).
 
Proxy servers are often used for malicious purposes (such as fraud).
  
== HTTP proxies ==
+
=== HTTP proxies ===
  
 
''These proxy servers are using HTTP.''
 
''These proxy servers are using HTTP.''
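Review bot: the demotion of "HTTP proxies" from == to === nests it under whatever level-2 section precedes it, and the visible lines add no level-2 parent heading for the proxy types. If the intent is to group HTTP, HTTPS, SOCKS and web proxies together, add a parent heading above this line; otherwise these types become subsections of the preceding section.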
Line 52: Line 52:
 
The absoluteURI form is required when the request is being made to a proxy.
 
The absoluteURI form is required when the request is being made to a proxy.
 
</pre>
 
</pre>
 +
''Note:'' proxy server will convert absolute URI to relative URI.
  
== HTTPS proxies ==
+
=== HTTPS proxies ===
  
 
''The same as above, but using HTTPS (HTTP over SSL/TLS).''
 
''The same as above, but using HTTPS (HTTP over SSL/TLS).''
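Review bot: the added line "''Note:'' proxy server will convert absolute URI to relative URI." sits directly after the </pre> that closes the RFC 2068 quotation, so it can be read as part of what the RFC says, and it is missing its articles. Suggest wording it as "the proxy server converts the absolute URI to a relative URI", saying that this describes the request the proxy forwards, and citing a source for it.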
Line 65: Line 66:
 
</pre>
 
</pre>
  
== SOCKS proxies ==
+
=== SOCKS proxies ===
  
 
SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.
 
SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.
  
== Web proxies (CGI proxies) ==
+
=== Web proxies (CGI proxies) ===
  
 
These are web sites that allow a user to access a site through them. They generally use PHP or CGI to implement the proxy functionality.
 
These are web sites that allow a user to access a site through them. They generally use PHP or CGI to implement the proxy functionality.
  
 
== Proxy detection ==
 
== Proxy detection ==
 +
 +
=== Headers ===
 +
 +
* User-Agent and [[OS fingerprinting]]
 +
 +
* Other
 +
 +
=== TCP source ports ===
 +
 +
=== Active methods ===
  
 
[[Category:Anti-Forensics]]
 
[[Category:Anti-Forensics]]
 
[[Category:Network Forensics]]
 
[[Category:Network Forensics]]
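Review bot: the new subsections under == Proxy detection == are added empty: === TCP source ports === and === Active methods === have no body, and the "* Other" bullet under === Headers === names nothing. Add at least one sentence per heading saying what is examined, or leave the headings out until there is content.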

Revision as of 14:27, 15 October 2008


A proxy server is a server that services the requests of its clients by forwarding them to other servers.

Overview

Proxy servers are widely used by organizations and individuals for different purposes:

  • Internet sharing (like NAT);
  • Traffic compression;
  • Accelerating service requests by retrieving content from cache;
  • and many others.

Proxy servers are often used for malicious purposes (such as fraud).

HTTP proxies

These proxy servers use HTTP.

Example request (direct; with relative URI):

GET / HTTP/1.1
Host: cryptome.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
If-None-Match: "e01922-62e9-45937059ec2de"
Cache-Control: max-age=0

Example request (using proxy; with absolute URI):

GET http://cryptome.org/ HTTP/1.1
Host: cryptome.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
If-None-Match: "e01922-62e9-45937059ec2de"
Cache-Control: max-age=0

Note: this HTTP request was intercepted on its way to the proxy server.

According to RFC 2068 (section 5.1.2):

The absoluteURI form is required when the request is being made to a proxy.

Note: the proxy server will convert the absolute URI to a relative URI.

HTTPS proxies

The same as above, but using HTTPS (HTTP over SSL/TLS).

HTTP proxies that support the CONNECT method are sometimes called "HTTPS proxies". These HTTP proxies can tunnel almost every TCP-based protocol.

Example request:

CONNECT home.netscape.com:443 HTTP/1.0
User-agent: Mozilla/1.1N 
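
The request forms shown above can be told apart mechanically when examining captured traffic. The following Python sketch is an added example, not part of the original wiki page: it classifies a captured request head as direct or proxy-bound using the three indicators visible in the examples (absolute URI, Proxy-Connection header, CONNECT method). The function name `classify_request` and the shortened sample requests are assumptions made for illustration.

```python
# Added example: classify a captured HTTP request head as direct or proxy-bound.
from urllib.parse import urlsplit

def classify_request(raw: bytes) -> dict:
    """Return the request form and the proxy indicators found in one request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP request line: %r" % lines[0])
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    indicators = []
    if method.upper() == "CONNECT":
        form = "authority"   # host:port, asks the proxy for a TCP tunnel
        indicators.append("CONNECT method")
    elif urlsplit(target).scheme and urlsplit(target).netloc:
        form = "absolute"    # scheme://host/path, required towards a proxy
        indicators.append("absolute URI in request line")
    else:
        form = "relative"    # /path, the form sent directly to the origin server
    if "proxy-connection" in headers:
        indicators.append("Proxy-Connection header")
    return {"method": method, "target": target, "form": form,
            "indicators": indicators, "proxy_bound": bool(indicators)}

# Constructed samples, shortened from the requests shown on this page.
DIRECT = b"GET / HTTP/1.1\r\nHost: cryptome.org\r\nConnection: keep-alive\r\n\r\n"
VIA_PROXY = (b"GET http://cryptome.org/ HTTP/1.1\r\nHost: cryptome.org\r\n"
             b"Proxy-Connection: keep-alive\r\n\r\n")
TUNNEL = b"CONNECT home.netscape.com:443 HTTP/1.0\r\nUser-agent: Mozilla/1.1N\r\n\r\n"

if __name__ == "__main__":
    for sample in (DIRECT, VIA_PROXY, TUNNEL):
        print(classify_request(sample))
```

The absolute URI is visible only in captures taken between the client and the proxy, since the proxy converts it to a relative URI before forwarding the request.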

SOCKS proxies

SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.

Web proxies (CGI proxies)

These are web sites that allow a user to access a site through them. They generally use PHP or CGI to implement the proxy functionality.

Proxy detection

Headers

  • Other

TCP source ports

Active methods