ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Proxy server

From ForensicsWiki
Revision as of 20:27, 15 October 2008 by Simsong (Talk | contribs)

Jump to: navigation, search

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Proxy server is a server which services the requests of its clients by forwarding requests to other servers.

Overview

Proxy servers are widely used by organizations and individuals for different purposes:

  • Internet sharing (like NAT);
  • Traffic compression;
  • Accelerating service requests by retrieving content from cache;
  • and many others.

Proxy servers are commonly used by individuals who wish to violate network policies.

  • In China, proxy servers are commonly used by individuals to get around national connectivity policies. (User A can't reach website Z, but A can reach proxy server P which can reach website Z).
  • Criminals frequently use proxy servers to hide the origin of their connections (User A connects to website Z through proxy server P; the packets appear to come from P, and not A).

HTTP proxies

These proxy servers are using HTTP.

Example request (direct; with relative URI):

GET / HTTP/1.1
Host: cryptome.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
If-None-Match: "e01922-62e9-45937059ec2de"
Cache-Control: max-age=0

Example request (using proxy; with absolute URI):

GET http://cryptome.org/ HTTP/1.1
Host: cryptome.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
If-None-Match: "e01922-62e9-45937059ec2de"
Cache-Control: max-age=0

Note: this HTTP request was intercepted on the way to proxy server.

According to RFC 2068 (section 5.1.2):

The absoluteURI form is required when the request is being made to a proxy.

Note: proxy server will convert absolute URI to relative URI.

HTTPS proxies

The same as above, but using HTTPS (HTTP over SSL/TLS).

Sometimes HTTP proxies that support CONNECT method are called "HTTPS proxies". These HTTP proxies can tunnel almost every TCP-based protocol.

Example request:

CONNECT home.netscape.com:443 HTTP/1.0
User-agent: Mozilla/1.1N 

SOCKS proxies

SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.

Web proxies (CGI proxies)

These are web sites that allow a user to access a site through them. They generally use PHP or CGI to implement the proxy functionality.

Proxy detection

Headers

  • Other

TCP source ports

Active methods