Open HTTP proxies offer a quick and convenient solution for routing web traffic towards a destination. In contrast to more elaborate relaying systems, such as anonymity networks or VPN services, users can freely connect to an open HTTP proxy without the need to install any special software. Open HTTP proxies are therefore an attractive option for bypassing IP-based filtering, geo-location restrictions or in-company firewall filtering, circumventing content blocking and censorship and, in general, hiding the client’s IP address when accessing a web server. Nevertheless, the consequences of routing traffic through an untrusted third party can be severe, especially when such untrusted parties are used within SMEs, as they can pose serious threats not only to individual users but also to the cybersecurity of the enterprise.

Rogue web proxy operators can monetize their traffic by altering the relayed content to inject ads and affiliate links, prompt users to download spyware and other unwanted software, or mount phishing attacks. Even more deviously, instead of placing additional ads that may annoy users, miscreants can replace existing ads in the page with their own ads. This can be as simple as replacing a website’s ad network identifier with the attacker’s own affiliate identifier, essentially stealing the revenue of the original website (i.e., publisher).

The proliferation and widespread use of open web proxies necessitate an approach to detect, understand and measure the extent of content modification by such rogue proxies.

To understand and measure the extent of content modification by rogue HTTP proxies, researchers have designed a methodology for detecting and analyzing content alteration and code injection attempts. Specifically, they built a framework that regularly collected publicly available HTTP proxies from several “proxy list” websites and tested them on a daily basis using a novel technique based on decoy websites (dubbed honeysites) under the researchers’ control. The team also built a content modification detection approach that operated at the level of a page’s DOM (Document Object Model) tree, for detecting even slight object modifications, and a clustering technique for grouping together similar cases of content modification.
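The following is an added example, not the researchers' framework: a simplified sketch of DOM-level comparison between a honeysite page as served and the copy received through a proxy. The class and function names, the sample pages and their URLs are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser

# Void elements never get a closing tag, so they are not pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class DomFlattener(HTMLParser):
    """Flatten a page into (path, tag, attributes) records, one per DOM node."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack, self.nodes = [], []

    def handle_starttag(self, tag, attrs):
        path = "/".join(self.stack + [tag])
        self.nodes.append((path, tag, tuple(sorted((k, v or "") for k, v in attrs))))
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:
            # Pop up to and including the matching open tag.
            while self.stack.pop() != tag:
                pass

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:  # inline script bodies and visible text count as nodes too
            self.nodes.append(("/".join(self.stack), "#text", (("value", text),)))

def flatten(html):
    parser = DomFlattener()
    parser.feed(html)
    parser.close()
    return Counter(parser.nodes)

def diff_dom(original, proxied):
    """Return nodes present only in the proxied copy and only in the original."""
    a, b = flatten(original), flatten(proxied)
    return {"injected": sorted((b - a).elements()),
            "removed": sorted((a - b).elements())}

# Constructed sample: the page as served, and the same page as seen via a proxy
# that swapped the ad publisher identifier and appended a tracking script.
HONEYSITE = ('<html><head><title>Honeysite</title></head><body><h1>Decoy</h1>'
             '<script src="https://ads.example/show.js" data-pub="pub-1111"></script>'
             '</body></html>')
VIA_PROXY = ('<html><head><title>Honeysite</title></head><body><h1>Decoy</h1>'
             '<script src="https://ads.example/show.js" data-pub="pub-9999"></script>'
             '<script src="http://tracker.example/fp.js"></script></body></html>')
```

Calling `diff_dom(HONEYSITE, VIA_PROXY)` reports the rewritten ad tag as one removed and one injected node, plus the extra script as a second injected node; an unmodified relay yields two empty lists.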

The results suggest that 5.15% of the tested proxies perform some form of modification that can be clearly considered malicious. The observed modifications included the injection of extra (or the modification of existing) ads, the inclusion of tracking and fingerprinting libraries, and the collection of data from social networking services on which the user is already authenticated. Besides that, the researchers also discovered more severe and sophisticated instances of malicious behaviour such as SSL (Secure Sockets Layer) stripping. Specifically, 47% of the malicious proxies injected ads, 39% injected code for collecting user information that can be used for tracking and fingerprinting, and 12% attempted to redirect the user to pages that contain malware.

The use of malicious proxies within the IT/OT network of an SME can result in the compromise of key assets of the SME, failure of part or all of the infrastructure, denial-of-service attacks, user tracking and even enterprise espionage. As a step towards protecting users and SMEs against unwanted content modification, the researchers built a service that leverages the proposed methodology to collect and probe public proxies automatically and generates, on a daily basis, a list of safe proxies that do not perform any content modification. Apart from using the whitelisting service provided by the authors, and because new security threats, both internal and external, arise every day, all SMEs must strengthen their day-to-day operation with continuous security training for all employees and use a variety of IT security tools tailored to their specific needs.

Manos Athanatos, based on "A Large-scale Analysis of Content Modification by Open HTTP Proxies."
Foundation for Research and Technology - Hellas

More information: A Large-scale Analysis of Content Modification by Open HTTP Proxies