
Is it possible to write a script that can detect use of proxy (Fiddler, Charles)

Discussion in 'General Scripting Chat' started by xenodk, Oct 10, 2012.

  1. xenodk

    xenodk Newbie

    Joined:
    Sep 29, 2012
    Messages:
    1
    Likes Received:
    0
    Anyone know if it's possible to detect the use of a web debugger like Fiddler or Charles? They use a proxy server to monitor the traffic. I am willing to pay for a working solution. It's for a redirect and cloaking setup.

    Regards

    Xenodk
     
  2. sockpuppet

    sockpuppet Junior Member

    Joined:
    Nov 7, 2011
    Messages:
    155
    Likes Received:
    145
    You mean JavaScript that runs on your website or some server-side script?
    Impossible.
     
  3. CodingAndStuff

    CodingAndStuff Regular Member

    Joined:
    May 6, 2012
    Messages:
    236
    Likes Received:
    84
    Occupation:
    Swagstronaut
    Location:
    You can't have my bots. Sorry :'(
    The only thing I can think of to detect a MITM is checking latency times. You could set the timeout on Apache to something ridiculously low if you're concerned with data being manipulated. I'd like to read what others have to say on the subject, though.
     
  4. SonicSam

    SonicSam Registered Member

    Joined:
    Aug 21, 2012
    Messages:
    57
    Likes Received:
    5
    Location:
    X
    Depending on which type of proxy the user is using, it could be sending headers like X-Forwarded-For (http://en.wikipedia.org/wiki/X-Forwarded-For).

    That you could then work with... however, beyond that I can't think of a way to detect a proxy without the proxy announcing it is a proxy.
     
  5. necro

    necro Regular Member

    Joined:
    Dec 23, 2010
    Messages:
    292
    Likes Received:
    189
    ^This

    Also keep in mind that JavaScript is run client-side.

    Now if you check the IP with JavaScript and take the IP server-side with the JavaScript IP, you should get the same IP, else they are proxying.
     
  6. cgimaster

    cgimaster Power Member

    Joined:
    Jun 30, 2012
    Messages:
    525
    Likes Received:
    311
    Gender:
    Male
    You can't get the client IP from the client side using JavaScript ;P so that would not work. The best he could do is call back a script, but if the browser or whatever he is using to render the page is using a proxy, that won't work.
     
  7. necro

    necro Regular Member

    Joined:
    Dec 23, 2010
    Messages:
    292
    Likes Received:
    189
    I didn't test that right now, but you might want to take something like that; also consider that JavaScript goes over your sock.

    Most proxies are HTTP proxies.

    No, it doesn't work like that; it doesn't function with JavaScript, but PHP offers that:

    $_SERVER['HTTP_X_FORWARDED_FOR']
     
    Last edited: Oct 11, 2012
  8. cgimaster

    cgimaster Power Member

    Joined:
    Jun 30, 2012
    Messages:
    525
    Likes Received:
    311
    Gender:
    Male
    That is what I meant by using a callback :). Basically the callback is JavaScript > PHP > JavaScript; however, if the browser or whatever is being used to render the data is also behind the proxy, it won't work unless the proxy is visible as mentioned previously; otherwise it will not appear in "HTTP_X_FORWARDED_FOR" either.
     
  9. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,468
    Likes Received:
    10,148
    Usually when one uses Charles and Fiddler, one does it on the local machine. So, no latency trick and no header detection will work there (they don't add any by default as far as I remember).
     
  10. CodingAndStuff

    CodingAndStuff Regular Member

    Joined:
    May 6, 2012
    Messages:
    236
    Likes Received:
    84
    Occupation:
    Swagstronaut
    Location:
    You can't have my bots. Sorry :'(
    Yeah, that's what I was thinking after I made my initial post. The people who were suggesting he use a JavaScript callback were probably as right as you can be for a question of this nature. That's assuming Burp Suite/Charles/Fiddler don't have a JavaScript engine (to be honest I rarely use Charles/Fiddler, so I'm not sure). As with all web languages, you've got limitations, though, like if someone isn't running JavaScript on their browser, or their phone doesn't have it. Yay for nothing being easy!
     
  11. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,468
    Likes Received:
    10,148
    The JavaScript call will pass through the proxy anyway. They don't need to implement any JS engine; they work one level below.

    Browser -> JS code execution -> XHR call -> browser's proxy -> server.
     
  12. CodingAndStuff

    CodingAndStuff Regular Member

    Joined:
    May 6, 2012
    Messages:
    236
    Likes Received:
    84
    Occupation:
    Swagstronaut
    Location:
    You can't have my bots. Sorry :'(
    Oh god. I clearly wasn't thinking when I wrote that earlier (I had just woken up) lmao. Yeah, you're right.
     
  13. Gogol

    Gogol Elite Member

    Joined:
    Sep 10, 2010
    Messages:
    3,063
    Likes Received:
    2,872
    Gender:
    Male
    Just like what he said. X-Forwarded-For is the thing you need to look at. If that proxy doesn't send it, you simply can't detect it (elite proxies are examples of undetectable ones). Google it for more info.