A curated list of awesome things related to proxy piercing.
Proxy piercing refers to the set of techniques used to detect, identify, or bypass proxy servers that sit between a client and a destination server. It is commonly applied in fraud prevention, network security, and access control to determine whether a request originates directly from a user or is being relayed through an intermediary.
Techniques that can be used to pierce proxies.
- Latency Tests: Measure response times and packet hops; unusual delays or routes may suggest proxy rerouting.
- HTTP Headers: Inspect headers like
X-Forwarded-FororViafor original IP leaks from misconfigured proxies. - User-Agent Anomalies: Detect unusual or proxy-specific alterations in User-Agent strings within HTTP requests.
- Request Fingerprinting: Analyze HTTP request elements like headers and protocols for patterns matching known proxy services.
- Examples: hfinger
- Device Fingerprinting: Collect browser and device data; inconsistencies in time zones or configurations indicate proxy use.
- Examples: fingerprintjs
- TLS Fingerprinting: Analyze TLS handshake attributes (e.g., JA3/JA4 hashes); proxies that terminate and re-initiate TLS produce fingerprints distinct from standard browsers.
- Examples: ja3, ja4, fingerproxy
- HTTP Header Order Analysis: Compare the ordering of HTTP headers against known browser profiles; proxies often reorder, insert, or strip headers in detectable ways.
- Examples: fingerproxy
- HTTP Protocol Downgrade Detection: Check for unexpected protocol versions such as HTTP/1.1 when HTTP/2 or HTTP/3 was negotiated; proxies may downgrade the connection during relay.
- Proxy-Specific Headers: Look for headers like
Proxy-Connection,Proxy-Authorization,Forwarded, orX-Proxy-Idthat are exclusively introduced by proxy software. - Cache Header Artifacts: Detect proxy-injected caching headers such as
Age,X-Cache,X-Cache-Lookup, or alteredCache-Controldirectives that caching proxies commonly add. - Connection Behavior Analysis: Monitor
ConnectionandKeep-Aliveheader semantics; proxies often modify hop-by-hop headers or exhibit different connection reuse and timeout patterns. - Content-Encoding Mismatch: Compare the
Accept-Encodingrequest value against the actualContent-Encodingin the response; proxies may decompress and recompress content, altering the negotiated encoding. - TCP/IP Stack Fingerprinting: Correlate OS-level TCP attributes (TTL, window size, MSS, TCP options) with the claimed
User-Agent; a mismatch suggests an intermediary host is relaying the request.- Examples: p0f, zardaxt, huginn-net
- WebSocket Upgrade Behavior: Observe how the
Upgrade: websockethandshake is handled; many proxies fail to correctly relay or introduce latency and header modifications during the upgrade.