Nmap Development mailing list archives

Re: [PATCH] Added matching of body content to http-open-proxy for better detection


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Wed, 11 Mar 2009 03:45:54 +0200

Brandon Enright wrote:

Hey all, attached is a patch to Arturo's excellent http-open-proxy.nse
script to hopefully improve detection of open proxies that strip some
headers.

Currently the script sends a request to www.google.com through a
suspected HTTP proxy and checks to see if it gets Google's signature
"Server: gws" header back.

Unfortunately we have several open Squid Proxies on campus that strip
this header causing a false negative. The attached patch allows the
script to match Google's "I'm Feeling Lucky" button if the "Server:
gws" header isn't there.

I know this is an English-specific addition but I wasn't sure what else
could be matched on.  I suppose we could look at the "Set-Cookie:"
header for something that looks Googlish.

I'd appreciate comments and ideas on how to better detect open HTTP
proxies.

Brandon


As far as Google is concerned, the "I am Feeling Lucky" button is indeed 
a bit 'nation-unportable'. For example, whenever I hit www.google.com in 
my browser, I get immediately transferred to www.google.gr which has 
the corresponding translation of the "I am Feeling Lucky" button. What I have
noticed is that the http links inside the body of the page are stable
as far as the part before the domain suffix is concerned. We have 
images.google.com for English, and images.google.de for German, for example.
In this case images.google is always the same. It also happens with the rest
of the links: maps.google, news.google etc. 

--
ithilgore
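A sketch in Python (added here; not the http-open-proxy.nse code or either poster's patch) of the combined check this thread arrives at: Brandon's `Server: gws` header test first, then ithilgore's locale-independent fallback on the stable link prefixes (images.google, maps.google, news.google) when a proxy has stripped the header. The sample responses are constructed, not real captures.

```python
import re
from typing import Optional

# Locale-independent part of Google's own links, as observed in the thread:
# images.google.com / images.google.de / images.google.gr share the prefix.
STABLE_LINK_RE = re.compile(rb"https?://(images|maps|news)\.google\.", re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def looks_like_google(raw: bytes) -> Optional[str]:
    """Return why the proxied response looks like Google's, or None if it does not."""
    status, headers, body = parse_response(raw)
    if not status.startswith("HTTP/"):
        return None
    # Original check: Google's signature header, which some Squid setups strip.
    if headers.get("server", "").lower() == "gws":
        return "Server: gws header"
    # Fallback: stable link prefixes in the body. Requiring two distinct
    # prefixes (a choice made here) keeps a page that merely mentions one
    # Google link from counting as a hit.
    prefixes = {m.group(1).lower().decode() + ".google" for m in STABLE_LINK_RE.finditer(body)}
    if len(prefixes) >= 2:
        return "body links: " + ", ".join(sorted(prefixes))
    return None


# Constructed sample responses (not captured traffic).
RESP_GWS = (b"HTTP/1.0 200 OK\r\nServer: gws\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body>...</body></html>")
RESP_STRIPPED_GR = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
                    b'<a href="http://images.google.gr/imghp">...</a>'
                    b'<a href="http://maps.google.gr/maps">...</a>'
                    b'<input type="submit" value="' + "Είμαι τυχερός".encode() + b'">')
RESP_SQUID_DENIED = (b"HTTP/1.0 403 Forbidden\r\nServer: squid/2.7\r\n\r\n"
                     b"<html><body>Access Denied</body></html>")

if __name__ == "__main__":
    for name, resp in [("gws", RESP_GWS), ("stripped", RESP_STRIPPED_GR), ("denied", RESP_SQUID_DENIED)]:
        print(name, "->", looks_like_google(resp))
```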



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org