Wednesday, July 17, 2013

ISP access restriction bypass via web cache proxy

today i want to explain a vulnerbility that i discovered in some isp web cache proxy's in iran.
i presented this vulnerability in first sharif university cyber security awareness conference
 ( http://cert.sharif.edu)
by using this vulnerability when isp closes your acount , you can brows web pages again !


what is web cache proxy ?
A web cache is a mechanism for the temporary storage (caching) of web documents, such as HTML pages and images, to reduce bandwidth usage, server load, and perceived lag. A web cache stores copies of documents passing through it; subsequent requests may be satisfied from the cache if certain conditions are met

dns redirect page
When the ISP's DNS server receives a request for a name that is not recognized or is unavailable, the DNS server returns the IP address of a search page to the client. When the client is using a web browser, this will display a search page that contains possible suggestions on the proper address and a small explanation of the error. These search pages often contain advertising that is paid to the ISP.


but how this vulnerability works ?!
 in this case isp restrics our access  to all web servers except one ,  and what is this one ?!!
this server is the same web cache proxy ! we have access to the ip of web cache proxy but any http request can be executed over the ip of web cache proxy !


for example i want to see a web page ( like farsnews.com ) and now i must make an http request over the ip of web cache(dns redirect server ) that i have access to it :


and you can see the web page is loaded successfully !

i tested this vulnerbility in largest private ISP in Iran (parsonline.com) and recorded a demo that you can see here :

the vulnerability is now fixed on pars online but another isp may be affected !