If you see any requests in your web logs, IDS, and WAF that have full urls in the HTTP GET request, you may wonder, what on earth is that?
GET http://testp4.pospr.waw.pl/testproxy.php
Typically you're probably used to see GET requests that look like this GET /default.php where the GET request takes a single page, not an entire url. But in the example highlighted above, you see an entire url. Why you may ask? This is just an attacker probing the internet looking for open proxies, or basically looking for a server that will make a web request on behalf of them. Thus an attacker could spam or perform a denial of service or many other malicious activities, but the requests would be proxied through or passed through another device so that the victim doesn't know who it's coming from. In this above example, the attacker will get a response back from your server. If the response is something like a 404 (page not found) or 503 (internal server error) then the attacker ignores and moves on, but if in the response the attacker actually got your server to return the contents of the embedded '.pl' top domain url then he's found an open proxy and can start funnelling is evil requests through it.
As long as you're hosting a normal legit website and don't have open proxy features or software enabled on your server then these requests are harmless to you.
More about neonprimetime
Top Blogs of all-time
Top Github Contributions
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
No comments:
Post a Comment