[Full-disclosure] Evading URL Filtering(websense) software configured in Transparent (or Sniffing) mode, without using a remote proxy.
From: Sledge Hammer (sledge.hammer_at_sinhack.net)
To: <firstname.lastname@example.org> Date: Mon, 15 Aug 2005 18:29:55 -0400
The mechanism behind this tool has been known for a while, but we haven't
seen any published tool yet. So here you go.
Evading URL Filtering software configured in Transparent (or Sniffing) mode,
without using a remote proxy.
Last update: August 14 2005.
This tool has been coded in December 2002.
The vendor is informed:
We don't know about SurfControl, but Websense was informed in December
2002, when we found this. They also had a copy of this proxy script for over
Any environment not using a proxy (Check Point Firewall-1, Cisco Pix,
URL filtering software that doesn't reassemble HTTP requests before allowing
Websense in Sniffing mode
Websense with Check Point FW-1 in UFP (transparent non proxy)
Websense with Cisco Pix
SurfControl in transparent mode (not personally tested)
Maybe others, but this is what we have been able to try.
SurfControl SuperScout can be Bypassed Using Split Packets
Archived: 20/06/2001 by ndesai01 at tampabay.rr.com (I didn't know about it at
the time of my research...)
This is a proof of concept. If you do stupid things using this tool, it's
your fault. We are publishing this because we want the sysadmins to be aware
that some of their knowledgeable users might be able to evade their
The following Perl script is a proof of concept that allows a user to bypass
Websense (and possibly any other similar product) when it is installed in
UFP mode or in Sniffing mode (i.e. transparent, non-proxy).
The concept behind the weakness is simple: every time a user requests a web
page, the browser generates a request that passes through the firewall.
Websense (and other products) looks at this request and answers yes or no
depending on whether the requested URL is in its database. In transparent mode,
Websense relies on the firewall forwarding the whole request in a single
packet. If the request is split across packets, Websense simply lets each
packet pass, since no single packet looks like an HTTP request.
If a malicious employee wants to use the Internet without being traced,
making use of a tool like this will allow him to bypass the filtering and
the authentication. Since this has been known for over 4 years, there is a
good chance that some already do it.
How to test if you are vulnerable without this tool?
Use the Windows telnet client to connect to a remote HTTP site. Be careful
to type the request by hand and not simply cut and paste it, because
each character needs to be sent one at a time.
telnet www.google.ca 80
GET / HTTP/1.0[enter][enter]
You should see the page displayed on the screen. This works even
if you are not authenticated on the filtering engine.
If you get a redirect page instead, then the filtering software has caught your
request... too bad, it will not work.
HOW TO PATCH THE PRODUCT
There is no patch. The behaviour is a direct result of how URL filtering
in transparent mode, or the integration with a firewall, is done. Check Point
SmartDefense could be a good way to detect this, and PIX already detects
manual requests for SMTP...
IS THERE A WAY AROUND?
Yes: use Websense in proxy mode (with any proxy or with the Security Server
of Check Point). The way around consists of making sure that the whole request
is analysed at the same time.
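The mechanism described above (a filter that judges each packet on its own lets a split request through) and the fix described here (analyse the whole request at once) can be shown side by side. This is an added example, not the post's script or any vendor code: two toy inspectors run over the same constructed HTTP request, one looking at each TCP segment in isolation, the other buffering the client-to-server stream until the header block is complete before deciding. The blocked-host list, the request and the helper names are all made up here.

```python
"""Added example (not part of the original post): why a transparent URL filter
must reassemble the TCP stream before matching.  Two toy inspectors are run over
the same constructed HTTP request: one looks at each TCP segment in isolation
(the behaviour the post describes), the other buffers the stream until the
header block is complete.  Names and the blocked-host list are made up here."""

import re

# Constructed policy: hosts the filter is supposed to block.
BLOCKED_HOSTS = {"blocked.example", "www.blocked.example"}

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")
HEADER_END = b"\r\n\r\n"


def host_of(request: bytes):
    """Return the target host of an HTTP request, or None if the bytes do not
    start with a request line.  An absolute URL (proxy-style request) takes
    precedence over the Host header."""
    m = REQUEST_LINE.match(request)
    if not m:
        return None
    target = m.group(2)
    if target.lower().startswith(b"http://"):
        authority = target[7:].split(b"/", 1)[0]
        return authority.split(b":", 1)[0].decode("ascii", "replace").lower()
    for line in request.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            value = line.split(b":", 1)[1].strip()
            return value.split(b":", 1)[0].decode("ascii", "replace").lower()
    return None


def per_packet_verdict(segments):
    """Naive filter: each segment is judged on its own.  A segment that does
    not look like a request is let through, which is exactly the gap the
    post describes."""
    for seg in segments:
        if host_of(seg) in BLOCKED_HOSTS:
            return "BLOCKED"
    return "ALLOWED"


def reassembled_verdict(segments):
    """Stream-aware filter: buffer the client->server bytes until the header
    block is complete, then judge the whole request.  No verdict is given
    before that; a real device would hold the data (proxy) or the decision."""
    buf = b""
    for seg in segments:
        buf += seg
        if HEADER_END in buf:
            request = buf[: buf.index(HEADER_END) + len(HEADER_END)]
            return "BLOCKED" if host_of(request) in BLOCKED_HOSTS else "ALLOWED"
    return "INCOMPLETE"  # headers never finished: nothing to decide on yet


def split_bytes(data: bytes, size: int):
    """Cut a byte string into segment-sized chunks (constructed helper)."""
    return [data[i : i + size] for i in range(0, len(data), size)]


# Constructed request to a host on the block list.
REQUEST = (
    b"GET / HTTP/1.0\r\n"
    b"Host: www.blocked.example\r\n"
    b"User-Agent: example\r\n"
    b"\r\n"
)


def demo():
    """Compare the two inspectors on whole-request vs split delivery.  The
    20-byte split puts the request line and the Host header in different
    segments, which is why the stream inspector waits for HEADER_END."""
    whole = [REQUEST]
    split_1 = split_bytes(REQUEST, 1)    # one byte per segment, as in the post
    split_20 = split_bytes(REQUEST, 20)  # request line and Host header apart
    return {
        "per_packet_whole": per_packet_verdict(whole),
        "per_packet_split_1": per_packet_verdict(split_1),
        "per_packet_split_20": per_packet_verdict(split_20),
        "reassembled_whole": reassembled_verdict(whole),
        "reassembled_split_1": reassembled_verdict(split_1),
        "reassembled_split_20": reassembled_verdict(split_20),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The point of the stream inspector is not the regex but the `INCOMPLETE` state: it refuses to decide until it has the full header block, which is what "analysed at the same time" means in practice. A per-packet matcher has no such state, so any segment boundary inside the request line or between it and the Host header is enough to get an "allow".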
IS THERE A WAY TO TRACE USERS BYPASSING WEBSENSE?
Long way: see if all requests in the FireWall-1 logs match an entry in the
Short way: my proxy is crappy and not all requests pass through (I
should correct that). So you might see authentication errors for some
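The "long way" above, cross-checking the firewall's accepted port 80 connections against the filter's own log, can be scripted. This is an added example, not part of the post: both log formats below are constructed and simplified (a real FireWall-1 or Websense export has other fields and a different layout, so `parse_firewall` and `parse_filter` would need adjusting), and the assumption that the filter log records the destination IP alongside the URL is mine. A firewall connection with no filter entry from the same source to the same destination within a short window is reported.

```python
"""Added example (not part of the original post): correlate firewall accept
records for port 80 with the URL filter's log so that web connections the
filter never saw stand out.  Both log formats are constructed/simplified."""

from datetime import datetime, timedelta

# Constructed firewall log: date time action src dst dport
FW_LOG = """\
2005-08-15 18:01:02 accept 10.0.0.5 216.239.59.104 80
2005-08-15 18:01:10 accept 10.0.0.7 216.239.59.104 80
2005-08-15 18:02:30 accept 10.0.0.5 66.102.7.99 80
2005-08-15 18:02:31 accept 10.0.0.9 192.0.2.10 443
2005-08-15 18:03:00 drop 10.0.0.8 192.0.2.11 80
"""

# Constructed filter log: date time src dst url verdict
# (assumption: the filter logs the destination IP next to the URL)
FILTER_LOG = """\
2005-08-15 18:01:03 10.0.0.5 216.239.59.104 http://www.google.ca/ allowed
2005-08-15 18:02:31 10.0.0.5 66.102.7.99 http://www.google.com/ allowed
"""


def _ts(date: str, time: str) -> datetime:
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")


def parse_firewall(text: str):
    """Yield (timestamp, src, dst) for accepted connections to TCP port 80."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, action, src, dst, dport = line.split()
        if action == "accept" and dport == "80":
            rows.append((_ts(date, time), src, dst))
    return rows


def parse_filter(text: str):
    """Yield (timestamp, src, dst) for every request the filter saw,
    whatever its verdict: blocked requests were still inspected."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, _url, _verdict = line.split()
        rows.append((_ts(date, time), src, dst))
    return rows


def unseen_connections(fw_text: str, filter_text: str,
                       window: timedelta = timedelta(seconds=10)):
    """Firewall connections with no filter entry for the same (src, dst)
    within +/- window.  The window absorbs clock skew between the two
    devices and the delay between the SYN and the first request."""
    seen_by_pair = {}
    for ts, src, dst in parse_filter(filter_text):
        seen_by_pair.setdefault((src, dst), []).append(ts)
    missing = []
    for ts, src, dst in parse_firewall(fw_text):
        candidates = seen_by_pair.get((src, dst), [])
        if not any(abs(t - ts) <= window for t in candidates):
            missing.append((ts, src, dst))
    return missing


if __name__ == "__main__":
    for ts, src, dst in unseen_connections(FW_LOG, FILTER_LOG):
        print(f"{ts}  {src} -> {dst}:80  accepted by firewall, not seen by filter")
```

Read the output as a lead, not a verdict: one miss can be clock skew or a connection the browser opened and never used, while the same source showing up again and again with no filter entries is the pattern the post is warning about. Keep-alive connections carrying several requests produce more filter entries than firewall entries, which this matching tolerates because it only asks whether at least one filter entry exists per connection.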
* This proxy is not multi-threaded, so you may get a timeout when
you have many pictures to download.
* The proxy only handles GET requests correctly. POST requests might
not be handled correctly. I also should correct that one day. For
the others, I don't know... (hey, it's only a proof of concept!)
* If you try to access a server that is not accessible (bad DNS,
server down, etc.), the proxy will die. There is no handling of
connection errors because I'm too lazy to code them.
* The proxy doesn't handle the STOP button. You might need to
restart the proxy after a transfer has been aborted.
DOWNLOAD THE SCRIPT: Sakeru.pl
<http://sinhack.net/URLFilteringEvasion/sakeru.txt> (perl script, tested on
Windows and Linux)
Under Windows: you will need Perl for Windows (like ActivePerl from
Under Linux: you should already have everything you need.
Run the script:
perl -x sakeru.pl
Configure your browser to use a proxy on localhost port 5050.
Surf the tide!!
Sledge.Hammer at sinhack.net
Sinhack Research Labs
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/