Pentesting Squid

Squid is an HTTP proxy commonly exposed on TCP 3128. If it allows unauthenticated proxying to internal services, use it to discover web apps that are not directly reachable.

Discovery

nmap -sC -sV TARGET -p 3128
# 3128/tcp open  http-proxy    Squid http proxy 4.14
# http-title: ERROR: The requested URL could not be retrieved
# http-server-header: squid/4.14

Direct browsing to the proxy port may return a Squid error page:

Generated ... by SQUID (squid/4.14)

Proxy Internal HTTP Requests

Use curl --proxy to test whether Squid can reach internal web ports:

curl -I --proxy http://TARGET:3128 http://TARGET:8080
# HTTP/1.1 200 OK
# Server: Apache/2.4.46 (Win64) PHP/7.3.21
# X-Powered-By: PHP/7.3.21
# Via: 1.1 SQUID (squid/4.14)

If a proxied port returns 200 OK, configure the browser to use the Squid host and port as an HTTP proxy, then browse to the internal web app normally:

HTTP proxy: TARGET
Port: 3128
URL: http://TARGET:8080/
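
The same proxying is visible to defenders in Squid's access.log. The following Python script is an added example, not part of the original notes: it flags requests from clients outside an assumed trusted range whose destination is an internal address. The TRUSTED_CLIENTS range, the INTERNAL_NETS list and every sample log line (native Squid log format) are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions: which clients may use the proxy, and what counts as "internal".
TRUSTED_CLIENTS = [ipaddress.ip_network("10.10.0.0/16")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128")]

# Constructed sample lines in Squid's native access.log format.
SAMPLE_LOG = """\
1700000000.101     12 10.10.4.20 TCP_MISS/200 5120 GET http://192.168.50.10:8080/ - HIER_DIRECT/192.168.50.10 text/html
1700000003.552      8 203.0.113.7 TCP_MISS/200 1534 HEAD http://192.168.50.10:8080/ - HIER_DIRECT/192.168.50.10 text/html
1700000004.017      3 203.0.113.7 TCP_MISS/503 3900 HEAD http://192.168.50.10:8081/ - HIER_DIRECT/192.168.50.10 text/html
1700000006.310     20 203.0.113.7 TCP_MISS/200 2210 GET http://intranet.example/ - HIER_DIRECT/10.20.0.5 text/html
1700000009.800      2 203.0.113.7 TCP_DENIED/403 3800 GET http://127.0.0.1:8080/ - HIER_NONE/- text/html
"""

def _in(addr, nets):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostname or "-"
    return any(ip in net for net in nets)

def internal_dest(url, peer):
    """Return the internal address a request targets, or None."""
    # CONNECT requests are logged as "host:port" with no scheme.
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    # Fall back to the peer address Squid connected to (covers hostnames).
    for cand in (host, peer.rpartition("/")[2]):
        if _in(cand, INTERNAL_NETS):
            return cand
    return None

def find_internal_proxying(log_text):
    """Flag requests from untrusted clients to internal destinations."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()  # 2=client 3=result/status 6=URL 8=hierarchy/peer
        if len(f) < 10 or _in(f[2], TRUSTED_CLIENTS):
            continue
        dest = internal_dest(f[6], f[8])
        if dest:
            # TCP_DENIED: an http_access rule blocked it; otherwise Squid forwarded it.
            hits.append({"client": f[2], "dest": dest, "url": f[6],
                         "forwarded": not f[3].startswith("TCP_DENIED")})
    return hits

if __name__ == "__main__":
    for h in find_internal_proxying(SAMPLE_LOG):
        print(h)
```

An entry with forwarded set to True and a 503 status still means the access rules let the request through; only the destination port was closed.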
