Widespread “/proxy/” URL Scans Targeting Proxy Servers with Embedded IP Addresses
What Happened — Over the past weekend, SANS Internet Storm Center honeypots recorded a surge in scans that probe for open proxy services using the “/proxy/” path combined with raw IP addresses in the URL. Attackers attempt to manipulate the Host header or embed the target hostname to force the proxy to forward the request, a classic technique for abusing mis‑configured forward proxies.
Why It Matters for TPRM —
- Open proxies can be leveraged to hide malicious traffic, exfiltrate data, or launch further attacks against your supply‑chain partners.
- Third‑party services that expose proxy functionality (e.g., CDN edge nodes, cloud‑hosted web apps) may become inadvertent launch pads if not hardened.
- Early detection of scanning trends helps you validate that your vendors enforce proper proxy hardening and logging.
Who Is Affected — Cloud‑hosted SaaS providers, CDN operators, MSPs offering web‑gateway services, and any organization that runs public‑facing web applications.
Recommended Actions —
- Review contracts and security questionnaires for any third‑party that operates forward‑proxy or edge‑proxy services.
- Verify that vendors enforce strict Host‑header validation and block generic “/proxy/” paths.
- Ensure logging of proxy‑related requests and monitor for anomalous patterns.
- Conduct periodic penetration testing focused on proxy mis‑configuration.
Technical Notes — Attackers use crafted HTTP requests with the “Host” header set to an internal IP or domain while requesting “/proxy/”. No specific CVE is cited; the activity is a reconnaissance scan rather than an exploit. Data types at risk include authentication cookies, session tokens, and any data that traverses the proxy. Source: SANS Internet Storm Center – /proxy/ URL scans with IP addresses (Mar 16)
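As an added detection example (not code from the ISC post or this brief), the Python below flags the request pattern described above in web-server access logs: a "/proxy/" path, an IP literal embedded right after it, and a Host header that is either a raw IP or not one of the site's expected names. The log format (combined log with the Host header appended as a final quoted field), the sample lines and the `expected_hosts` set are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample access-log lines (combined-log style, Host header appended
# as the last quoted field). Documentation-range IPs only; not honeypot data.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Mar/2025:02:11:05 +0000] "GET /proxy/198.51.100.7/ HTTP/1.1" 404 153 "198.51.100.7"
203.0.113.10 - - [16/Mar/2025:02:11:06 +0000] "GET /proxy/http://10.0.0.5:8080/ HTTP/1.1" 404 153 "10.0.0.5:8080"
198.51.100.22 - - [16/Mar/2025:02:12:41 +0000] "GET /index.html HTTP/1.1" 200 612 "www.example.com"
198.51.100.22 - - [16/Mar/2025:02:12:42 +0000] "GET /proxy/settings HTTP/1.1" 200 88 "www.example.com"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)
SCHEME_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9+.-]*://')

def is_ip_literal(authority):
    """True if a host, host:port or [v6]:port string is a raw IP address."""
    host = authority
    if authority.startswith("["):            # bracketed IPv6, optional port
        host = authority[1:authority.find("]")]
    elif authority.count(":") == 1:          # IPv4 or hostname with a port
        host = authority.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def proxy_scan_reasons(target, host, expected_hosts):
    """Reasons a request matches the /proxy/ + embedded-IP scan pattern."""
    reasons = []
    if target.startswith("/proxy/"):
        reasons.append("proxy-path")
        remainder = SCHEME_RE.sub("", target[len("/proxy/"):])  # drop scheme://
        authority = remainder.split("/", 1)[0]
        if authority and is_ip_literal(authority):
            reasons.append("ip-in-path")
    if is_ip_literal(host):
        reasons.append("ip-host-header")
    elif host.split(":")[0].lower() not in expected_hosts:
        reasons.append("unexpected-host")
    return reasons

def scan_hits(log_text, expected_hosts):
    """Parse log lines and return those carrying at least one reason."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = proxy_scan_reasons(m["target"], m["host"], expected_hosts)
        if reasons:
            hits.append({"src": m["src"], "target": m["target"],
                         "host": m["host"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_hits(SAMPLE_LOG, {"www.example.com"}):
        print(hit["src"], hit["target"], hit["host"], ",".join(hit["reasons"]))
```

Requests hitting only "proxy-path" with a legitimate Host header are candidates for the generic-path block recommended above, while "ip-in-path" or "ip-host-header" hits are the scan signature itself.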