How to use proxies in the best possible way?

I am working on a project that involves a forum. I am not the technical guy (and not so sure about the tech stuff that goes on). I am more like the manager in this.

1. I want to know how to test the forum from the user point of view. This test will have to simulate users from different locations. I want to know how to use proxies to achieve this.

2. I have heard that certain users use proxies to create multiple accounts on the forum. How do they do this? How to deal with this issue in the best way possible without alienating an entire country of users (which was one of the solutions suggested to me).

3. How would some of the more savvy users get around the measures that we take to solve this issue?

2 Solutions
1. I assume you mean security testing, not e.g. load testing or functionality testing? If yes, the OWASP Testing Guide is what you should look into, and implement all tests relevant to your application. At the bare minimum I suggest creating test cases for the most common mistakes/vulnerabilities affecting web applications, either the OWASP Top 10 or the SANS/CWE Top 25.


2. There are different techniques for your application to detect the users; this can be done for example based on IP addresses, email addresses or cookies. Proxies can be used if the detection is done using IP addresses. All of the common identity checks can easily be circumvented, unless you want e.g. all your users to go to a local police station and get their accounts based on their driver's license. That was a joke. ;) A typical way is to use account cookies, where a file is stored with the user's login ID on the user's computer when the account is created, and if a cookie is present, creating a new account is not allowed.

3. Of course, the user can easily just delete the cookie or use multiple user profiles on his/her computer, or use different browsers or even different computers; it just isn't possible to control all these situations. A cookie is still probably your best bet and will prevent some extra accounts from being created.

Some information on how multiple accounts are handled in another forum software, vBulletin: http://www.vbulletin.org/forum/showthread.php?t=199077
smuralisankar (Author) commented:
Thanks for your answer. The testing guide you pointed me towards seems more elaborate than what I am looking for.

I am just trying to simulate users trying to use proxies to make multiple accounts and techniques they may use in avoiding detection or getting caught.

What is the best way to do this?
Simulating a user behind a proxy is probably not very useful; the proxy just redirects the user's session so that to your website it seems to be coming from the proxy server's IP address rather than the user's own machine. Sometimes this can be detected by the HTTP headers, where the HTTP_X_FORWARDED, HTTP_VIA or HTTP_PROXY_CONNECTION fields may contain this information, but only if the proxy server used is configured to include these fields, so this method is not reliable. So-called transparent (layer 1 or 2) proxies do not include these fields, and a malicious user can of course use any proxy of their choosing which masks this information. If you insist on wanting to simulate this, for example install Firefox and FoxyProxy (http://getfoxyproxy.org/) on a test machine, select a bunch of free open proxies (http://www.xroxy.com/proxylist.htm) and try creating several accounts using different proxies.

As with the vBulletin plugin I linked to, I would use a combination of an account cookie and IP address checks to verify if the user already has an account, and ignore the proxy issue altogether. An additional check could be the email addresses used for registration, making sure a single email address is not associated with several accounts. While far from perfect, the combination of the cookie, unique IP and a unique email is probably your best bet.

You also have to keep in mind that many ISPs use transparent proxies or routing techniques where the local IP address of the connecting user is either masked or can even change during a session, making IP address based session management useless.
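The registration gate described in the answer above, written out as an added example (not code from the thread or from vBulletin): the account cookie and a reused e-mail are treated as hard signals, while a shared IP address and visible proxy headers are only soft signals, because of the ISP/NAT caveat just mentioned. The account list, header names and verdict format are assumptions for the example.

```python
# Added example: combine account cookie, IP address and e-mail checks at
# registration time. Proxy headers only raise a flag; their absence proves
# nothing, since transparent proxies and hostile users simply omit them.
from dataclasses import dataclass, field

PROXY_HEADERS = ("via", "x-forwarded-for", "proxy-connection")

# Constructed sample data: one existing account (documentation IP range).
SAMPLE_ACCOUNTS = [{"id": 7, "ip": "203.0.113.5", "email": "alice@example.org"}]


@dataclass
class Verdict:
    action: str                      # "allow", "deny" or "review"
    reasons: list = field(default_factory=list)


def proxy_indicators(headers):
    """Return the proxy-revealing header names present, lower-cased."""
    present = {name.lower() for name in headers}
    return [h for h in PROXY_HEADERS if h in present]


def registration_check(existing, cookie_account_id, client_ip, email, headers):
    """existing: list of dicts with 'id', 'ip' and 'email' of known accounts."""
    verdict = Verdict("allow")
    email_norm = email.strip().lower()
    # Hard signals: the account cookie points at a real account, or the
    # e-mail address is already registered (case-insensitive).
    if any(a["id"] == cookie_account_id for a in existing):
        verdict.reasons.append("account cookie bound to account %s" % cookie_account_id)
    if any(a["email"].lower() == email_norm for a in existing):
        verdict.reasons.append("e-mail already registered")
    if verdict.reasons:
        verdict.action = "deny"
        return verdict
    # Soft signals: shared IP (NAT, ISP proxy) and visible proxy headers.
    if any(a["ip"] == client_ip for a in existing):
        verdict.reasons.append("IP already used by another account")
    found = proxy_indicators(headers)
    if found:
        verdict.reasons.append("proxy headers present: " + ", ".join(found))
    if verdict.reasons:
        verdict.action = "review"
    return verdict


if __name__ == "__main__":
    print(registration_check(SAMPLE_ACCOUNTS, None, "203.0.113.5",
                             "bob@example.org", {"Via": "1.1 proxy.example"}))
```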
btan (Exec Consultant) commented:
This is one good site consolidating all the web test service and tools.


Site Check - Type in one URL and automatically run HTML and stylesheet validators, accessibility assessment, link check, load time check, and more. Organizes access to a collection of free online web test tools. Site of UITest.com/Jens Meiert. Also lists a wide variety of free online web analysis/development/test tools.

NIST Web Metrics Testbed - Web usability testing and evaluation tool suite from U.S. Govt. NIST. Source code available. For UNIX, Windows.

You can check out "Web Site Security Test Tools"

WebSecurify - Open source integrated web security testing environment from GNUCITIZEN Information Security Think Tank, for identifying web vulnerabilities by using advanced browser automation, discovery and fuzzing technologies.

ZeroDayScan - Free web site security scanning service; capabilities include cross site scripting attacks (XSS), detects hidden directories and backup files, looks for known security vulnerabilities, searches for SQL Injection vulnerabilities, generates free reports, more.
btan (Exec Consultant) commented:
Using a proxy is actually legitimate as long as the intent is not to the extent of abusing it to commit criminal acts. Of course, we know about privacy concerns, but it is debatable so I leave it out. We also know that with a proxy, having a real identity is not that straightforward if you want all users to be authenticated so as to authorise users with delegated resource privileges for their access. The link below also highlights that a proxy may remove those details, but not all do that, and even the user may be traced back - so not totally anonymous (but going for a TOR-like user can be challenging too).


Moving forward in the defensive mindset, there would be policies to enforce, like needing an enterprise-specific credential login despite the (any) user connecting to the initial forum page from any part of the internet, for sensitive discussion boards etc.; also users should not be connected via an open blacklisted proxy rather than an authorised whitelist of proxies, etc. Just a link for interest


The network security device, such as a firewall or VPN proxy, will do checks before allowing access. There are online hosted services to handle the security aspect of "checking" (first) the connecting requestor end on your behalf so that you can focus on the business aspects. You can still maintain other network defenses in your DMZ if hosting the web servers etc.

Guy Hengel [angelIII / a3] (Billing Engineer) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.