How to use proxies in the best possible way?

Posted on 2011-05-10
Last Modified: 2013-11-19
I am working on a project that involves a forum. I am not the technical guy (and not so sure about the tech stuff that goes on). I am more like the manager in this.

1. I want to know how to test the forum from the user point of view. This test will have to simulate users from different locations. I want to know how to use proxies to achieve this.

2. I have heard that certain users use proxies to create multiple accounts on the forum. How do they do this? How to deal with this issue in the best way possible without alienating an entire country of users (which was one of the solutions suggested to me).

3. How would some of the more savvy users get around the measures that we take to solve this issue?
Question by:smuralisankar

    Expert Comment

    1. I assume you mean security testing, not e.g. load testing or functionality testing? If yes, the OWASP Testing Guide is what you should look into, and implement all tests relevant to your application. At the bare minimum I suggest creating test cases for the most common mistakes/vulnerabilities affecting web applications, either the OWASP Top 10 or the SANS/CWE Top 25.

    2. There are different techniques for your application to detect the users; this can be done for example based on IP addresses, email addresses or cookies. Proxies can be used if the detection is done using IP addresses. All of the common identity checks can easily be circumvented, unless you want e.g. all your users to go to a local police station and get their accounts based on their driver's license. That was a joke. ;) A typical way is to use account cookies, where a file is stored with the user's login ID on the user's computer when the account is created, and if a cookie is present, creating a new account is not allowed.

    3. Of course, the user can easily just delete the cookie or use multiple user profiles on his/her computer, or use different browsers or even different computers; it just isn't possible to control all these situations. A cookie is still probably your best bet and will prevent some extra accounts from being created.

    Some information on how multiple accounts are handled in another forum software, vBulletin:

    Author Comment

    Thanks for your answer. The testing guide you pointed me towards seems more elaborate than what I am looking for.

    I am just trying to simulate users trying to use proxies to make multiple accounts and techniques they may use in avoiding detection or getting caught.

    What is the best way to do this?

    Accepted Solution

    Simulating a user behind a proxy is probably not very useful; the proxy just redirects the user's session so that to your website it seems to be coming from the proxy server's IP address rather than the user's own machine. Sometimes this can be detected by the HTTP headers, where the HTTP_X_FORWARDED, HTTP_VIA or HTTP_PROXY_CONNECTION fields may contain this information, but only if the proxy server used is configured to include these fields, so this method is not reliable. So-called transparent (layer 1 or 2) proxies do not include these fields, and a malicious user can of course use any proxy of their choosing which masks this information. If you insist on wanting to simulate this, for example install Firefox and Foxyproxy on a test machine, select a bunch of free open proxies and try creating several accounts using different proxies.

    As with the vBulletin plugin I linked to, I would use a combination of an account cookie and IP address checks to verify if the user already has an account, and ignore the proxy issue altogether. An additional check could be the email addresses used for registration, making sure a single email address is not associated with several accounts. While far from perfect, the combination of the cookie, unique IP and a unique email is probably your best bet.

    You also have to keep in mind that many ISPs use transparent proxies or routing techniques where the local IP address of the connecting user is either masked or can even change during a session, making IP address based session management useless.
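The two server-side checks raised in this thread, the first expert's account cookie and the accepted solution's proxy-header inspection plus "cookie + IP + unique e-mail" combination, as an added example in plain Python. This is not code from the original thread or from vBulletin; the header list, the `AccountRegistry` class, the e-mail normalisation rules, the IP time window and the sample requests are all this example's own assumptions. It also encodes the caveat from the accepted solution: a missing forwarding header proves nothing, a present one can be forged, and a bare IP match is only treated as a signal inside a short window.

```python
"""Added example (not from the original thread): server-side checks for
proxy evidence and for duplicate-account registration.

Assumptions made here: the header list, the e-mail normalisation rules,
the IP match window and the in-memory registry are all invented for the
example, not taken from any forum software.
"""
from dataclasses import dataclass, field
import ipaddress
import secrets

# Headers that forwarding proxies commonly add (matched case-insensitively).
# Absence proves nothing (transparent proxies, VPNs and anonymisers omit
# them) and presence can be forged, so treat this as a weak signal to log.
PROXY_HEADERS = ("x-forwarded-for", "forwarded", "via", "x-real-ip", "proxy-connection")


def proxy_evidence(headers):
    """Return the proxy-related header names present in this request."""
    present = {k.lower() for k in headers}
    return [h for h in PROXY_HEADERS if h in present]


def ip_chain(headers, remote_addr):
    """Hops claimed in X-Forwarded-For (client first) plus the socket peer.

    Malformed entries are dropped rather than trusted. Only the last
    element, remote_addr, is an address the server actually observed.
    """
    chain = []
    xff = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for", "")
    for hop in xff.split(","):
        hop = hop.strip()
        try:
            chain.append(str(ipaddress.ip_address(hop)))
        except ValueError:
            continue  # garbage or a forged non-IP value, ignore it
    chain.append(remote_addr)
    return chain


def normalize_email(addr):
    """Lower-case, drop a '+tag', and for gmail.com also drop dots in the
    local part, so trivial variants of one mailbox compare equal."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


@dataclass
class Account:
    user_id: str
    cookie_token: str   # value set in the account cookie at registration
    email: str          # stored already normalised
    ip: str
    created_at: int     # unix seconds, passed in explicitly for testability


@dataclass
class AccountRegistry:
    ip_window_seconds: int = 24 * 3600   # assumed window for the IP check
    accounts: list = field(default_factory=list)

    def duplicate_reasons(self, cookie_token, email, remote_addr, now):
        """Reasons a registration looks like an existing user's second
        account. An empty list means no check fired."""
        reasons = []
        norm = normalize_email(email)
        for acct in self.accounts:
            if cookie_token and acct.cookie_token == cookie_token:
                reasons.append(f"account cookie already belongs to {acct.user_id}")
            if acct.email == norm:
                reasons.append(f"e-mail already used by {acct.user_id}")
            if acct.ip == remote_addr and now - acct.created_at <= self.ip_window_seconds:
                reasons.append(f"same IP as {acct.user_id} within window")
        return reasons

    def register(self, user_id, email, remote_addr, now):
        """Create the account and return the cookie value to set on the
        client. Callers run duplicate_reasons() first."""
        token = secrets.token_urlsafe(16)
        self.accounts.append(Account(user_id, token, normalize_email(email), remote_addr, now))
        return token


if __name__ == "__main__":
    # Constructed sample request: a client behind a proxy that sets XFF.
    hdrs = {"Host": "forum.example", "X-Forwarded-For": "203.0.113.9, bogus"}
    print("proxy headers:", proxy_evidence(hdrs))
    print("claimed chain:", ip_chain(hdrs, "198.51.100.2"))
    reg = AccountRegistry(ip_window_seconds=3600)
    tok = reg.register("alice", "Alice@example.org", "198.51.100.2", now=1000)
    print(reg.duplicate_reasons(tok, "alice+forum@example.org", "198.51.100.2", now=1100))
```

The IP window matters because of the point made just above: users behind an ISP proxy or carrier NAT share addresses, so an IP match without a time bound would block unrelated people, while a match within an hour of a registration from the same address is at least worth a closer look.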

    Expert Comment

    This is one good site consolidating all the web test services and tools.

    Site Check - Type in one URL and automatically run HTML and stylesheet validators, accessibility assessment, link check, load time check, and more. Organizes access to a collection of free online web test tools. Site of Meiert. Also lists a wide variety of free online web analysis/development/test tools.

    NIST Web Metrics Testbed - Web usability testing and evaluation tool suite from U.S. Govt. NIST. Source code available. For UNIX, Windows.

    You can check out "Web Site Security Test Tools"

    WebSecurify - Open source integrated web security testing environment from GNUCITIZEN Information Security Think Tank, for identifying web vulnerabilities by using advanced browser automation, discovery and fuzzing technologies.

    ZeroDayScan - Free web site security scanning service; capabilities include cross site scripting attacks (XSS), detects hidden directories and backup files, looks for known security vulnerabilities, searches for SQL Injection vulnerabilities, generates free reports, more.

    Assisted Solution

    Using a proxy is actually legitimate as long as the intent is not to abuse it to commit criminal acts. Of course, we know about privacy concerns, but that is debatable, so I leave it out. We also know that with a proxy, establishing a real identity is not that straightforward if you want all users to be authenticated so as to authorise users with delegated resource privileges for their access. The link below also highlights that a proxy may remove those details, but not all do that, and even then the user may be traced back, so it is not totally anonymous (but going after TOR-like users can be challenging too).

    Moving forward in a defensive mindset, there would be policies to enforce, like requiring an enterprise-specific credential login even though (any) user can connect to the initial forum page from any part of the internet, for sensitive discussion boards etc.; also, users should not be connecting via open blacklisted proxies but rather via an authorised whitelist of proxies, etc. Just a link for interest

    Network security devices such as a firewall or VPN proxy will do checks before allowing access. There are online hosted services to handle the security aspect of "checking" (first) the connecting requestor's end on your behalf so that you can focus on the business aspects. You can still maintain other network defences in your DMZ if hosting the web servers etc.

    Expert Comment

    by:Guy Hengel [angelIII / a3]
    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
