47

I just wonder how some websites like WhatIsMyIP find out what your real IP address is, even if you use a proxy server. It said:

Proxy Detected

and then they give your real IP address.

Is it possible that they use JavaScript to send an HTTP request that does not use the web browser's proxy settings (how could it be implemented in Java?), or is there some magic technique?

TildalWave
  • 15
    `X-Forwarded-For` header – Rob W May 24 '13 at 07:32
  • 6
    For more fun, set your `X-Forwarded-For` header to `'"\--` and watch how many websites break down. Youtube broke, but they fixed it the same evening when I mailed them (not that they told me this). Even a website about SSL certificates outputted the MySQL error, practically instructing me how to perform the SQL-injection. Many other websites told me _"Your IP address (`'"\--`) will be logged when you register."_ Whatismyip.com doesn't actually detect a proxy, even with the x-forwarded-for header set. It might be a combination of things. – Luc May 25 '13 at 11:36
  • I believe WebRTC connections can also leak your real IP. – Ajedi32 Oct 30 '17 at 18:39

3 Answers

52

There are several ways:

  • Proxy headers, such as X-Forwarded-For and X-Client-IP, can be added by non-transparent proxies.
  • Active proxy checking can be used - the target server attempts to connect to the client IP on common proxy ports (e.g. 8080) and flags it as a proxy if it finds such a service running.
  • Servers can check if the request is coming from an IP that is a known proxy. WhatsMyIP probably has a big list of these, including common ones like HideMyAss.
  • Web client software (e.g. Java applets or Flash apps) might be able to read browser settings, or directly connect to a web service on the target system (bypassing the proxy) to verify that the IPs match.
  • Mobile app software can identify the client IP. Example: PhoneGap plugin
Tony O'Hagan
Polynomial
15

Beyond what Polynomial said, another common practice is to have the browser view the site with and without HTTPS, and see if the connections come from the same IP.

Many transparent (e.g. caching) proxies will allow SSL traffic to pass by without proxying, since proxying an SSL connection requires spoofing certificates, and this causes a whole bucket of other problems.

In this case, the SSL address is the "real" one, and the non-SSL address is the address of the proxy.

tylerl
  • There's no reason that the proxy won't NAT the SSL connection though. Even if you can confirm the proxy hasn't MITM'd the connection you still won't know if there's a proxy based on IP or not. Might work in practice though (i.e. maybe what you've described is how real world implementations work). – CrazyCasta Aug 20 '18 at 00:04
3

It may be possible for web-servers/websites to find the real IP while behind a proxy. Generally HTTP proxy servers, upon receiving a request from a client/user, append a new field (X-Forwarded-For) in the HTTP header and subsequently forward the request to the web-server. This X-Forwarded-For field has the client's IP address. Hence, by analyzing this field, a website can figure out the real IP address.

However, proxy servers provide different levels of anonymity. If a highly anonymous proxy is used (also known as an elite proxy), then it might not be possible for the website to find the real IP address, as these elite proxies don't usually include such headers. Another option is using Ultrasurf if you want to hide your real IP address.

Check this post for details on the X-Forwarded-For header and a simple demo Python script that shows how a web server can detect the use of a proxy server: X-Forwarded-For

Matthew
Guest
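An added example (not from any of the posts above, and not the demo script the last answer links to): a server-side check for the `X-Forwarded-For` and `X-Client-IP` headers that validates every claimed address before using it, so a value like the `'"\--` string from the comment is rejected instead of reaching a log line or an SQL query. The function and field names are hypothetical and the sample requests are constructed.

```python
import ipaddress

# Headers the answers above name as added by non-transparent proxies.
PROXY_HEADERS = ("x-forwarded-for", "x-client-ip")


def parse_ip_list(value):
    """Split a comma-separated header value into (valid_ips, rejected_tokens)."""
    valid, rejected = [], []
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        try:
            # Normalised text form; anything that is not an IP literal raises.
            valid.append(str(ipaddress.ip_address(token)))
        except ValueError:
            rejected.append(token)
    return valid, rejected


def inspect_request(peer_addr, headers):
    """Summarise proxy indicators for one request.

    peer_addr is the TCP peer the server saw; header values are
    client-controlled claims and are only returned after validation.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    present = [h for h in PROXY_HEADERS if h in lowered]
    claimed, rejected = [], []
    for h in present:
        ok, bad = parse_ip_list(lowered[h])
        claimed += ok
        rejected += bad
    return {
        "peer": peer_addr,
        "proxy_suspected": bool(present),
        "claimed_client": claimed[0] if claimed else None,
        "rejected": rejected,
    }


# Constructed sample requests (documentation address ranges).
SAMPLES = [
    ("203.0.113.7", {"X-Forwarded-For": "198.51.100.23, 203.0.113.7"}),
    ("203.0.113.7", {"X-Forwarded-For": "'\"\\--"}),
    ("192.0.2.10", {"User-Agent": "example"}),
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(inspect_request(peer, hdrs))
```

Even after validation, `claimed_client` is only what the client or proxy asserted; `peer` is the one address the server observed itself.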