+- The Un-Official Proxomitron Forum (https://www.prxbx.com/forums)
+-- Forum: Proxomitron Filters (/forumdisplay.php?fid=38)
+--- Forum: Filter Help/Request (/forumdisplay.php?fid=31)
+--- Thread: Can't get the GET header filter to work. (/showthread.php?tid=526)
Can't get the GET header filter to work. - Shaman - Jul. 07, 2005 07:30 PM
Hi everyone, it’s taken me a while but I’m finally beginning to understand a bit about Proxomitron. Amazing program. Much of it is still way beyond me but I’m going to learn. For now can anyone help with something I just can’t figure out?
In the default header filter list it gives the GET header as one of the options, so I thought I could use this to filter specific words from outgoing GET headers – eg. my email address. Is this possible? From the help the best I could figure was to place the word in wildcards - *email* - in the Header Value Match box, but it does not work.
In the ‘HTTP Header’ box there is just the three letters of GET with no colon after it, but there is a space. Is this how it should be.
Thanks.
- Oddysey - Jul. 09, 2005 02:38 AM
Paging JakBeNymble.
Will Dr. Nymble please report to the Filter Help forum, where he must perform delicate header surgery?
Paging JakBeNymble!
- z12 - Jul. 09, 2005 06:38 AM
With respect to http, GET is a method, not a header field name that you can edit with proxomitron.
It sounds like what your looking for is proxomitrons special URL: header field name.
HTH
Mike
- Shaman - Jul. 10, 2005 11:08 PM
Hi Oddysey, unfortunately Mike I’m none the wiser. I tried playing around with the “URL: Enable Keyword search (Out)” default header filter, but could not get that to do the job either. As I said a lot of this is way over my head.......Woooosh.......what was that!!??
Thanks
Shaman.
- Oddysey - Jul. 11, 2005 02:19 AM
Shaman;
Seeing as how Jak is taking a snooze break, I'll step up to the plate. Try looking at Scott's header filter URL: Alias Redirector [Out].
Therein, you'll note that he actually uses a list, but in essence, he's really just substituting one text string (URL) for another. That tells me that you should be able to do some examination, and decipher the contents of where the request is headed (the GET statement). After that, the replacement text should be simple, no?
Good luck!
Oddysey
- Shea - Jul. 11, 2005 02:57 AM
If you want the best possible answer, you need Jak. He's the master at header filters. Do you think he might have got confused by the kye-u.com issues? I know the email that Kye-U sent to me (the automated one), got filtered as junk. Maybe Kye-U should send him one himself so it doesn't get filtered.
- Shaman - Jul. 11, 2005 09:45 AM
Thanks everyone, but I’m still confused.
I may be way off the mark here, but it looks like the GET header does not actually contain the URL, but only the part that comes after it. Don’t know what that would be called, for example in this link
http://netspy.ukrpack.net/cgi-bin/proxy/printenv.cgi the URL is http://netspy.ukrpack.net and the GET header is “cgi-bin/proxy/printenv.cgi”
It’s not specific URLs that I want to target. It’s every URL that tries to insert personal details into the GET or POST headers.
A couple of months ago I saw my email address go out in a GET header. It was put there by a program I was trying out. I had blocked it net access during the trial, but it wanted to connect through IE to update some of the display, so I monitored it and allowed it. Bang…. my email address was gone.
Here is that GET header, (with my real email details asterixed out of course)
/pkg/login.php?uid=63592&eid=0008A12B1466&mid=125609959&email=*****%2D*******%40*********%2Ecom&vers=2.01&lang=eng HTTP/1.0
Of course things can be encrypted and so beyond control by simple word filtering. For those occasions I’
like to be able to completely block GET and POST headers that exceed a certain length, so I can examine them and the program responsible before I decide to allow them.Would that be possible with Proxomitron?
- sidki3003 - Jul. 11, 2005 03:49 PM
As Mike mentioned above, there is no such thing like *the* GET header.
What you're trying to achieve is blocking requests that contain "email=" in the URL.
During the request the URL is split into two parts:
"GET" contains the relative URL path (this is *no* header, but the request).
"Host" contains the hostname part (this is a header).
So what you want is a header filter that simply blocks "email=" in the URL match:
Code:
[HTTP headers]
In = FALSE
Out = TRUE
Key = "!-|||||||||||| URL: Block Requests containing "email=" (Out)"
URL = "*email\="
Replace = "Killed\k"HTH,
sidki
email... - ProxRocks - Jul. 11, 2005 04:28 PM
Um, how often is an "email=" passed in that manner?
- sidki3003 - Jul. 11, 2005 05:12 PM
Rarely, but that's one of Proxomitron's beauties, right?
Everyone can filter whatever suits his/her needs. However, prerequisite is to understand the concept.
sidki
this subject line is dumb... - ProxRocks - Jul. 11, 2005 05:52 PM
sidki3003 Wrote:Everyone can filter whatever suits his/her needs.Amen to that...
sidki
I can certainly vouch for myself in regards to extremely eclectic filtering needs...
- Shaman - Jul. 12, 2005 10:57 AM
Well thanks sidki, that certainly works but I had to play with it a bit. In the end it was just wildcards either side of the word that did it - eg. *MyName* I set up one filter each for my first and last names and one for my IP address.
This just kills the entire URL request, not what I was expecting, but it does the job and will suffice for now until I get to grips with Proxomitron. Thanks for your time. Any idea now how I can kill a URL when the GET or POST headers exceed a certain length?
I’ve been watching and modifying headers for about 5 years now with A4Proxy and I’ve seen all sorts of things inserted in GET and POST headers. I’ve seen some of amazing length and it’s obvious that they are not just requests for web pages or components of those pages. Information is going out and it could literally be anything that you have on your computer. Apps and active content can do this, as well of course as viruses/trojans etc. I keep a well locked down and clean system and the GET and POST headers is the last thing I don’t have full control over.
Shaman