How can a website find my real IP address while I'm behind a proxy?

  • I just wonder how some website like WhatIsMyIP find out what your real IP address is, even if you use proxy server. It said :

    Proxy Detected

    and then they give your real IP address.

    Is it possible they use JavaScript to send HTTP request for not using web browser proxy settings(How could it be implemented by Java) or there is some magic technique?

    `X-Forwarded-For` header

    For more fun, set your `X-Forwarded-For` header to `'"\--` and watch how many websites break down. Youtube broke, but they fixed it the same evening when I mailed them (not that they told me this). Even a website about SSL certificates outputted the MySQL error, practically instructing me how to perform the SQL-injection. Many other websites told me _"Your IP address (`'"\--`) will be logged when you register."_ doesn't actually detect a proxy, even with the x-forwarded-for header set. It might be a combination of things.

    I believe WebRTC connections can also leak your real IP.

  • Polynomial

    Polynomial Correct answer

    8 years ago

    There are several ways:

    • Proxy headers, such as X-Forwarded-For and X-Client-IP, can be added by non-transparent proxies.
    • Active proxy checking can be used - the target server attempts to connect to the client IP on common proxy ports (e.g. 8080) and flags it as a proxy if it finds such a service running.
    • Servers can check if the request is coming from an IP that is a known proxy. WhatsMyIP probably has a big list of these, including common ones like HideMyAss.
    • Web client software (e.g. Java applets or Flash apps) might be able to read browser settings, or directly connect to a web service on the target system (bypassing the proxy) to verify that the IPs match.
    • Mobile app software can identify the client IP. Example: PhoneGap plugin

    First time I hear of #2, very interesting.

    Regarding #4, is there any browser-based way to prevent a javascript from bypassing proxy settings? Or is the only option enabling firewall?

    @jiggunjer **Javascript** won't bypass the proxy. Java applets can choose to. Java and Javascript are not the same thing.

    so it's a good thing Chrome no longer supports NPAPI

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM