Welcome to the seventh OnionScan Report. The aim of these reports is to provide an accurate and up-to-date analysis of how anonymity networks are being used in the real world.
In this report we will examine how a small change to a regular HTTP request can reveal information, and sometimes deanonymize a large number of hidden services.
Summary
Over a quarter of hidden services hosted on the Tor network are vulnerable to Hostname Hacking (compared to 7% vulnerable to mod_status leaks) - for many this simply reveals co-hosted sites however for a smaller subset, this means deanonymization.
A Note on Numbers
The lifespan of an onion service can range from minutes to years. When providing generalised numbers, especially percentages, we report approximate figures based on multiple scans over a period of time, rather than a single snapshot.
25% of Onions are Vulnerable to Hostname Hacking
We recently talked about Hostname Hacking a technique that exploits misconfigured virtual hosts on a web server to trick a hidden service into reveal some more information about itself.
We have scanned 15,000 onion domains (of which just over 11000 were online consistently enough to be queried).
During these tests we simply replaced the Host: HTTP header with localhost instead of the sites onion domain. We then compared the responses of the normal Host and the hacked Host.
This modification is not enough to fully exploit the site in many cases, but a difference in response tells us that virtual hosts are unlikely to be configured correctly. (It is worth noting that even an error condition can be enough to reveal information - sometimes servers print their real IP address in server error pages, sometimes a common error condition is enough to link servers.)
We found over ~2800 sites that responded differently to regular Host compared to the hacked Host. This indicates that over 25% of hidden services are vulnerable to this technique.
However, ~1400 (~50%) of these are all from the large FreedomHosting II hosting provider. Which defaults to a Double You Bitcoin scam when you request Host:localhost.
When we remove FHII hosted sites from our figures we still find over 12% of online hidden services have this vulnerability.
Unlike Apache mod_status leaks, hostname hacking affects all major web servers including nginx & lighttpd. This means that hostname hacking vulnerabilities are far more pervasive (~12% of all non FHII sites) than mod_status leaks are (~7% of all sites).
One Weird Trick - Multiple Possibilities
We have only talked about hostname hacking as a way to detect co-hosting - however, further analysis has revealed a couple more interesting uses:
- Certain configured servers won't expose /server-status over a regular
Host: abcdefghijklmnop.onionrequest but will expose it over theHost: localhostrequest. - Badly configured services will expose emails, IP addresses and more over error pages caused by the a bad
Hostparameter that they would not in other contexts. - A large number of sites vulnerable to hostname hacking reveal an open directory file listing, or an otherwise personal site, on a
Host: localhostrequest - this indicates that many are co-mingling personal data with anonymous sites, a very bad practice.
Other HTTP Headers
We found it wasn't just then Host parameter - other sites expect the existence of other Tor Browser default HTTP headers and will act differently if they are not available - one of the most stark examples we found was a web hosting provider where all sites would show the same (custom) error if the Accept-Encoding: gzip, deflate header was not sent. This kind of bot detection is not only useless, it actually compromises all the sites that are co-hosted by the provider.
Other OnionScan News
- We released OnionScan 0.2 which contains many new feature & analysis tools.
- Onionscan has a new website where we will be advertising releases, uploading documents & tutorials and listing reports.
Get Involved
If you would like to help please read Sarah's post OnionScan: What's New and What's Next for some great starting off points. You can also email Sarah (see her profile for contact information).
If you would like to support further research and development of tools like OnionScan you can become a patron at Patreon
Goals for the OnionScan Project
- Increase the number of scanned onion services - We have so far only successfully scanned ~6500 (out of ~12,000 domains scanned).
- Increase the number of protocols scanned. OnionScan currently supports light analysis for HTTP(S), SSH, FTP & SMTP and detection for Bitcoin, IRC, XMPP and a few other protocols - we want to grow this list, as well as provide deeper analysis on all protocols.
- Develop a standard for classifying onion services that can be used for crime analysis as well as an expanded analysis of usage from political activism to instant messaging.
