TL;DR
Most web proxies can differentiate between JScript and Javascript files based on content inspection, MIME types, or file extensions. However, relying solely on these methods isn’t foolproof due to potential misconfigurations or deliberate obfuscation.
How Web Proxies Identify File Types
- File Extension: The simplest method. A proxy can check if the URL ends in
.js,.jscript, etc. This is easily bypassed by renaming files.- Example: If a file is served with a
Content-Typeoftext/javascriptbut has a.htmlextension, some proxies might misclassify it.
- Example: If a file is served with a
- MIME Type: The server sends a header indicating the file type (e.g.,
Content-Type: application/javascript). Proxies often use this.- You can inspect MIME types using browser developer tools or command-line tools like
curl -I.
- You can inspect MIME types using browser developer tools or command-line tools like
- Content Inspection (Deep Packet Inspection): More sophisticated proxies analyze the file’s content to identify Javascript code.
- This is more reliable but resource intensive and can be bypassed by obfuscation techniques.
Steps to Check Proxy Differentiation
- Test with Different Extensions: Serve the same Javascript code using different file extensions (e.g.,
.js,.jscript,.txt).- Observe how the proxy handles each request. Does it block or allow them differently?
- Inspect HTTP Headers: Use a tool like Wireshark or browser developer tools to examine the HTTP headers sent by the server and received by the proxy.
- Look for discrepancies between the file extension and
Content-Type.
- Look for discrepancies between the file extension and
- Obfuscate Javascript Code: Use a Javascript obfuscator (e.g., UglifyJS, Terser) to make the code harder to read.
- See if the proxy still correctly identifies it as Javascript after obfuscation.
uglifyjs mycode.js -o minified.js
- See if the proxy still correctly identifies it as Javascript after obfuscation.
- Content-Type Spoofing: Configure your web server to serve Javascript files with an incorrect
Content-Type(e.g.,text/plain).- Check if the proxy relies solely on the
Content-Typeheader and ignores content inspection.
- Check if the proxy relies solely on the
Common Proxy Behaviors
- Blocking by Extension: Some proxies block specific extensions (e.g.,
.js) as a security measure. - Content-Based Filtering: More advanced proxies use regular expressions or machine learning to identify malicious Javascript code.
- MIME Type Validation: Proxies may reject files with invalid or unexpected MIME types.
Limitations
- Obfuscation: Skilled attackers can obfuscate Javascript code to bypass content-based filtering.
- Dynamic Content: Proxies may struggle to identify Javascript code generated dynamically on the server side.
- Proxy Configuration: Incorrect proxy configurations can lead to false positives or negatives.