Poking A Hole In Whitelist For Bypassing Firewalls - WhitePaper

During an investigation I conducted for a client in order to identify the root-cause of revenue leakage I analyzed several tools such as Psiphon, Latern etc that were able to bypass their captive portals. While doing the root cause analysis, I came across a great multi-purpose technique which can be used to bypass internet censorship, Captive Portals, DPI's Firewalls etc named "Domain Fronting".

Acknowledgements

I would like to thank the Acunetix Team for helping with proof-reading of the document.

Abstract 

Domain Fronting is a widely popular technique that has been used for evading Firewalls, DPI’s and censors. Domain Fronting takes advantage of legitimate high reputation cloud providers, more specifically, Content Delivery Networks (CDN), for evasion. This technique has been commonly used in the wild to circumvent censorship or by malware for establishing a Command and Control C2 channel in restricted network environments.

In this Paper, we look at various forms of Domain Fronting along with few other techniques that can be utilized for circumventing firewalls, Deep Packet Inspection devices and captive portals. We will be dissecting a well-known for bypassing internet censorship bypass known as PSIPHON and will demonstrate how it utilizes Domain Fronting for bypassing Captive Portals.

We will also be exploring how poorly configured whitelists can be abused to circumvent captive portals, Firewalls and Deep Packet Inspection (DPI’s) devices. Finally, we will also be releasing a script that can help Vendors audit their whitelists for finding various issues such as Domain Fronting and poorly configured regular expressions.