Squid Proxy
aka proxy
Caching HTTP proxy, usually on 3128. A misconfigured (open) proxy lets you reach internal-only hosts and ports through it — turning the proxy into a pivot and an internal port scanner.
Ports
| Port | Proto | Notes |
|---|---|---|
| 3128 | tcp | Squid HTTP proxy |
| 8080 | tcp | alt proxy port |
Fingerprint
- Via / X-Cache headers naming 'squid'
- nmap http-open-proxy confirms it relays
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /etc/squid/squid.conf | ACLs, internal hostnames, auth config | |
Exploitation primitives
- Open proxy → request internal hosts/ports the proxy can reach (pivot)
- Scan the internal network through it (spose / proxychains)
- Reach admin panels bound to localhost on the proxy host itself
Overview
Squid on 3128 caches and forwards HTTP. If its ACLs are loose, you can route requests through it to internal resources you can’t reach directly — effectively an SSRF/pivot.
Enumeration
Confirm it relays:
nmap -p3128 --script http-open-proxy <TARGET>
Reach an internal host through it:
curl -x http://<TARGET>:3128 http://192.168.0.1/
Hit a service bound to localhost on the proxy box:
curl -x http://<TARGET>:3128 http://127.0.0.1:8080/
Scan the internal network through the proxy:
python3 spose.py --proxy http://<TARGET>:3128 --target 192.168.0.1
Or chain tools via proxychains (add http 127.0.0.1 3128 after a local forward).
Hardening
Restrict http_access ACLs to intended clients/destinations, deny CONNECT to non-TLS ports, and require proxy auth.
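To check a squid.conf against these three points before deploying it, the added sketch below (not part of the original page or of Squid) evaluates http_access rules with Squid's first-match-wins order. The ACL names, address ranges and both sample configs are constructed assumptions, and it only models src, dst, port, method and proxy_auth ACLs with literal IPv4 addresses and single ports.

```python
import ipaddress

# Constructed sample configs (assumptions, not from the page): loose vs. hardened.
WEAK = "http_access allow all\n"
HARDENED = """
acl clients src 10.10.0.0/24
acl to_internal dst 127.0.0.0/8 192.168.0.0/16
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl authed proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_internal
http_access allow clients authed
http_access deny all
"""

def parse(conf):
    """Collect acl definitions and the ordered http_access rules."""
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []  # 'all' is built in
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"] and len(tok) >= 4:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"] and len(tok) >= 3:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def matches(acl, req):
    kind, vals = acl
    if kind in ("src", "dst"):
        ip = ipaddress.ip_address(req[kind])
        return any(ip in ipaddress.ip_network(v) for v in vals)
    if kind == "proxy_auth":
        return req["authed"]  # REQUIRED: any successfully authenticated user
    # port / method: compare the request field against the listed values
    return kind in ("port", "method") and str(req[kind]) in vals

def allowed(conf, req):
    """A rule matches when every ACL on its line does ('!' negates one)."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(matches(acls[n.lstrip("!")], req) != n.startswith("!") for n in names):
            return action == "allow"
    # No rule matched: Squid applies the opposite of the last rule's action.
    return bool(rules) and rules[-1][0] == "deny"
```

Running the same probe requests (outside client to 127.0.0.1:8080, client to an internal address, CONNECT to port 80, unauthenticated client) against both configs shows which rule line stops each one.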