3128/tcp - Pentesting Squid
Basic Information
From Wikipedia:
Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including Internet Gopher, SSL, TLS and HTTPS. Squid does not support the SOCKS protocol, unlike Privoxy, with which Squid can be used in order to provide SOCKS support.
Default port: 3128
PORT STATE SERVICE VERSION
3128/tcp open http-proxy Squid http proxy 4.11
Enumeration
Web Proxy
You can try setting the discovered service as the proxy in your browser. If it is configured with HTTP authentication, you will be prompted for a username and password.
# Try to proxify curl
curl --proxy http://<TARGET>:3128 http://<TARGET>
Open-proxy / egress validation
First verify whether it is really behaving as a forward proxy and whether outbound Internet access is allowed.
# Fast open-proxy detection
nmap -Pn -sV -p 3128 --script http-open-proxy <IP>
# Confirm egress and learn the public IP used by the proxy
curl -x http://<IP>:3128 https://ifconfig.me -I
# If authentication is required, curl will usually show 407 Proxy Authentication Required
curl -x http://<IP>:3128 http://example.com -v
curl -x http://user:pass@<IP>:3128 http://example.com -v
If the proxy is reachable but Internet egress is blocked, it may still be useful as an internal pivot.
Nmap proxified
You can also try to abuse the proxy to scan internal ports by proxifying nmap.
Configure proxychains to use the Squid proxy by adding the following line at the end of the proxychains.conf file: http 10.10.10.10 3128
For proxies requiring authentication, append the username and password to the end of that line: http 10.10.10.10 3128 username passw0rd
Then run nmap through proxychains to scan the host as seen from the proxy itself: proxychains nmap -sT -n -p- localhost
SPOSE Scanner
Alternatively, the Squid Pivoting Open Port Scanner (spose.py) can be used.
python spose.py --proxy http://<TARGET>:3128 --target <TARGET>
Cache Manager enumeration
Misconfigured Squid deployments sometimes expose the Cache Manager, which can leak version info, counters, ACL hints, peer configuration, and sometimes the full running configuration.
On modern Squid versions this is usually exposed below /squid-internal-mgr/:
# Enumerate available manager actions
curl http://<IP>:3128/squid-internal-mgr/menu
# Common high-value pages
curl http://<IP>:3128/squid-internal-mgr/info
curl http://<IP>:3128/squid-internal-mgr/counters
curl http://<IP>:3128/squid-internal-mgr/active_requests
# If cachemgr_passwd is configured and HTTP Basic auth is accepted
curl -u any:PASSWORD http://<IP>:3128/squid-internal-mgr/config
Older installations may also expose the historical cache_object:// scheme through squidclient/curl. If manager ACLs are weak, treat this like a sensitive administrative surface.
ACL bypass / internal reachability tests
A common win is finding that http_access, Safe_ports, SSL_ports, to_localhost, or manager ACLs were relaxed too much. Test both plain HTTP proxying and CONNECT tunneling.
# Direct HTTP requests to RFC1918 / loopback targets through the proxy
curl -x http://<IP>:3128 http://127.0.0.1:8080/ -v
curl -x http://<IP>:3128 http://[::1]:8080/ -v
curl -x http://<IP>:3128 http://<TARGET>/latest/meta-data/ -v
curl -x http://<IP>:3128 http://<TARGET>:8000/ -v
# Force a CONNECT tunnel to a normally unreachable service
openssl s_client -proxy <IP>:3128 -connect 127.0.0.1:443 -quiet
openssl s_client -proxy <IP>:3128 -connect 10.10.10.20:8443 -quiet
This is especially useful when Squid is installed on a bastion, printer server, CI runner, or appliance that can reach sensitive loopback-only services.
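From the defender's side, these requests leave a trace in Squid's access log. The following is an added example, not part of the original page: it flags logged requests to loopback/RFC1918 destinations and to the Cache Manager path, and shows whether the ACLs denied them. The log lines are constructed and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# time elapsed client result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1700000000.101 12 203.0.113.7 TCP_MISS/200 512 GET http://example.com/ - HIER_DIRECT/198.51.100.20 text/html
1700000001.202 8 203.0.113.7 TCP_MISS/200 900 GET http://127.0.0.1:8080/ - HIER_DIRECT/127.0.0.1 text/html
1700000002.303 9 203.0.113.7 TCP_MISS/200 700 GET http://[::1]:8080/ - HIER_DIRECT/::1 text/html
1700000003.404 30 203.0.113.7 TCP_TUNNEL/200 4096 CONNECT 10.10.10.20:8443 - HIER_DIRECT/10.10.10.20 -
1700000004.505 5 203.0.113.7 TCP_DENIED/403 3900 CONNECT 127.0.0.1:443 - HIER_NONE/- text/html
1700000005.606 4 203.0.113.7 TCP_MISS/200 2048 GET http://squid.example.test:3128/squid-internal-mgr/menu - HIER_NONE/- text/plain
"""

# Loopback and RFC1918 ranges, the destination classes the tests above probe.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(host):
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # ordinary hostname; DNS resolution is out of scope here
    return any(addr in net for net in INTERNAL_NETS)

def classify(line):
    """Return a finding dict for a suspicious request, or None."""
    f = line.split()
    if len(f) < 10:
        return None
    client, result, method, url = f[2], f[3], f[5], f[6]
    # CONNECT logs a bare host:port; prefix "//" so urlsplit parses the authority.
    parts = urlsplit(url if "://" in url else "//" + url)
    reasons = []
    if is_internal(parts.hostname or ""):
        reasons.append("internal-connect" if method == "CONNECT" else "internal-http")
    if parts.path.startswith("/squid-internal-mgr/"):
        reasons.append("cache-manager")
    if not reasons:
        return None
    # TCP_DENIED means the ACLs held; any other result was not blocked by them.
    return {"client": client, "target": url, "reasons": reasons,
            "allowed": not result.startswith("TCP_DENIED")}

def scan(log):
    return [hit for hit in map(classify, log.splitlines()) if hit]
```

Findings with `allowed` set to true are the ones to triage first, since the proxy relayed them instead of rejecting them.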
Pivot & tooling configuration
Use Squid as a discovery pivot and a transparent upstream hop for CLI and browser tools.
- Scan “from” the proxy: run SPOSE through Squid to enumerate ports reachable from the proxy host/loopback. With uv you can install deps and scan all TCP ports directly:
uv add --script spose.py -r requirements.txt
uv run spose.py --proxy http://SQUID_IP:3128 --target localhost --allports
- Proxychains for HTTP interaction: append a strict HTTP entry at the bottom of /etc/proxychains.conf:
[ProxyList]
http SQUID_IP 3128
Then interact with internal listeners (e.g., a web UI bound to 127.0.0.1) transparently through Squid:
proxychains curl http://127.0.0.1:9191 -v
- Chaining Burp/Browser → Squid: configure Burp Proxy → Settings → Network → Connections → Upstream proxy servers to point to http://SQUID_IP:3128. Requests to internal hosts such as http://127.0.0.1:9191 will traverse Browser → Burp → Squid → target, enabling full interception of services otherwise not reachable externally.
For more generic tunnel and pivot techniques, see Tunneling and Port Forwarding.
Notes for proxy security reviews
If you are auditing Squid itself (not just using it as a pivot), include these checks in scope:
- Open proxy exposure: confirm whether unauthenticated users can relay traffic externally or into internal address space.
- Manager exposure: /squid-internal-mgr/menu and related pages often disclose enough information to accelerate lateral movement.
- CONNECT restrictions: weak SSL_ports/Safe_ports handling can turn Squid into a generic TCP tunnel to arbitrary ports.
- Parser/cache poisoning tests on outdated builds: recent advisories and public research show that request smuggling, lenient chunked decoding, and cache-poisoning style bugs have affected Squid repeatedly. If you are testing an older or vendor-patched appliance, add controlled TE/CL desync and cache-variant poisoning checks to the test plan.
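The first three checks can also be run offline against a copy of squid.conf. The following is an added example, not part of the original page or of Squid: it audits the order of http_access rules for the relaxations described under "ACL bypass / internal reachability tests". Both configurations are constructed, and the finding names and audit function are hypothetical.

```python
# Both configurations are constructed; HARDENED_CONF follows the stock squid.conf rule order.
WEAK_CONF = """\
acl SSL_ports port 443
acl Safe_ports port 80 443 1025-65535
acl CONNECT method CONNECT
http_access allow manager
http_access allow all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""

HARDENED_CONF = """\
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access deny all
"""

# Finding name -> the deny rule that must precede the first general allow.
GUARDS = {
    "unsafe-ports": ["deny", "!Safe_ports"],
    "connect-any-port": ["deny", "CONNECT", "!SSL_ports"],
    "manager-exposed": ["deny", "manager"],
    "loopback-reachable": ["deny", "to_localhost"],
}

def audit(conf):
    """Return finding names for the http_access policy in a squid.conf text."""
    lines = (l.split("#")[0].split() for l in conf.splitlines())
    rules = [t[1:] for t in lines if len(t) > 1 and t[0] == "http_access"]
    # Squid applies the first matching http_access rule, so a guard placed
    # after a general allow never takes effect.
    first_allow = next((i for i, r in enumerate(rules)
                        if r[0] == "allow" and "manager" not in r), len(rules))
    findings = [name for name, g in GUARDS.items() if g not in rules[:first_allow]]
    for r in rules:
        if (r[0] == "allow" and "manager" in r and "localhost" not in r
                and "manager-exposed" not in findings):
            findings.append("manager-exposed")
    if ["allow", "all"] in rules:
        findings.append("open-proxy")
    if rules[-1:] != [["deny", "all"]]:
        findings.append("no-default-deny")
    return findings
```

WEAK_CONF contains both port guards, but they sit after `http_access allow all`, so they are reported as missing: rule order matters as much as rule presence.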