
Scanning Internal Assets with a Proxy

You can use Xint to scan web applications that are not exposed to the public internet, such as staging servers or internal applications. This is achieved by routing the scanner’s traffic through a proxy server located within your network.

When you configure a proxy for a scan, Xint’s scanner will connect to your proxy for all traffic directed at the target application.

Traffic Flow: Xint Scanner -> Your Proxy Server -> Your Internal Web Application

Only the HTTP/HTTPS traffic from the scanner to the target application is routed through the proxy. Other network connections that Xint might make to its own services (like cloud APIs) are not affected by this setting.

Our scanner operates from our cloud infrastructure, so your proxy server must be accessible from the internet.

  • Protocol: HTTP or HTTPS. SOCKS proxies are not supported.
  • Authentication: Proxy authentication (e.g., Basic, NTLM) is not currently supported.

Step-by-Step Guide: Setting up a Squid Proxy


This guide provides an example of how to set up a Squid proxy using Docker. Squid is a popular and robust open-source proxy server.

Create a file named squid.conf. This file will define the access control rules for your proxy.

#
# Recommended minimum configuration:
#
# Allow access from Xint's IP addresses
# Replace with the actual list of Xint's egress IPs
acl xint_ips src 191.96.204.88/32 191.96.204.73/32
# Allow access to your internal network where the target application resides
# Example: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
acl internal_net_dst dstdomain .your-internal-domain.com
acl internal_net_dst_ip dst 10.0.0.0/8
# Setup access control
http_access allow xint_ips internal_net_dst
http_access allow xint_ips internal_net_dst_ip
# Deny all other access
http_access deny all
# Squid normally listens to port 3128
http_port 3128
# Disable the Via header so the proxy does not advertise itself or internal host names
via off
# Remove the X-Forwarded-For header so the scanner's source address is not passed to the target
forwarded_for delete

In the configuration above:

  • acl xint_ips: This defines an access control list (ACL) for the source IPs. You must replace the example IPs with the official list of Xint’s egress IPs.
  • acl internal_net_dst and acl internal_net_dst_ip: These ACLs define the allowed destinations. This ensures the proxy can only be used to access your internal assets, not as an open relay to the internet. Adjust these to match your internal network ranges or domains.
  • http_access: These rules enforce the ACLs. They allow traffic from xint_ips to internal_net_dst or internal_net_dst_ip and deny everything else. Squid ANDs the ACLs listed on one http_access line, so each allow rule is bound to both a source and a destination.
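Because the destination ACLs are what keep the proxy from becoming an open relay, it is worth checking a squid.conf mechanically before exposing it. The following is an added example, not part of Xint's documentation or Squid itself: it parses the acl and http_access lines and flags any allow rule that lacks a src or a dst/dstdomain restriction, a missing final deny all, and src ACLs that match every address. The embedded configuration is a constructed copy of the page's example with placeholder values.

```python
SRC_TYPES, DST_TYPES = {"src"}, {"dst", "dstdomain"}

# Constructed squid.conf text mirroring the page's example (placeholder values, not production settings).
SQUID_CONF = """
acl xint_ips src 191.96.204.88/32 191.96.204.73/32
acl internal_net_dst dstdomain .your-internal-domain.com
acl internal_net_dst_ip dst 10.0.0.0/8
http_access allow xint_ips internal_net_dst
http_access allow xint_ips internal_net_dst_ip
http_access deny all
http_port 3128
"""


def parse(conf):
    """Collect acl definitions (name -> (type, values)) and http_access rules ((action, acl names))."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, then tokenise
        if len(parts) >= 4 and parts[0] == "acl":
            typ, values = acls.get(parts[1], (parts[2], []))
            acls[parts[1]] = (typ, values + parts[3:])   # repeated acl lines merge, as in Squid
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def audit(conf):
    """Return findings; an empty list means every allow rule is bound to both a source and a destination."""
    acls, rules = parse(conf)
    findings = []
    if not rules or rules[-1] != ("deny", ["all"]):
        findings.append("final http_access rule must be 'deny all'")
    for action, names in rules:
        if action != "allow":
            continue
        types = set()
        for name in names:
            if name.startswith("!") or name == "all":
                continue                                   # negations and 'all' never narrow a rule
            if name not in acls:
                findings.append(f"undefined acl '{name}' in allow rule")
            else:
                types.add(acls[name][0])
        if not types & SRC_TYPES:                          # ACLs on one line are ANDed
            findings.append(f"allow {names}: no src restriction, any client may use the proxy")
        if not types & DST_TYPES:
            findings.append(f"allow {names}: no dst restriction, open relay for matching clients")
    for name, (typ, values) in acls.items():
        if typ == "src" and any(v == "all" or v.endswith("/0") for v in values):
            findings.append(f"acl {name} matches every source address")
    return findings
```

Run audit() on your real squid.conf contents; it only inspects acl and http_access lines, so directives such as http_port are ignored.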

Once you have the squid.conf file, you can run the squid proxy in a Docker container. Make sure you have Docker installed and running.

Open a terminal in the directory where you saved squid.conf and run the following command:

docker run -d --name squid-proxy \
-p 3128:3128 \
-v $(pwd)/squid.conf:/etc/squid/squid.conf \
ubuntu/squid

This command does the following:

  • docker run -d: Runs the container in detached mode.
  • --name squid-proxy: Assigns a name to the container.
  • -p 3128:3128: Maps port 3128 on your host machine to port 3128 in the container.
  • -v $(pwd)/squid.conf:/etc/squid/squid.conf: Mounts your custom configuration file into the container.
  • ubuntu/squid: Specifies the Docker image to use.

Your proxy server is now running and listening on port 3128 of the host machine.

Your squid proxy is running on a machine inside your network. You now need to make it accessible to the Xint scanner over the internet.

The method for this depends on your network architecture:

  • Cloud Environments (AWS, GCP, Azure): You can assign a public IP address to the virtual machine running the Docker container and configure its security group to allow inbound traffic on port 3128 only from Xint’s IP addresses.
  • On-Premise Networks: You will likely need to configure your corporate firewall to forward a public IP and port to the internal machine running the proxy. This is often called “port forwarding” or creating a “NAT rule”. Please consult your network and security teams for assistance.

After configuration, you should have a public URL for your proxy, such as http://your-proxy-public-ip:3128.

Once your proxy is set up and accessible, you can configure it in your scan settings.

  1. Navigate to the Scans page and click Create Scan.
  2. Fill in the target details as usual.
  3. In the Advanced Options > Proxy URL section, enter the full URL of your proxy server (e.g., http://your-proxy-public-ip:3128).
  4. It is highly recommended to use the Discover button to test the connectivity. This will verify that the Xint scanner can reach your target application through the configured proxy.
  5. If the discovery is successful, you can proceed to save and start the scan.

The proxy setting is configured on a per-scan basis and will only be used for the scan in which it is defined.

  • Discovery Fails: If the discovery fails, double-check your firewall rules, security groups, and the squid.conf settings. Ensure that Xint’s IPs are correctly whitelisted and that the proxy can reach the target application’s host and port.
  • Proxy Logs: You can view the squid logs to diagnose connection issues by running docker logs squid-proxy. Access logs will show incoming connections, and cache logs (/var/log/squid/cache.log inside the container) may contain more detailed error messages.
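The access log answers the three troubleshooting questions above: did any request from Xint's IPs arrive at all (if not, look at the firewall or port forwarding), was it denied by the ACLs (destination not covered by the internal_net_dst rules), or did Squid accept it but fail to reach the target. The following is an added example, not part of Xint's documentation or Squid's tooling: it triages Squid native-format access.log lines into those buckets and also flags requests from addresses outside the Xint allowlist, which indicate the listener is reachable more widely than the security group should permit. The log lines and the Xint IPs are constructed from the page's example, not real captures.

```python
import ipaddress
from collections import Counter

# Xint egress IPs taken from the page's example acl; replace with the official list (assumption).
XINT_IPS = [ipaddress.ip_network(n) for n in ("191.96.204.88/32", "191.96.204.73/32")]

# Constructed Squid native-format access.log lines (not real captures):
# time elapsed client action/status bytes method url ident hierarchy/peer type
ACCESS_LOG = """\
1718000000.101     12 191.96.204.88 TCP_TUNNEL/200 5120 CONNECT app.your-internal-domain.com:443 - HIER_DIRECT/10.0.1.5 -
1718000000.202      0 203.0.113.7 TCP_DENIED/403 3600 GET http://example.org/ - HIER_NONE/- text/html
1718000000.303      5 191.96.204.73 TCP_MISS/503 4000 GET http://10.0.9.9:8080/ - HIER_DIRECT/10.0.9.9 text/html
1718000000.404      0 191.96.204.88 TCP_DENIED/403 3500 CONNECT 198.51.100.9:443 - HIER_NONE/- text/html
"""


def is_xint(client):
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in XINT_IPS)


def classify(line):
    """Map one access.log line to (client, verdict), or None if the line does not parse."""
    f = line.split()
    if len(f) < 7 or "/" not in f[3]:
        return None
    client, action_status, url = f[2], f[3], f[6]
    action, status = action_status.split("/", 1)
    if not is_xint(client):
        # Any request from a non-Xint address means the port is open to more than the allowlist.
        return client, "unexpected-client"
    if action == "TCP_DENIED":
        return client, f"denied-by-acl:{url}"       # destination not matched by internal_net_dst*
    if status.startswith("5"):
        return client, f"target-unreachable:{url}"  # Squid accepted it, the origin did not answer
    return client, "ok"


def triage(log):
    """Count verdicts; 'no-xint-traffic' means nothing from Xint reached Squid: check the firewall."""
    verdicts = Counter()
    for line in log.splitlines():
        result = classify(line)
        if result:
            verdicts[result[1].split(":")[0]] += 1
    if not any(k in verdicts for k in ("ok", "denied-by-acl", "target-unreachable")):
        verdicts["no-xint-traffic"] += 1
    return verdicts
```

Feed it the output of docker logs squid-proxy (or the container's access.log) to see which bucket the Discover attempt fell into.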