
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Tuesday, March 17th, 2026: Proxy URLs; Local Network Address Restrictions; Advanced Phishing
Mar 17, 2026
They discuss proxy URL attacks that trick servers into reaching internal addresses and clever IPv6 and obfuscation tricks attackers use. Security steps for hardening proxies, firewalls and browser local-network restrictions are covered. A sophisticated phishing chain that used open redirects, third-party relays and DKIM weaknesses to evade defenses is also described.
Honeypot Saw /proxy/ Requests Targeting Cloud Metadata
- Johannes Ullrich observed honeypot attacks hitting URLs starting with /proxy/ to use web servers as proxies.
- Attackers probed for the 169.254.169.254 metadata service and used IPv4-mapped IPv6 obfuscation like ::ffff:a9fe:a9fe.
Lock Down Proxy Endpoints And Don’t Rely On Path Filters
- Do secure any proxy endpoints and cross-origin proxy features so they cannot reach sensitive internal addresses like 169.254.169.254.
- Harden web application firewalls and avoid overly permissive proxy configurations rather than just blocking /proxy/ paths.
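An added example (not from the podcast or its episode notes): a Python check a proxy endpoint could run on a requested target before fetching it, unwrapping the IPv4-mapped IPv6 form so that ::ffff:a9fe:a9fe is treated as 169.254.169.254. The function names and the `resolver` parameter are assumptions made for this sketch.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def normalize_ip(text):
    """Parse an IP literal and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_internal(ip):
    """True for addresses a public-facing proxy should never fetch."""
    return (ip.is_link_local      # 169.254.0.0/16 (metadata service), fe80::/10
            or ip.is_loopback     # 127.0.0.0/8, ::1
            or ip.is_private      # 10/8, 172.16/12, 192.168/16, fc00::/7
            or ip.is_unspecified  # 0.0.0.0, ::
            or ip.is_multicast or ip.is_reserved)

def resolve(host):
    """Default resolver (hypothetical helper): all addresses for a name."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def proxy_target_allowed(url, resolver=resolve):
    """Fail closed: allow only http(s) targets whose every address is public."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        candidates = [normalize_ip(host)]          # host is an IP literal
    except ValueError:
        try:                                       # host is a name: check
            candidates = [normalize_ip(a) for a in resolver(host)]
        except (OSError, ValueError):
            return False
    return bool(candidates) and not any(is_internal(ip) for ip in candidates)
```

The fetch itself should connect to the address that passed this check rather than resolving the name a second time, otherwise the answer can change between check and use.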
Browser Zones Block Cross Network Requests
- Microsoft Edge introduced local network access restrictions that partition public, non-routable, and loopback zones.
- The browser blocks cross-zone requests so public websites cannot request 10.x, 127.0.0.1, or 169.254 addresses by default.
