
Feature Request: New detector for ArcGIS proxy configs #3808

Open
M-Davies opened this issue Dec 20, 2024 · 1 comment
Labels
contributions welcomed Signal for help from the community! enhancement new detector request Issues that request addition of new detector(s) pkg/detectors PRs and Issues related to the `detectors` package

Comments


M-Davies commented Dec 20, 2024

Description

Old ArcGIS installs (and directory archives containing files related to them) sometimes contain proxy.config files. These are configuration files that are used by ArcGIS to (funnily enough) configure proxies for backend comms. This method of setting proxies is now deprecated by ArcGIS as it now has its own native settings (see this repo for more details).

However, these proxy files sometimes contain credentials for either local users, domain users or both. A recent pentest I was on against a client running trufflehog against their external infrastructure failed to pick up a proxy.config file similar to the following:

```xml
<?xml version="1.0" encoding="utf-8" ?>
<ProxyConfig allowedReferers="*"
             mustMatch="true">
    <serverUrls>
        <serverUrl url="https://maps.XXXXXXXXXXXXX/arcgisserver/rest/services"
                   username="vp.viewer.test" password="XXXXXXXXXXXXX" tokenServiceUri="https://maps.XXXXXXXXXXXXX/viewpoint/sharing/generateToken" matchAll="true" />
        <serverUrl url="https://maps.XXXXXXXXXXXXX/arcgisXXXXXXXXXXXXX/rest/services"
                   username="XXXXXXXXXXXXX" password="XXXXXXXXXXXXX" matchAll="true" />
        <serverUrl url="https://gis-services.XXXXXXXXXXXXX/arcgis/rest/services"
                   username="XXXXXXXXXXXXX" password="XXXXXXXXXXXXX" matchAll="true" />
    </serverUrls>
</ProxyConfig>

<!-- See https://github.com/Esri/resource-proxy for more information -->
```

URLs, usernames and passwords censored for privacy

For full details, please see this blog post.

Preferred Solution

Support for a new detector that picks up credentials in the <serverUrl> object of the above XML doc.

Additional Context

<serverUrl> does not always contain credentials; it can be just a URL.

I would try and do this myself but Go really isn't my language and I haven't the time in the foreseeable future to learn it sadly :(

References

More details can be provided on request
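
The check requested above, as an added example that is not part of the issue and is not TruffleHog's detector code: a standalone Go function that parses a proxy.config structurally and reports only the `<serverUrl>` entries carrying a password, skipping URL-only entries. The names `Finding` and `FindProxyCredentials`, and the hosts and credentials in `sample`, are assumptions made for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Finding is one <serverUrl> entry that carries embedded credentials.
type Finding struct {
	URL      string `xml:"url,attr"`
	Username string `xml:"username,attr"`
	Password string `xml:"password,attr"`
}

// FindProxyCredentials returns the serverUrl entries that have a password set.
func FindProxyCredentials(data []byte) ([]Finding, error) {
	var cfg struct { // only the elements shown in the issue's sample file
		XMLName xml.Name  `xml:"ProxyConfig"`
		Servers []Finding `xml:"serverUrls>serverUrl"`
	}
	if err := xml.Unmarshal(data, &cfg); err != nil {
		return nil, err // not XML, or the root element is not <ProxyConfig>
	}
	var out []Finding
	for _, s := range cfg.Servers {
		if s.Password != "" { // URL-only entries have no password attribute
			out = append(out, s)
		}
	}
	return out, nil
}

// sample is constructed for this example; hosts and credentials are placeholders.
const sample = `<?xml version="1.0" encoding="utf-8" ?>
<ProxyConfig allowedReferers="*" mustMatch="true"><serverUrls>
  <serverUrl url="https://maps.example.test/arcgis/rest/services"
             username="svc.viewer" password="PLACEHOLDER" matchAll="true" />
  <serverUrl url="https://tiles.example.test/arcgis/rest/services" matchAll="true" />
</serverUrls></ProxyConfig>`

func main() {
	found, err := FindProxyCredentials([]byte(sample))
	if err != nil {
		panic(err)
	}
	for _, f := range found { // report location and user, never the secret
		fmt.Printf("credentials in serverUrl %s (user %q)\n", f.URL, f.Username)
	}
}
```

Parsing the attributes rather than matching a single-line regex matters here because the file in the issue splits each `<serverUrl>` across lines, with `url` on one line and `username`/`password` on the next.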

@shahzadhaider1 shahzadhaider1 added the pkg/detectors PRs and Issues related to the `detectors` package label May 27, 2025
@shahzadhaider1
Contributor

Hey @M-Davies,

Thank you for taking the time to open this issue, we really appreciate your contribution to the project!
We’ll take a look and get back to you as soon as we can. If we need any clarification, we’ll follow up here.

Thanks again for helping make this project better!

@shahzadhaider1 shahzadhaider1 added contributions welcomed Signal for help from the community! new detector request Issues that request addition of new detector(s) labels May 27, 2025