Abstract
Attacker-in-the-middle (AitM) phishing toolkits have emerged as a critical threat to enterprise and individual security by enabling adversaries to bypass multi-factor authentication (MFA) and compromise cloud-based accounts at scale. Traditional detection techniques, such as IP blocklists or content-based detection methods, are often ineffective against these increasingly sophisticated attacks. We propose a novel method that detects malicious proxies by identifying artifacts they introduce into HTTP request headers. To evaluate our approach, we systematically analyze traffic passed through several open-source AitM toolkits and proxies, identifying distinct modifications to header structures and content, then formalize these features as YARA rules for automated use. To validate our findings, we hosted a web-based challenge in a Capture-The-Flag (CTF) competition, collecting 3,534 HTTP requests from 707 unique IP addresses across 55 countries. Our results show that AitM traffic can be detected with an accuracy of 99.7%, with most individual proxies being identifiable with a high degree of accuracy as well. This work also evaluates the long-term resiliency of HTTP-based detection by performing an in-depth analysis of the source code of Evilginx, a popular AitM toolkit, determining that many of the artifacts it introduces are implementation-specific rather than inherent to AitM functionality. We show that these artifacts can be trivially patched out, but that in so doing, numerous inconsistencies are introduced to proxied connections that can be used in counter-evasion techniques. Finally, we analyze detection mechanisms based on third-party web resources, providing implementation examples while exploring their shortcomings and advantages.
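The following is an added illustration of the kind of header-artifact check the abstract describes; it is not the thesis's own YARA rules or findings, and the three indicators it looks for (re-cased sec-* header names, added forwarding headers, a narrowed Accept-Encoding) are assumptions about what an implementation-specific proxy artifact can look like. The two HTTP requests are constructed for the example, not captured from any toolkit.

```python
# Constructed sample requests (not from the thesis): a browser's direct request,
# and the same request after a forwarding proxy re-cased header names and added
# forwarding headers (assumed proxy behaviour for illustration only).
DIRECT = (
    b"GET /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"sec-ch-ua: \"Chromium\";v=\"124\"\r\n"
    b"sec-fetch-site: none\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/124.0.0.0\r\n"
    b"Accept-Encoding: gzip, deflate, br\r\n\r\n"
)
PROXIED = (
    b"GET /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Sec-Ch-Ua: \"Chromium\";v=\"124\"\r\n"
    b"Sec-Fetch-Site: none\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/124.0.0.0\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"X-Forwarded-For: 203.0.113.7\r\n\r\n"
)

FORWARDING_HEADERS = {"x-forwarded-for", "x-forwarded-host", "x-real-ip", "via", "forwarded"}

def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs in wire order; header-name casing is kept on purpose."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")[1:]          # drop the request line
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs

def header_artifacts(raw: bytes) -> list[str]:
    """Return the proxy indicators found in one request (empty list = none)."""
    pairs = parse_headers(raw)
    lower = {n.lower(): v for n, v in pairs}
    findings = []
    ua = lower.get("user-agent", "")
    # Chromium emits its sec-* headers in lowercase; a title-cased copy means
    # something rewrote the header name between the browser and the server.
    if "Chrome/" in ua:
        for name, _ in pairs:
            if name.lower().startswith("sec-") and name != name.lower():
                findings.append(f"recased-header:{name}")
    # Browsers do not send forwarding headers themselves; a reverse proxy adds them.
    findings += [f"forwarding-header:{n}" for n in lower if n in FORWARDING_HEADERS]
    # Chromium advertises br; a proxy that rewrites Accept-Encoding to what its
    # own decompressor supports narrows the advertised set.
    if "Chrome/" in ua and "br" not in lower.get("accept-encoding", ""):
        findings.append("narrowed-accept-encoding")
    return findings
```

Each finding maps naturally onto one YARA string or condition over the raw request bytes, which is the form the abstract says the thesis uses for automation.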
Degree
MS
College and Department
Ira A. Fulton College of Engineering; Electrical and Computer Engineering
Rights
https://lib.byu.edu/about/copyright/
BYU ScholarsArchive Citation
Wood, Jensen George, "Hypertext Transfer Protocol Fingerprinting: Techniques for Attacker-in-the-Middle Proxy Detection, Evasion, and Counter-Evasion" (2026). Theses and Dissertations. 11206.
https://scholarsarchive.byu.edu/etd/11206
Date Submitted
2026-04-14
Document Type
Thesis
Permanent Link
https://arks.lib.byu.edu/ark:/34234/q293cea8ab
Keywords
HTTP fingerprinting, attacker-in-the-middle, phishing detection, proxy detection, multi-factor authentication, network security, cybersecurity
Language
English