SWGRecon: Automate SWG Rules, Policy, and Bypass Enumeration

9 Aug 2024
Comprehensive Talk
Vivek Ramachandran
Abstract
Enterprise users, through their web browsers, are prime targets for attackers, penetration testers, and red teamers. A common tactic is to trick users into clicking links in spear-phishing emails, downloading malicious documents or binaries, and thereby compromising their systems. To mitigate these web-based initial access threats, enterprises deploy Secure Web Gateways (SWGs). SWGs are essentially SSL-intercepting cloud proxies that inspect web traffic and block attacks such as malicious file downloads, harmful websites, and malicious scripts. Since all web traffic from users' browsers is routed through these proxies, SWGs have complete visibility into the scripts loading into users' browsers and the capability to block them.
In this talk, we will explore how to conduct reconnaissance against SWGs: identify the vendor and location, reconstruct the rules and policies applied, and identify bypasses based on these insights. We will introduce SWGRecon, a new tool designed to automate the enumeration process. It can be deployed as a JavaScript file for automatic enumeration and is complemented by a browser extension for certain scenarios. Our techniques have been rigorously tested against all the leading vendors in the market and have proven to be highly effective as of this writing.
Our primary objective is to raise awareness of how easily an attacker can deploy JavaScript via their own website, or inject it into a known website, to uncover loopholes in SWG rules and policies. By exploiting these loopholes, attackers can bypass protections and deliver malware or malicious websites directly to enterprise users' browsers.