Weblog

18 July 2016, 20:49

There is some fuss going on about httpoxy. According to the httpoxy website, it is a 'set of vulnerabilities that affect application code running in CGI, or CGI-like environments'. If you ask me, it is just another example of the usual stupidity: blindly trusting user input.

So, what's going on? It's all about a non-standard HTTP request header named 'Proxy'. In a CGI environment the web server hands every request header to the application as an environment variable named HTTP_ followed by the upper-cased header name, so a 'Proxy' header arrives as HTTP_PROXY, which happens to be the variable many HTTP client libraries read to find their outgoing proxy. Some HTTP client applications and libraries blindly trust its content and send their requests through the proxy named there. If your server-side application uses such a vulnerable client to make an HTTP request (from now on called the back-end request), an attacker can add a Proxy header to his own request and have the back-end request sent to a server he controls. That back-end request may contain confidential information.

How to block such requests? Since 'Proxy' is not a standard HTTP header, no sane client will send it. Simply block any request that carries it (or ban the sending client) via the UrlToolkit:

UrlToolkit {
  ToolkitID = block_httpoxy
  Header Proxy .* DenyAccess
}
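To make the mechanism concrete, here is an added example (not code from the original post, nor from Hiawatha) that simulates the CGI header-to-environment mapping, shows a vulnerable and a hardened client-side proxy lookup, and implements the same check the UrlToolkit rule above performs on the server side. The host names, header values and the operator-configured proxy are constructed for illustration.

```python
"""
Added example, not from the original post: how a client-supplied Proxy header
becomes HTTP_PROXY under CGI, why a naive HTTP client then talks to the
attacker's proxy, and two defences, one on the client side and one on the
server side. Host names and header values are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample requests. HTTP header names are case-insensitive, so an
# attacker may just as well spell the header 'proxy' or 'PROXY'.
ATTACKER_HEADERS: Headers = [
    ("Host", "www.example.org"),
    ("User-Agent", "Wget/1.18"),
    ("Proxy", "attacker.example:8080"),
]
BENIGN_HEADERS: Headers = [
    ("Host", "www.example.org"),
    ("User-Agent", "Mozilla/5.0"),
]


def cgi_environment(method: str, headers: Headers,
                    base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Build the CGI meta-variables a web server hands to a script (RFC 3875,
    section 4.1.18): every request header becomes HTTP_ plus the upper-cased
    name with '-' replaced by '_'. A 'Proxy' header therefore lands in
    HTTP_PROXY, the very variable many HTTP clients read as proxy config."""
    env = dict(base or {})
    env["REQUEST_METHOD"] = method
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def proxy_for_naive_client(env: Dict[str, str]) -> Optional[str]:
    """The httpoxy-vulnerable behaviour: honour HTTP_PROXY no matter who set it."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def proxy_for_hardened_client(env: Dict[str, str]) -> Optional[str]:
    """Client-side fix, the approach CPython's urllib took for CVE-2016-1000110:
    REQUEST_METHOD is only set when running as a CGI script, and in that case
    the upper-case HTTP_PROXY is attacker-controlled, so only the lower-case
    variable (which the CGI mapping never produces) is trusted."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def server_should_deny(headers: Headers) -> bool:
    """Server-side fix, equivalent to 'Header Proxy .* DenyAccess': refuse any
    request carrying a Proxy header, in any letter case, since no legitimate
    client sends one."""
    return any(name.lower() == "proxy" for name, _ in headers)


def demo() -> Dict[str, object]:
    """Run all pieces against the constructed requests and return the results."""
    operator_env = {"http_proxy": "corp-proxy.internal:3128"}  # set by the admin
    attacked = cgi_environment("GET", ATTACKER_HEADERS, operator_env)
    return {
        "env_has_http_proxy": attacked.get("HTTP_PROXY"),
        "naive_client_uses": proxy_for_naive_client(attacked),
        "hardened_client_uses": proxy_for_hardened_client(attacked),
        "server_denies_attack": server_should_deny(ATTACKER_HEADERS),
        "server_denies_benign": server_should_deny(BENIGN_HEADERS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two defences are complementary: the server-side rule keeps the header from ever reaching the application, while the client-side check protects applications deployed behind a web server that does not filter it.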
samiux
19 July 2016, 10:22
Thanks for the info.
Nick
19 July 2016, 12:19
Thanks for the info Hugo!
Kaveman
19 July 2016, 19:00
I guess wget is an insane client that attackers would never use. Hugo you're a smart dude and do amazing work but sometimes the things you say make me chuckle.

wget -d --header="Proxy: 1.2.3.4:8080" https://www.hiawatha-webserver.org
Hugo Leisink
19 July 2016, 19:15
What's funny about that? I don't get it.
Kapageridis Stavros
23 August 2016, 00:38
Thanks for the info Hugo.
Robert
31 August 2016, 07:24
Thanks Hugo!