Instart Logic Customers Protected from the HTTPOXY Vulnerability

HTTPOXY vulnerability

What is HTTPOXY and how does it work?

HTTPOXY is a serious vulnerability affecting applications that run in CGI environments. If you are using Go, PHP, Python, or Apache, you are potentially impacted.

An attacker can exploit this vulnerability to perform a man-in-the-middle attack and eavesdrop on the traffic initiated from a web application by having the web server use the attacker’s proxy server.

The attack originates from an HTTP_PROXY namespace conflict. CGI takes every request header and sets an equivalent environment variable on the server, prefixed with HTTP_ (the header name is upper-cased and hyphens become underscores). So if an attacker sends a request to your web application with “Proxy: ATTACKER_PROXY” in the HTTP headers, once the CGI script is executed in the backend, the HTTP_PROXY environment variable will be set to ATTACKER_PROXY. Because HTTP_PROXY is also the variable many HTTP client libraries read to find an outbound proxy, any HTTP request the application makes while handling that request can be routed through the attacker’s proxy.
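The following Python model, added here as an illustration and not Instart Logic code, walks through the collision described above: the CGI header-to-environment mapping, a simplified client proxy lookup, the kind of “any Proxy header” check a WAF rule applies, and a gateway-side mitigation that drops the header before the mapping. The request dictionaries and the ATTACKER_PROXY value are constructed sample input.

```python
"""Model of the httpoxy header/environment collision, with detection and mitigation.
Added illustration, not code from Instart Logic or the httpoxy project."""
from typing import Dict, Optional

# Constructed sample requests: header name -> value.
ATTACK_REQUEST = {"Host": "www.example.com", "Proxy": "ATTACKER_PROXY"}
BENIGN_REQUEST = {"Host": "www.example.com", "User-Agent": "curl/7.50"}


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Mirror the CGI rule (RFC 3875, section 4.1.18): each request header becomes
    an HTTP_<NAME> meta-variable, upper-cased with '-' replaced by '_'.
    A client-supplied 'Proxy' header therefore lands in HTTP_PROXY."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def proxy_used_by_backend_client(env: Dict[str, str]) -> Optional[str]:
    """Simplified model of an HTTP client library's proxy lookup: it trusts
    HTTP_PROXY (or http_proxy) from the environment for outbound requests."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def carries_proxy_header(headers: Dict[str, str]) -> bool:
    """WAF-style detection rule: flag any request carrying a Proxy header.
    Header names are compared case-insensitively, as HTTP requires."""
    return any(name.lower() == "proxy" for name in headers)


def hardened_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """Gateway-side mitigation: drop the Proxy header before the CGI mapping
    so HTTP_PROXY can never be populated from client input."""
    safe = {name: value for name, value in headers.items()
            if name.lower() != "proxy"}
    return cgi_meta_variables(safe)


if __name__ == "__main__":
    unpatched_env = cgi_meta_variables(ATTACK_REQUEST)
    print("unpatched gateway, outbound proxy:", proxy_used_by_backend_client(unpatched_env))
    print("WAF flags request:", carries_proxy_header(ATTACK_REQUEST))
    hardened_env = hardened_meta_variables(ATTACK_REQUEST)
    print("hardened gateway, outbound proxy:", proxy_used_by_backend_client(hardened_env))
```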

How do I test if my website is vulnerable?

If you want to see if your site has this vulnerability, you can follow these steps using PHP (or create the equivalent testing page in your preferred environment):

  1. Create a simple PHP page like the following, which compares the HTTP_PROXY environment variable with “testing” and prints “Your website is vulnerable!” if the two are equal (and nothing otherwise):
    <?php
    // A CGI gateway copies a "Proxy" request header into $_SERVER['HTTP_PROXY'].
    if (isset($_SERVER['HTTP_PROXY']) && $_SERVER['HTTP_PROXY'] == 'testing') {
      echo 'Your website is vulnerable!';
    }
    ?>
    
  2. Now run the following curl command:
    curl -v www.yourwebsite.com/test_headers.php

    You should get an empty response.

  3. Then run the curl command again, this time adding a Proxy header using the -H option:
    curl -v -H 'Proxy: testing' www.yourwebsite.com/test_headers.php

    If you see “Your website is vulnerable!” in the response, then your website has this vulnerability.

To learn more about this vulnerability, visit the HTTPOXY website or read this blog post from Dominic Scheirlinck.

How should I protect myself?

You need to apply the vendor updates for your backend application runtime, operating system, and web servers.

If you are using Instart Logic Web Application Firewall, we have already added a rule to our WAF to make sure any traffic that carries the Proxy header is detected. Please reach out to support@instartlogic.com if you have any further questions.

If you are an Instart Logic Managed Security Services customer, we have already reached out to you and informed you about the mitigation steps.
