How to mitigate the HTTPoxy vulnerability
HTTPoxy is a vulnerability in web applications that run in CGI or CGI-like environments: a client-supplied Proxy request header is turned into the HTTP_PROXY environment variable, which the application's HTTP client libraries then use for their outgoing requests. You can configure your edge application to mitigate HTTPoxy with Rules Engine by stripping the Proxy header at the edge, before the request reaches your origin.
1. About HTTPoxy
HTTPoxy affects web applications that run in Common Gateway Interface (CGI) or CGI-like environments. In CGI, the web server hands each request to the application through environment variables: every request header is copied into a variable named HTTP_ followed by the header name, uppercased and with hyphens replaced by underscores.
A request header named Proxy therefore becomes the HTTP_PROXY environment variable, which many HTTP client libraries read to decide which outgoing proxy to use. An attacker who sends a Proxy header pointing at a server they control can redirect the outbound HTTP requests the application makes while handling that request (calls to internal services or third-party APIs, for example) through that proxy, where the requests, and any credentials or data they carry, can be read or modified.
For more information about this vulnerability, visit the official HTTPoxy website or the CERT Coordination Center (CERT/CC) vulnerability database.
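The following Python script is an added example, not code from the HTTPoxy project or from this platform. It simulates the CGI header-to-environment mapping described above, shows how a Proxy header ends up as HTTP_PROXY, and applies the same header-stripping mitigation that the rule in the next section performs at the edge. The request headers and the attacker-proxy.example host are constructed placeholders, and the outbound_proxy function stands in for a client library that honours HTTP_PROXY.

```python
# Added example (not Azion's or the HTTPoxy project's code): how a CGI gateway
# turns request headers into environment variables, why that lets a client set
# HTTP_PROXY, and what stripping the Proxy header at the edge changes.
from typing import Dict, Optional


def cgi_meta_variables(headers: Dict[str, str]) -> Dict[str, str]:
    """RFC 3875 section 4.1.18: every request header becomes HTTP_<NAME>,
    uppercased, with '-' replaced by '_'. A 'Proxy' header therefore lands in
    HTTP_PROXY, the variable many HTTP client libraries read for their
    outgoing proxy."""
    env: Dict[str, str] = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value.strip()
    return env


def outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """Stand-in for a client library that honours HTTP_PROXY for outgoing
    requests, which is how the libraries affected by HTTPoxy behave inside a
    CGI process. Returns None when no proxy would be used."""
    return env.get("HTTP_PROXY") or None


def filter_request_header(headers: Dict[str, str], name: str) -> Dict[str, str]:
    """Edge-side mitigation, equivalent to a 'Filter Request Header' behaviour:
    drop the named header before the request reaches the origin. HTTP header
    names are case-insensitive, so 'proxy', 'Proxy' and 'PROXY' all match
    (after CGI uppercasing they would all become HTTP_PROXY anyway)."""
    return {k: v for k, v in headers.items() if k.lower() != name.lower()}


def origin_fetch_goes_to(headers: Dict[str, str], mitigated: bool) -> Optional[str]:
    """Returns the proxy an origin-side outbound request would be sent through,
    with or without the edge filter in front of the CGI application."""
    if mitigated:
        headers = filter_request_header(headers, "Proxy")
    return outbound_proxy(cgi_meta_variables(headers))


# Constructed malicious request: the client sets a Proxy header pointing at a
# host it controls. attacker-proxy.example is a placeholder, not a real host.
MALICIOUS_REQUEST_HEADERS = {
    "Host": "app.example",
    "User-Agent": "curl/8.0",
    "Proxy": "http://attacker-proxy.example:8080",
}

if __name__ == "__main__":
    print("unmitigated ->", origin_fetch_goes_to(MALICIOUS_REQUEST_HEADERS, mitigated=False))
    print("mitigated   ->", origin_fetch_goes_to(MALICIOUS_REQUEST_HEADERS, mitigated=True))
```

Run it directly to see the two outcomes: without the filter the application's outbound request would be routed through the attacker's proxy; with the filter the CGI environment never receives HTTP_PROXY and no proxy is used. Because the gateway uppercases header names, a filter that only matched the exact spelling "Proxy" would be bypassed by "proxy", which is why the match must be case-insensitive.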
2. Creating a rule to block the HTTP Proxy header
To protect your applications against HTTPoxy, follow the steps below to create a rule that strips the Proxy header during the Request Phase, before the request is forwarded to your origin.
- Access Real-Time Manager.
- On the upper-left corner of the page, go to Products menu > Edge Application.
- Select the application you want to configure against HTTPoxy attacks.
- On the Main Settings tab, in the Modules section, enable Application Acceleration.
- Click the Save button to save this setting.
- In the Rules Engine tab, click the New Rule button and select Request Phase.
- Add a name to your rule.
- In the Criteria section, add a criterion. To protect the application as a whole, use a criterion that matches every request to the application.
- Then, in the Behaviors section, select the Filter Request Header behavior and enter Proxy as the argument. HTTP header names are case-insensitive, so proxy and Proxy refer to the same header.
- Click the Save button.
Once the rule is saved, any request to your application that carries a Proxy header has that header removed at the edge before the request reaches your origin, so the CGI environment never receives an attacker-controlled HTTP_PROXY value. You can verify the rule by sending a test request with a Proxy header to your application and confirming at the origin that the header is absent.