How to mitigate the HTTPoxy vulnerability

HTTPoxy is a web application vulnerability triggered by malicious HTTP requests. You can configure your edge application to mitigate HTTPoxy using Rules Engine.


HTTPoxy can affect web applications that use Common Gateway Interface (CGI) or CGI-like environments. CGI is the method responsible for handling user requests and establishing a line of communication between the client and the server through environment variables.

The Proxy request header was found to be exploitable in CGI environments. When a request carries a Proxy header, CGI places its value in the HTTP_PROXY environment variable, which is commonly read to configure outgoing proxies. As a result, any outgoing request the application makes while handling that client request can be redirected to an external proxy server, and all data contained in the request can be captured.

For more information about this vulnerability, visit the official HTTPoxy website or the CERT Coordination Center (CERT/CC) vulnerability database.


Creating a rule to block the HTTP Proxy header


In order to protect your applications against HTTPoxy, follow the steps below to block the Proxy header during the Request Phase.

  1. Access Azion Console.

  2. On the upper-left corner of the page, go to Products menu > Edge Application.

  3. Select the application you want to configure against HTTPoxy attacks.

  4. On the Main Settings tab, in the Modules section, enable Application Accelerator.

  5. Click the Save button to save this setting.

  6. In the Rules Engine tab, click the New Rule button and select Request Phase.

  7. Add a name to your rule.

  8. In the Criteria section, add a criterion.

    You can create a default rule that protects your application as a whole as follows:

    If ${uri} starts with /

  9. Then, in the Behaviors section, select the Filter Request Header behavior and add proxy as an argument.

  10. Click the Save button.

Once the rule is saved, if a malicious request containing the Proxy header is made to your application, your edge application will strip the header before forwarding the request, protecting your origin from HTTPoxy attacks.
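To see why stripping the header at the edge is sufficient, the following added Python example (not code from the Azion documentation) models the CGI rule that turns request headers into HTTP_* variables and the filtering behavior configured above; the sample request and the proxy host name are constructed.

```python
# Added example (not part of the Azion documentation): models how a CGI
# environment turns request headers into HTTP_* variables, and how
# stripping the Proxy header at the edge prevents HTTP_PROXY poisoning.
import re
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

def cgi_env_from_headers(headers: Headers) -> Dict[str, str]:
    """Apply the CGI (RFC 3875) meta-variable naming rule: upper-case the
    header name, replace '-' with '_' and prefix with 'HTTP_'.
    A request header 'Proxy: ...' therefore becomes HTTP_PROXY."""
    env: Dict[str, str] = {}
    for name, value in headers:
        var = "HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper())
        env[var] = value
    return env

def filter_request_header(headers: Headers, blocked: str = "proxy") -> Headers:
    """Edge-side mitigation equivalent to the 'Filter Request Header' behavior:
    drop every header whose name matches `blocked` case-insensitively.
    Matching is case-insensitive because CGI upper-cases names anyway,
    so 'proxy', 'Proxy' and 'PROXY' all map to HTTP_PROXY."""
    return [(n, v) for n, v in headers if n.lower() != blocked.lower()]

def outgoing_proxy(env: Dict[str, str]) -> str:
    """Mimic a client library that honours HTTP_PROXY for outbound requests
    (the behaviour HTTPoxy abuses). Empty string means a direct connection."""
    return env.get("HTTP_PROXY", "")

# Constructed sample request: a normal Host header plus an attacker-controlled
# Proxy header pointing at a hypothetical capture host (not a real address).
SAMPLE_REQUEST: Headers = [
    ("Host", "app.example.com"),
    ("Proxy", "http://attacker.invalid:8080"),
    ("X-Forwarded-For", "203.0.113.7"),
]

def demo(headers: Headers = SAMPLE_REQUEST) -> Tuple[str, str]:
    """Return the proxy the application would use (before, after) filtering."""
    before = outgoing_proxy(cgi_env_from_headers(headers))
    after = outgoing_proxy(cgi_env_from_headers(filter_request_header(headers)))
    return before, after

if __name__ == "__main__":
    b, a = demo()
    print("unfiltered HTTP_PROXY:", repr(b))  # the injected proxy
    print("filtered   HTTP_PROXY:", repr(a))  # '' -> direct connection
```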
