I’ve developed a script that you can run on your server to test for the CGI HTTPoxy vulnerability. It’s available on my GitHub in a repository named HTTPoxy-Test-Tools. So far the script supports Apache web servers, but I’ll be adding support for other web servers gradually.
Edit:
Added IIS HTTPoxy Testing Tool:
https://github.com/silverfoxy/HTTPoxy-Test-Tools/tree/master/iis_httpoxy
HTTPoxy Test Tools
This tool finds your web server’s CGI directory and adds a temporary file that returns the HTTP_PROXY environment variable. It then sends a GET request to this CGI file with the “proxy” header set. If the environment variable reflects that header, you’re vulnerable. This package contains:
apache_httpoxy.py: checks for this vulnerability on Apache web servers.
Dependencies:
os, urllib2, argparse
Usage
usage: apache_httpoxy.py [-h] [-b] [-c CONF]
optional arguments:
  -h, --help            show this help message and exit
  -b, --boolean         Script returns 1 if server is vulnerable, 0 if server is not vulnerable
  -c CONF, --config CONF
                        Enter httpd.conf address
Sample Output
$ sudo python apache_httpoxy.py
[+] Initiating Test
[?] Enter httpd.conf address: [Default: /etc/httpd/conf/httpd.conf]
[+] httpd.conf address was set to /etc/httpd/conf/httpd.conf
[+] Reading CGI-Directory Address from httpd.conf
[+] CGI-Directory was set to /var/www/cgi-bin/
[+] Initiating TestSuite
[+] Creating CGI File
[+] Setting Permissions
[+] Running Tests
[+] Sending Get Request to http://127.0.0.1/cgi-bin/httpoxy-test-file.py with proxy header set to 10.10.10.10
[+] Testing proxy in response
[+] Proxy was set in response
[-] ===== Server Vulnerable =====
[+] Cleaning up
[+] Done
How does it work?
To test for the HTTPoxy vulnerability, CGI must be enabled and there must be a CGI script that sends requests via APIs that use the HTTP_PROXY environment variable. The script reads the httpd.conf file and searches for the cgi-bin directory location.
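class ApacheConfigParser:
    # Directive that maps the /cgi-bin/ URL prefix to a directory on disk
    CGI_CONFIG_PATTERN = 'ScriptAlias /cgi-bin/'

    def __init__(self, filename):
        self.config_file = filename

    def get_cgi_dir(self):
        # Return the target of the first active (not commented out) ScriptAlias line
        with open(self.config_file) as conf:
            for line in conf:
                if self.CGI_CONFIG_PATTERN in line and not line.lstrip().startswith('#'):
                    return line.split()[2].replace('"', '')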
Then we create a Python script to serve as our CGI application. The following code returns the HTTP_PROXY environment variable as the script sees it:
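#!/usr/bin/python
import os

# The print statement appends a newline, so this emits the header plus the blank line that ends the headers
print "Content-Type: text/html\n"
# Echo whatever the web server placed in HTTP_PROXY for this request
print os.environ.get('HTTP_PROXY')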
If the proxy returned by our CGI script matches the one in the attacker’s request, then we’re vulnerable. We test it as follows:
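import urllib2

# Request the temporary CGI file with a "proxy" header carrying a marker address
request = urllib2.Request('http://127.0.0.1/cgi-bin/' + self.filename,
                          headers={'proxy': '10.10.10.10'})
response = urllib2.urlopen(request).read()
# If the marker comes back, the header reached the HTTP_PROXY environment variable
if '10.10.10.10' in response:
    print "Vulnerable"
else:
    print "Not Vulnerable"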
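The check works because a CGI gateway turns every request header into an `HTTP_`-prefixed environment variable (RFC 3875, section 4.1.18), so a header named `proxy` lands in `HTTP_PROXY`. The following is an added example, not code from HTTPoxy-Test-Tools, written for Python 3: it reproduces that mapping offline with a constructed request, runs a stand-in for the temporary CGI file, and shows the result once the `Proxy` header is dropped before the CGI layer. The function names are hypothetical.

```python
import os
import subprocess
import sys

# Stand-in for the temporary CGI file: prints what it sees in HTTP_PROXY.
CGI_BODY = "import os; print(os.environ.get('HTTP_PROXY', ''))"

def cgi_environ(headers):
    """Map request headers to CGI meta-variables as RFC 3875 section 4.1.18
    describes: upper-case the name, turn '-' into '_', prefix 'HTTP_'."""
    env = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        # Content-Type and Content-Length get their own un-prefixed variables.
        if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            key = "HTTP_" + key
        env[key] = value
    return env

def drop_proxy_header(headers):
    """Mitigation (an addition here, not part of the tool): discard the Proxy
    request header, whatever its case, before it reaches the CGI layer."""
    return {n: v for n, v in headers.items() if n.lower() != "proxy"}

def run_cgi(headers):
    """Run the stand-in CGI script with the environment a gateway would build
    and return the HTTP_PROXY value it reports."""
    # Start from a copy of our own environment without any existing proxy setting.
    env = {k: v for k, v in os.environ.items() if k.upper() != "HTTP_PROXY"}
    env.update(cgi_environ(headers))
    out = subprocess.check_output([sys.executable, "-c", CGI_BODY], env=env)
    return out.decode().strip()

def is_vulnerable(headers, probe="10.10.10.10"):
    """Same decision the tool makes: does the probe value come back?"""
    return probe in run_cgi(headers)

if __name__ == "__main__":
    # Constructed request headers, mirroring the probe used by the tool.
    request = {"Host": "127.0.0.1", "proxy": "10.10.10.10"}
    print("unfiltered:", is_vulnerable(request))
    print("filtered:  ", is_vulnerable(drop_proxy_header(request)))
```
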