Tools for testing HTTPoxy Vulnerability

2016-07-21

I’ve developed a script that you can run on your server to test for the CGI HTTPoxy vulnerability. It’s available on my GitHub in a repository named HTTPoxy-Test-Tools. So far the script supports Apache web servers, but I’ll be adding support for other web servers gradually.

Edit:

Added IIS HTTPoxy Testing Tool:
https://github.com/silverfoxy/HTTPoxy-Test-Tools/tree/master/iis_httpoxy

HTTPoxy Test Tools

This tool finds your web server’s CGI directory and adds a temporary CGI file that returns the HTTP_PROXY environment variable. It then sends a GET request to this CGI file with the “Proxy” request header set. CGI exposes request headers to scripts as HTTP_* environment variables, so if the header value shows up in HTTP_PROXY, you’re vulnerable. This package contains:

apache_httpoxy.py

apache_httpoxy.py checks for this vulnerability on Apache web servers.

Dependencies:

os, urllib2, argparse

Usage

    usage: apache_httpoxy.py [-h] [-b] [-c CONF]

    optional arguments:
      -h, --help              show this help message and exit
      -b, --boolean           Script returns 1 if server is vulnerable, 0 if server is not vulnerable
      -c CONF, --config CONF  Enter httpd.conf address

Sample Output

$sudo python apache_httpoxy.py

[+] Initiating Test

[?] Enter httpd.conf address: [Default: /etc/httpd/conf/httpd.conf]

[+] httpd.conf address was set to /etc/httpd/conf/httpd.conf

[+] Reading CGI-Directory Address from httpd.conf

[+] CGI-Directory was set to /var/www/cgi-bin/

[+] Initiating TestSuite

[+] Creating CGI File

[+] Setting Permissions

[+] Running Tests

[+] Sending Get Request to http://127.0.0.1/cgi-bin/httpoxy-test-file.py with proxy header set to 10.10.10.10

[+] Testing proxy in response

[+] Proxy was set in response

[-] ===== Server Vulnerable =====

[+] Cleaning up

[+] Done

How does it work?

To test for the HTTPoxy vulnerability, CGI has to be enabled and there has to be a CGI script that sends requests via APIs that use the HTTP_PROXY environment variable. The script reads the httpd.conf file and searches for the cgi-bin directory location.

    class ApacheConfigParser:
        CGI_CONFIG_PATTERN = 'ScriptAlias /cgi-bin/'

        def __init__(self, filename):
            self.config_file = filename

        def get_cgi_dir(self):
            with open(self.config_file) as conf:
                for line in conf:
                    if self.CGI_CONFIG_PATTERN in line:
                        return line.split()[2].replace('"', '')

Then we create a Python script to serve as our CGI application. It returns the HTTP_PROXY environment variable that was set for the script:

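    #!/usr/bin/python
    import os

    # The extra newline ends the CGI response headers
    print "Content-Type: text/html\n"
    # Echo the HTTP_PROXY value the web server passed to this script
    print os.environ.get('HTTP_PROXY')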

If the proxy returned by our CGI script matches the one in the attacker’s request, then we’re vulnerable. We test it like this:

    request = urllib2.Request('http://127.0.0.1/cgi-bin/' + self.filename,
                              headers={'proxy': '10.10.10.10'})
    response = urllib2.urlopen(request).read()
    if '10.10.10.10' in response:
        print "Vulnerable"
    else:
        print "Not Vulnerable"
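
An added example (Python 3, not part of HTTPoxy-Test-Tools): a stricter take on the httpd.conf parsing step that skips commented-out lines, handles quoted paths and several ScriptAlias entries, and also reports whether the config contains the mod_headers directive "RequestHeader unset Proxy early", which drops the header before CGI scripts see it. The sample config and the function names are constructed for illustration, and Include'd files are not followed.

```python
import shlex

# Constructed sample config (not from the original post).
SAMPLE_CONF = '''\
# ScriptAlias /cgi-bin/ "/srv/old-cgi/"
ServerRoot "/etc/httpd"
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
scriptalias /tools/ /opt/tools/cgi/
<IfModule headers_module>
    RequestHeader unset Proxy early
</IfModule>
'''


def directives(conf_text):
    """Yield each directive as a token list; skip comments, blanks, <Section> tags."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or line.startswith('<'):
            continue
        try:
            tokens = shlex.split(line)  # strips quotes around paths
        except ValueError:
            continue                    # unbalanced quote: skip the line
        if tokens:
            yield tokens


def audit_httpd_conf(conf_text):
    """Return CGI directories keyed by URL prefix, and whether Proxy is unset."""
    result = {'cgi_dirs': {}, 'proxy_header_unset': False}
    for tokens in directives(conf_text):
        name = tokens[0].lower()        # directive names are case-insensitive
        if name == 'scriptalias' and len(tokens) >= 3:
            result['cgi_dirs'][tokens[1]] = tokens[2]
        elif (name == 'requestheader' and len(tokens) >= 3
              and tokens[1].lower() == 'unset'
              and tokens[2].lower() == 'proxy'):
            result['proxy_header_unset'] = True
    return result


if __name__ == '__main__':
    print(audit_httpd_conf(SAMPLE_CONF))
```

A config that passes this static check should still be confirmed with the live request test above, since the directive only takes effect when mod_headers is loaded and the directive applies to the CGI location.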