How to mitigate the HTTPoxy vulnerability
HTTPoxy is a web application vulnerability triggered by malicious HTTP requests. You can configure your edge application to mitigate HTTPoxy using Rules Engine.
About HTTPoxy
HTTPoxy can affect web applications that run under the Common Gateway Interface (CGI) or in CGI-like environments. CGI is the mechanism by which a web server hands a user's request to an application: it passes the request details, including its HTTP headers, to the application through environment variables.
The Proxy header in HTTP requests was found to be exploitable in CGI environments. When a request carries a Proxy header, the CGI mapping of headers to environment variables causes that value to overwrite the HTTP_PROXY environment variable, which many HTTP client libraries read to configure outgoing proxies. This means that any outgoing request the application generates on behalf of that client can be redirected to an external, attacker-controlled proxy server, and all data contained within the request can be captured.
Creating a rule to block the HTTP Proxy header
In order to protect your applications against HTTPoxy, follow the steps below to block the Proxy header during the Request Phase.
- Access Azion Console > Edge Application.
- Select the application you want to configure against HTTPoxy attacks.
- In the Main Settings tab, in the Modules section, enable Application Accelerator.
- Click the Save button to save this setting.
- Go to the Rules Engine tab and click the + Rule button.
- Add a name to your rule.
- Select Request Phase.
- In the Criteria section, add a criterion. To create a default rule that covers your application as a whole, use: If ${uri} starts with /
- Then, in the Behaviors section, select the Filter Request Header behavior and add proxy as an argument.
- Click the Save button.
Once the rule is saved and active, any request to your application that contains a Proxy header will have that header stripped by your edge application before it is forwarded, protecting your origin from HTTPoxy attacks.
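The following is an added example, not part of the Azion documentation, that models both the CGI header-to-environment mapping described in the About HTTPoxy section and the effect of the Filter Request Header rule configured above. The CGI mapping (upper-case, hyphens to underscores, HTTP_ prefix) follows the standard CGI convention; the edge filter and the request headers are constructed for illustration.

```python
"""Model of the HTTPoxy mechanism and of the edge-side header-filter mitigation.

Constructed example: a minimal CGI header-to-environment mapping
('Proxy' -> 'HTTP_PROXY') and a filter that drops the Proxy request
header before the request reaches the origin.
"""
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]


def cgi_meta_variables(headers: List[Header]) -> Dict[str, str]:
    """Map request headers to CGI HTTP_* variables the way a CGI server does.

    Header names are upper-cased, '-' becomes '_' and 'HTTP_' is prefixed.
    This is why a client-supplied 'Proxy' header lands in HTTP_PROXY, the
    variable many HTTP client libraries read to choose an outgoing proxy.
    """
    env: Dict[str, str] = {}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def filter_request_headers(headers: List[Header], blocked: List[str]) -> List[Header]:
    """Edge-side equivalent of a 'Filter Request Header' rule with argument 'proxy'.

    Matching is case-insensitive because HTTP header names are.
    """
    blocked_lower = {b.lower() for b in blocked}
    return [(n, v) for n, v in headers if n.lower() not in blocked_lower]


def origin_proxy_setting(headers: List[Header], mitigated: bool) -> Optional[str]:
    """Return the outgoing-proxy value an origin CGI app would see, or None."""
    if mitigated:
        headers = filter_request_headers(headers, ["proxy"])
    return cgi_meta_variables(headers).get("HTTP_PROXY")


# Constructed request carrying a client-supplied Proxy header (hypothetical values).
MALICIOUS_REQUEST: List[Header] = [
    ("Host", "app.example"),
    ("User-Agent", "curl/8.0"),
    ("Proxy", "http://attacker.invalid:8080"),
]

if __name__ == "__main__":
    print("unmitigated HTTP_PROXY:", origin_proxy_setting(MALICIOUS_REQUEST, mitigated=False))
    print("mitigated HTTP_PROXY:  ", origin_proxy_setting(MALICIOUS_REQUEST, mitigated=True))
```

With the filter in place the origin never sees HTTP_PROXY, whatever the case of the header name the client used.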
The same rule can be created in Real-Time Manager (RTM):
- Access Real-Time Manager (RTM).
- On the upper-left corner of the page, go to Products menu > Edge Application.
- Select the application you want to configure against HTTPoxy attacks.
- In the Main Settings tab, in the Modules section, enable Application Accelerator.
- Click the Save button to save this setting.
- In the Rules Engine tab, click the New Rule button and select Request Phase.
- Add a name to your rule.
- In the Criteria section, add a criterion. To create a default rule that covers your application as a whole, use: If ${uri} starts with /
- Then, in the Behaviors section, select the Filter Request Header behavior and add proxy as an argument.
- Click the Save button.