Tools for testing HTTPoxy Vulnerability ?>

Tools for testing HTTPoxy Vulnerability

I’ve developed a script that you can run on your server and test for CGI HTTPoxy vulnerability. It’s available on my github in a repository named HTTPoxy-Test-Tools. I’ve currently developed the script for apache web servers but I’ll be adding support for other webservers gradually.


Added IIS HTTPoxy Testing Tool:

HTTPoxy Test Tools

This tool finds your webserver’s CGI directory, adds a temporary file that returns the HTTP_PROXY environment variable. It then sends a GET request to this CGI file and sets the “proxy” header for the underlying request. If the environment variable is affected, then you’re vulnerable. This package contains: Checks for this vulnerability on Apache web servers.


os, urllib2, argparse


usage: [-h] [-b] [-c CONF]

optional arguments:

-h, –help show this help message and exit

-b, –boolean Script returns 1 if server is vulnerable, 0 if server is not vulnerable

-c CONF, –config CONF Enter httpd.conf address

Sample Output

$sudo python

[+] Initiating Test

[?] Enter httpd.conf address: [Default: /etc/httpd/conf/httpd.conf]

[+] httpd.conf address was set to /etc/httpd/conf/httpd.conf

[+] Reading CGI-Directory Address from httpd.conf

[+] CGI-Directory was set to /var/www/cgi-bin/

[+] Initiating TestSuite

[+] Creating CGI File

[+] Setting Permissions

[+] Running Tests

[+] Sending Get Request to with proxy header set to

[+] Testing proxy in response

[+] Proxy was set in response

[-] ===== Server Vulnerable =====

[+] Cleaning up

[+] Done

How does it work?

In order to test for HTTPoxy vulnerability we have to have CGI enabled and have a CGI script that sends requests via APIs that use HTTP_PROXY environment variable. The script reads httpd.conf file and searches for cgi-bin directory location.

Then we create a python script to serve as our CGI application with the following code which returns HTTP_PROXY environment variable set for the script :

If the proxy returned by our CGI script matches the one in the attacker’s request then we’re vulnerable. We test this like this:


Leave a Reply

%d bloggers like this: