Tools for testing HTTPoxy Vulnerability

I’ve developed a script that you can run on your server to test for the CGI HTTPoxy vulnerability. It’s available on my GitHub in a repository named HTTPoxy-Test-Tools. I’ve currently developed the script for Apache web servers, but I’ll be adding support for other web servers gradually.

Edit:

Added IIS HTTPoxy Testing Tool:
https://github.com/silverfoxy/HTTPoxy-Test-Tools/tree/master/iis_httpoxy

HTTPoxy Test Tools

This tool finds your web server’s CGI directory and adds a temporary file there that returns the HTTP_PROXY environment variable. It then sends a GET request to this CGI file with the “proxy” header set on the request. If the header value ends up in the environment variable, then you’re vulnerable. This package contains:

apache_httpoxy.py

apache_httpoxy.py Checks for this vulnerability on Apache web servers.

Dependencies:

os, urllib2, argparse

Usage

usage: apache_httpoxy.py [-h] [-b] [-c CONF]

optional arguments:

-h, --help show this help message and exit

-b, --boolean Script returns 1 if server is vulnerable, 0 if server is not vulnerable

-c CONF, --config CONF Enter httpd.conf address

Sample Output

$ sudo python apache_httpoxy.py

[+] Initiating Test

[?] Enter httpd.conf address: [Default: /etc/httpd/conf/httpd.conf]

[+] httpd.conf address was set to /etc/httpd/conf/httpd.conf

[+] Reading CGI-Directory Address from httpd.conf

[+] CGI-Directory was set to /var/www/cgi-bin/

[+] Initiating TestSuite

[+] Creating CGI File

[+] Setting Permissions

[+] Running Tests

[+] Sending Get Request to http://127.0.0.1/cgi-bin/httpoxy-test-file.py with proxy header set to 10.10.10.10

[+] Testing proxy in response

[+] Proxy was set in response

[-] ===== Server Vulnerable =====

[+] Cleaning up

[+] Done

How does it work?

To test for the HTTPoxy vulnerability, we need CGI enabled and a CGI script that sends requests via APIs that use the HTTP_PROXY environment variable. The script reads the httpd.conf file and searches for the cgi-bin directory location.

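class ApacheConfigParser:
    # Directive that maps the /cgi-bin/ URL prefix to a directory on disk
    CGI_CONFIG_PATTERN = 'ScriptAlias /cgi-bin/'
    def __init__(self, filename):
        self.config_file = filename
    def get_cgi_dir(self):
        # Return the directory from the first active (non-comment) ScriptAlias line
        with open(self.config_file) as conf:
            for line in conf:
                if line.lstrip().startswith('#'):
                    continue
                if self.CGI_CONFIG_PATTERN in line:
                    return line.split()[2].replace('"', '')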

Then we create a Python script to serve as our CGI application. It returns the HTTP_PROXY environment variable that was set for the script:

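#!/usr/bin/python
import os
# The trailing "\n" plus print's own newline ends the CGI response headers
print "Content-Type: text/html\n"
# Echo the HTTP_PROXY value the web server passed to this CGI process
print os.environ.get('HTTP_PROXY')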

If the proxy returned by our CGI script matches the one in the attacker’s request, then we’re vulnerable. We test it like this:

# Send the proxy request header; a vulnerable server exposes it to the CGI script as HTTP_PROXY
request = urllib2.Request('http://127.0.0.1/cgi-bin/' + self.filename, headers={'proxy': '10.10.10.10'})
response = urllib2.urlopen(request).read()
if '10.10.10.10' in response:
    print "Vulnerable"
else:
    print "Not Vulnerable"
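
A sturdier take on the httpd.conf step above, as an added example that is not part of HTTPoxy-Test-Tools: it goes beyond the post by returning every active ScriptAlias mapping rather than only /cgi-bin/, and by looking for the mod_headers directive RequestHeader unset Proxy, which removes the header before CGI sees it. It is written for Python 3; the sample configuration and all function names are constructed for illustration.

```python
import shlex

# Constructed httpd.conf fragment for the demo (not from a real server).
SAMPLE_CONF = '''
# ScriptAlias /cgi-bin/ "/old/cgi-bin/"
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
    scriptalias /tools/ /opt/tools/cgi/
</IfModule>
RequestHeader unset Proxy early
'''


def directives(conf_text):
    """Yield (lowercased name, args) per directive; skip comments and <Section> tags."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        try:
            tokens = shlex.split(line)  # handles quoted paths
        except ValueError:  # unbalanced quote: ignore the malformed line
            continue
        if tokens:
            yield tokens[0].lower(), tokens[1:]


def cgi_aliases(conf_text):
    """Every (url_prefix, directory) pair mapped by an active ScriptAlias."""
    return [(args[0], args[1]) for name, args in directives(conf_text)
            if name == "scriptalias" and len(args) >= 2]


def proxy_header_unset(conf_text):
    """True if a 'RequestHeader unset Proxy' directive (mod_headers) is present."""
    return any(name == "requestheader" and len(args) >= 2
               and args[0].lower() == "unset" and args[1].lower() == "proxy"
               for name, args in directives(conf_text))


def summarize(conf_text):
    """Static hint only: which CGI dirs to probe and whether Proxy is stripped."""
    return {"cgi_dirs": [d for _, d in cgi_aliases(conf_text)],
            "proxy_header_unset": proxy_header_unset(conf_text)}


if __name__ == "__main__":
    print(summarize(SAMPLE_CONF))
```

Included files and per-virtual-host overrides are not followed here, so the live request against the temporary CGI file remains the authoritative result.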