
SANS ISC: HTTP Proxy Header Vulnerability ("httpoxy") SANS ISC InfoSec Forums

HTTP Proxy Header Vulnerability ("httpoxy")

"HTTPoxy" refers to an older vulnerability in which web applications use the HTTP "Proxy" header incorrectly. The vulnerability was first described in 2001 in libwww-perl, but has escaped detection in other languages and plugins until now. It can be found in some popular implementations, but does not affect the vast majority of web applications.

According to RFC 3875, which describes CGI ("Common Gateway Interface"), the content of the "Proxy" header is assigned to the HTTP_PROXY environment variable. Like all user-supplied data, this value needs to be validated, but sadly, some web applications fail to do so.

The effect is that outbound web requests from the application may use a proxy provided by the user.

You are vulnerable if you are not validating the Proxy header, AND if you are using specific frameworks for outbound web requests that use the HTTP_PROXY environment variable.

For a full list of affected applications, and more details, see . The site also suggests specific mitigation techniques, like removing the Proxy header from all inbound requests, which is probably a sound technique to minimize the impact of this issue.

Johannes B. Ullrich, Ph.D.
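
The header-to-variable mapping and the Proxy header strip described in the diary above, as an added example (not part of the original post or of any affected project's code). The function names, hostnames and header values are constructed for illustration, and the mapping is simplified to the `HTTP_` prefix rule.

```python
# Added example: how a request "Proxy" header collides with HTTP_PROXY under
# the CGI naming rule, and the header strip applied before that mapping.
# All hostnames and header values below are constructed sample data.

def cgi_meta_variables(headers, server_env):
    """Apply the RFC 3875 naming rule: header 'Foo-Bar' -> 'HTTP_FOO_BAR'.

    The mapped names land in the same environment the server hands to the
    CGI process, so a client header can overwrite an existing entry.
    """
    env = dict(server_env)
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def strip_proxy_header(headers):
    """Mitigation from the diary: drop every inbound Proxy header.
    Header names are case-insensitive, so compare them lower-cased."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]

class StripProxyMiddleware:
    """The same strip for WSGI, whose environ keys follow the HTTP_ prefix rule."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        environ.pop("HTTP_PROXY", None)
        return self.app(environ, start_response)

# Constructed server environment and inbound request headers.
SERVER_ENV = {"REQUEST_METHOD": "GET", "HTTP_PROXY": "http://egress.corp.example:3128"}
REQUEST = [("Host", "app.example"), ("pRoXy", "http://client-chosen.example:8080")]

def proxy_seen_by_app(headers, server_env=SERVER_ENV):
    """Value an HTTP client library that trusts HTTP_PROXY would pick up."""
    return cgi_meta_variables(headers, server_env).get("HTTP_PROXY")

if __name__ == "__main__":
    print("unfiltered:", proxy_seen_by_app(REQUEST))
    print("filtered:  ", proxy_seen_by_app(strip_proxy_header(REQUEST)))
```

Stripping at the edge (reverse proxy or web server) covers every application behind it; the middleware form only protects the one application it wraps.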



4307 Posts
ISC Handler
Jul 18th 2016
Thx Johannes,

The open source project offered this signature to detect on @Suricata_IDS @Snort mailing list:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC HttpOxy vulnerability HTTP Proxy header attempt"; flow:to_server,established; content:"Proxy|3A|"; nocase; http_header; pcre:"/^Proxy\x3a/Hsmi";
reference:url,; reference:cve,2016-5385; reference:cve,2016-5386; reference:cve,2016-5387; reference:cve,2016-5388; reference:cve,2016-1000109; reference:cve,2016-1000110;
reference:url,; classtype:misc-attack; sid:1; rev:1;)

Please send any comments.


11 Posts
Microsoft just published

5 Posts
