So there's a new buzz in town with the HTTPoxy vulnerability, which hits multiple platforms, specifically: PHP; Go; the Apache HTTP Server; Apache Tomcat; the PHP engine HHVM; and Python (CVE-2016-1000110).
A short description of this vulnerability. HTTP_PROXY is an environment variable that HTTP client libraries read to configure an outgoing proxy. CGI servers map every incoming request header to an environment variable named HTTP_<HEADER>, so a request carrying a "Proxy" header ends up populating HTTP_PROXY in the environment of the script that handles it ( I hope you can exploit it, reading just this much ;) ). A lot of software is affected by it. Immediate mitigation is to not read the Proxy header information at all, i.e. strip it at the web server before it reaches any CGI environment. The steps for a fix are mentioned on this link.
The exact ways of how this could be exploited are presently limitless as it has impacts on a broader surface of products and not one. Let's understand this vulnerability with the following diagram:
If you visit a website that fetches parts of its content via an HTTP API from a vulnerable machine, the attacker ( You ;) ) can modify how the server functions. You can dictate how an application could-would-should behave on every API call. You can make the server redirect its outgoing requests to your own server. Using this method you can get users' access tokens, plain-text passwords, session content and much more ( as I said, the possibilities are endless ).
Generally, web applications do not consider securing the server's own outbound communication to the API endpoints it queries. Meaning, the API server is considered trustworthy, which in our case is the weakest link. This is like having an XSS vulnerability but at a much deeper level, without causing any visible damage on the application server itself.
Update: To check for vulnerable servers, you can make web requests in nested crawling loops and hit them with the HTTP header "Proxy". The value of this header should point to your own web endpoint, which can just catch any incoming web requests, for example http://my-api-endpoint.com. Now keep an eye on the logs of that endpoint: if you see any requests arriving, then you're in luck and the server sending those requests has been compromised. Lazy devs can use this Chrome extension.
Update 2: For an Apache server running PHP, use this to test whether your server is vulnerable:
<?php
// Both lookups show whether a request header "Proxy" reached the script's environment.
// getenv() reads the real process environment (what a proxy-aware HTTP client would see).
$var1 = getenv('HTTP_PROXY');
echo "getenv: $var1\n";
// $_SERVER carries the same CGI variables; guard the index so a clean server prints no notice.
echo "_SERVER: " . ($_SERVER['HTTP_PROXY'] ?? '') . "\n";
?>
Then hit the server with requests carrying the header "Proxy". If you see anything on the screen, the header is reaching the environment and you're vulnerable. Note that this only proves the header-to-environment leak; the real impact comes when code running on that server makes outbound HTTP requests with a client that honours HTTP_PROXY, so check those code paths too.
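To make the mechanism concrete from the defender's side, here is an added example (not from the original post) that models the CGI header-to-environment mapping for a constructed request, shows the check a proxy-honouring client would effectively perform, and contrasts it with a gateway that drops the Proxy header before it can become HTTP_PROXY. The header values and the function names are assumptions for illustration only.

```python
"""Model of the httpoxy leak: CGI turns a 'Proxy' request header into HTTP_PROXY."""

# Constructed sample request headers, as a CGI gateway would receive them.
# The "Proxy" header is the httpoxy vector; the other two are ordinary.
SAMPLE_HEADERS = {
    "Host": "example.internal",
    "Proxy": "http://attacker-controlled.example:8080",  # constructed value
    "User-Agent": "curl/7.50",
}


def header_to_cgi_name(name):
    """RFC 3875 rule: upper-case, dashes to underscores, prefix HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_env_naive(headers):
    """The plain CGI mapping: every request header becomes HTTP_<NAME>.
    This is exactly why a client-supplied 'Proxy' header collides with
    the HTTP_PROXY variable that outbound HTTP clients trust."""
    return {header_to_cgi_name(n): v for n, v in headers.items()}


def cgi_env_hardened(headers):
    """Same mapping, but 'Proxy' is discarded before it reaches the
    environment. Apache's mod_headers directive
    'RequestHeader unset Proxy early' does the equivalent at the
    web-server layer, which is the recommended place to fix it."""
    return {
        header_to_cgi_name(n): v
        for n, v in headers.items()
        if n.lower() != "proxy"
    }


def outbound_proxy_for(env):
    """What a proxy-honouring HTTP client library would do: read
    HTTP_PROXY from its environment. A non-empty result means every
    outbound request from this script would be routed through it."""
    return env.get("HTTP_PROXY") or None


def is_httpoxy_exposed(headers, gateway=cgi_env_naive):
    """True if a request with these headers can steer outbound traffic."""
    return outbound_proxy_for(gateway(headers)) is not None
```

Run `is_httpoxy_exposed(SAMPLE_HEADERS)` against both gateways: the naive one returns the attacker-controlled proxy, the hardened one returns nothing while still passing Host and User-Agent through.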
The vulnerability is not short-lived, as many systems will continue to use the existing infrastructure. Thank you for reading, keep exploring :)