On July 18, 2016 security experts disclosed a vulnerability in web applications and web servers running in CGI or CGI-like environments. The vulnerability, named HTTPoxy, will cause web applications to assign values of a request header named “Proxy” to an internal “HTTP_PROXY” environment variable. As a result, when a web application runs it may be possible for an attacker to specify a proxy server which the application uses for subsequent outgoing requests resulting in a man-in-the-middle(MITM) attack.
Verizon Digital Media Services’ CDN customers can protect their web applications against an HTTPoxy attack by using the HTTP Rules Engine to block requests that contain the “Proxy” header and it’s variations. The “Proxy” header is not defined by IETF and is not a standard header. Even though there is no legitimate use for this header and considered generally safe to block, we advise each customer to evaluate the impact to their website and leverage the Rules Engine rule(s) where appropriate. This rule will block malicious requests in our CDN edge servers, before they can impact the customer’s origin servers.
Following screenshot shows the Rules Engine rule that can used by customers:
For more information about the vulnerability, please see https://httpoxy.org/. For comprehensive protection, we advise all customers to apply appropriate patches to their origin servers and web applications.
If you have any questions, please contact our 24×7 NOC.
Dave Andrews, Sec.C Lead Engineer
Vikas Phonsa, Senior Product Manager — Security Solutions