Details
Alert Id 10107
Alert Type Active
Status beta
Risk High
CWE 20
WASC 20
Technologies Targeted All
Tags OWASP_2017_A09
OWASP_2021_A06

Summary

The server initiated a proxied request via the proxy specified in the HTTP `Proxy` header of the request. Httpoxy typically affects code running in CGI or CGI-like environments, because such environments expose request headers to the application as `HTTP_*` environment variables, so a client-supplied `Proxy` header becomes `HTTP_PROXY`, which many HTTP client libraries read as their outbound proxy setting. This may allow attackers to:

  • Proxy the outgoing HTTP requests made by the web application
  • Direct the server to open outgoing connections to an address and port of their choosing, or
  • Tie up server resources by forcing the vulnerable software to use a malicious proxy

Solution

The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application.
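As an added example (not the ZAP scan rule's code), the following Python models the CGI/WSGI header-to-environment mapping that lets a client-supplied `Proxy` header become `HTTP_PROXY`, and a WSGI middleware that strips or rejects that variable before the application sees it. The demo application, the `outbound_proxy_for` stand-in for a proxy-aware client library, and the `proxy.invalid` value are all constructed.

```python
# Added example (not ZAP's own code): how CGI/WSGI turns a client-supplied
# "Proxy:" header into HTTP_PROXY, and a middleware that drops it early.

def cgi_environ_from_headers(headers):
    """Apply the CGI meta-variable convention (RFC 3875): each request
    header becomes HTTP_<NAME>, upper-cased with '-' replaced by '_'.
    A client-controlled 'Proxy:' header therefore lands in HTTP_PROXY."""
    env = {}
    for name, value in headers:
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value
    return env

def outbound_proxy_for(environ):
    """Constructed stand-in for a client library that trusts HTTP_PROXY
    from its environment; returns the proxy an outbound call would use."""
    return environ.get("HTTP_PROXY")

def demo_app(environ, start_response):
    """Constructed application that reports the proxy it would use."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("proxy=%s\n" % outbound_proxy_for(environ)).encode()]

class StripProxyHeader:
    """WSGI middleware: remove HTTP_PROXY from the environ (or reject the
    request with 400) before any downstream code can consult it."""

    def __init__(self, app, reject=False):
        self.app = app
        self.reject = reject

    def __call__(self, environ, start_response):
        if "HTTP_PROXY" in environ:
            if self.reject:
                start_response("400 Bad Request", [("Content-Type", "text/plain")])
                return [b"Proxy request header is not accepted\n"]
            del environ["HTTP_PROXY"]
        return self.app(environ, start_response)

def run_wsgi(app, environ):
    """Minimal WSGI caller: returns (status, body) for one request."""
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(dict(environ), start_response))
    return captured["status"], body
```

In production the same drop belongs at the web server or reverse proxy in front of the application, so the variable never reaches application code at all.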

Other Info

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/HttPoxyScanRule.java