Httpoxy - Proxy Header Misuse

ID

httpoxy_proxy_header_misuse

Severity

critical

Kind

Security Misconfiguration

CWE

20

Description

The server initiated an outbound HTTP request through the proxy named in the Proxy header of the incoming request. Httpoxy typically affects code running in CGI or CGI-like environments, where the web server exposes request headers to the application as HTTP_-prefixed environment variables. This may allow attackers to:

* Proxy the outgoing HTTP requests made by the web application
* Direct the server to open outgoing connections to an address and port of their choosing, or
* Tie up server resources by forcing the vulnerable software to use a malicious proxy

Rationale

In CGI and CGI-like environments the web server exposes each request header to the application as an environment variable named HTTP_ followed by the upper-cased header name with hyphens replaced by underscores (RFC 3875), so a client-supplied Proxy header becomes HTTP_PROXY. Many HTTP client libraries read HTTP_PROXY to discover their proxy settings and cannot tell a value configured by the administrator from one injected by the client. An attacker who sends a Proxy header pointing at infrastructure they control therefore forces the server to route the outbound requests it makes while handling that request through the attacker's host. This enables interception of that traffic, theft of credentials and tokens the application sends to external APIs, and use of the server as a pivot, since the attacker chooses the address and port the server connects to and can observe which internal hosts it reaches.

Remediation

Block or strip the Proxy HTTP header at the web server or load balancer level before it reaches the application. The header is not defined by any HTTP standard and has no legitimate use, so it can be dropped unconditionally. Configure your web server to remove it from incoming requests: with Apache mod_headers, RequestHeader unset Proxy early; with Nginx, fastcgi_param HTTP_PROXY ""; for FastCGI backends and proxy_set_header Proxy ""; for proxied backends. For application-level fixes, ensure the HTTP_PROXY environment variable is never populated from untrusted user input, prefer explicit proxy configuration over environment variables, and upgrade HTTP client libraries to versions that ignore HTTP_PROXY when running under CGI (REQUEST_METHOD set). To verify the fix, send a request to a test instance with a Proxy header pointing at a listener you control and confirm that no connection arrives.
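The mechanism described in the rationale and the edge-side fix from the remediation, as an added example written for this entry rather than taken from the original page or from any affected web server or library. It assumes request headers arrive as a dictionary; the proxy addresses (198.51.100.7:8080, proxy.corp:3128) are constructed for illustration and the function names cgi_environ, naive_proxy, cgi_aware_proxy and strip_proxy_header are hypothetical.

```python
"""Added example (not from the original entry): the CGI header-to-environment
mapping that makes httpoxy possible, a naive proxy lookup that trusts
HTTP_PROXY, a CGI-aware lookup that ignores it, and an edge filter that
strips the Proxy header. Hosts and ports below are constructed values."""

from typing import Dict, List, Optional, Tuple

# Headers that RFC 3875 exposes under their own meta-variable names rather
# than under the HTTP_ prefix.
_UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def cgi_environ(headers: Dict[str, str], request_method: str = "GET") -> Dict[str, str]:
    """Build the CGI meta-variables a web server derives from request headers.

    Per RFC 3875 section 4.1.18 each header becomes HTTP_<NAME> with the name
    upper-cased and '-' replaced by '_'. The server does not know that a
    client-chosen "Proxy" header collides with the HTTP_PROXY variable that
    HTTP client libraries read for their proxy settings.
    """
    env = {"REQUEST_METHOD": request_method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        key = _UNPREFIXED.get(name.lower())
        if key is None:
            key = "HTTP_" + name.upper().replace("-", "_")
        if key in env:
            env[key] = env[key] + ", " + value  # repeated headers are joined
        else:
            env[key] = value
    return env


def naive_proxy(env: Dict[str, str]) -> Optional[str]:
    """Proxy lookup as many HTTP libraries did before httpoxy: HTTP_PROXY and
    http_proxy are treated as equivalent, so the client-controlled value wins."""
    return env.get("HTTP_PROXY") or env.get("http_proxy") or None


def cgi_aware_proxy(env: Dict[str, str]) -> Optional[str]:
    """Hardened lookup modelled on the CVE-2016-1000110 fix in CPython's urllib
    (curl avoids the problem by reading only the lowercase http_proxy): when
    the process is serving a CGI request, REQUEST_METHOD is set and the
    upper-case HTTP_PROXY may have come from the client's Proxy header, so it
    is ignored. CGI upper-cases header names, so a lowercase http_proxy can
    only have been set by the administrator and is still honoured."""
    if "REQUEST_METHOD" in env:
        candidate = env.get("http_proxy")
    else:
        candidate = env.get("HTTP_PROXY") or env.get("http_proxy")
    return candidate or None


def strip_proxy_header(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Edge-side remediation: drop the Proxy header (any capitalisation) before
    the request reaches the CGI process. The header has no standard meaning,
    so removing it breaks nothing. Returns the cleaned headers and the dropped
    values so a gateway can log probe attempts."""
    cleaned: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers.items():
        if name.strip().lower() == "proxy":
            dropped.append(value)
        else:
            cleaned[name] = value
    return cleaned, dropped


if __name__ == "__main__":
    # Constructed attacker request carrying a Proxy header.
    request = {"Host": "app.example", "Proxy": "http://198.51.100.7:8080"}
    vulnerable = cgi_environ(request)
    print("naive library would use proxy:", naive_proxy(vulnerable))
    print("CGI-aware library would use proxy:", cgi_aware_proxy(vulnerable))
    cleaned, dropped = strip_proxy_header(request)
    print("dropped at the edge:", dropped)
    print("after stripping, naive library uses:", naive_proxy(cgi_environ(cleaned)))
```

Run it as a script to see the three outcomes side by side: the naive lookup follows the attacker's proxy, the CGI-aware lookup does not, and once the edge strips the header even the naive lookup finds nothing. Either fix alone closes the hole; applying both gives defence in depth against a library that is later swapped for a vulnerable one.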