
Prevent httpoxy attack

Open kravietz opened this issue 6 years ago • 4 comments

If proxy module is used, make sure this is set to thwart the httpoxy attack:

proxy_set_header Proxy "";

More detailed discussion at Nginx website: Mitigating the HTTPoxy Vulnerability with NGINX

kravietz avatar Aug 02 '19 14:08 kravietz

Hey @kravietz,

I moved this issue to our nginx-baseline repo, as new hardening-tests are first developed here! Then we will integrate them into the actual hardening repositories.

rndmh3ro avatar Aug 07 '19 08:08 rndmh3ro

I think it is great to add an option here to verify that the proxy header is set to an empty string. How do we deal with the fact that the value is not always empty?

chris-rock avatar Aug 07 '19 09:08 chris-rock

@chris-rock any value set for the Proxy header prevents the attack - the vector only works if it can be set arbitrarily from the HTTP request. So a mere check for the presence of proxy_set_header Proxy should be sufficient.

kravietz avatar Aug 07 '19 09:08 kravietz

@kravietz That is great. Thank you for your explanation. Let us add this to the baseline!

chris-rock avatar Aug 07 '19 10:08 chris-rock
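A worked version of the check the thread converges on, added here as an example and not code from the nginx-baseline project. The function names (parse_nginx, httpoxy_findings, httpoxy_safe?) and the three sample configs are constructed for illustration. It goes one step beyond a plain grep for the directive: per nginx's proxy_set_header documentation, a block inherits proxy_set_header from the enclosing level only when it defines none of its own, so `proxy_set_header Proxy "";` at http level is silently dropped in a location that sets its own Host header. The check therefore resolves the headers that actually apply to each proxy_pass block before deciding whether the Proxy header is pinned.

```ruby
# Added example (not nginx-baseline project code). Resolves the effective
# proxy_set_header set for every block that uses proxy_pass and reports the
# blocks where the Proxy header is not pinned to some value.

# Tokenize nginx config text and build a tree of blocks and directives.
def parse_nginx(text)
  tokens = text.gsub(/#.*$/, '').scan(/"[^"]*"|'[^']*'|[{};]|[^\s{};"']+/)
  root = { header: ['main'], directives: [], children: [], parent: nil }
  node = root
  buf = []
  tokens.each do |tok|
    case tok
    when '{'
      child = { header: buf, directives: [], children: [], parent: node }
      node[:children] << child
      node = child
      buf = []
    when '}'
      node = node[:parent] || node # tolerate a stray closing brace
    when ';'
      node[:directives] << buf
      buf = []
    else
      buf << tok
    end
  end
  root
end

# Depth-first walk over every block in the tree.
def each_block(node, &blk)
  blk.call(node)
  node[:children].each { |c| each_block(c, &blk) }
end

# The proxy_set_header directives nginx actually applies in this block:
# the block's own if it has any, otherwise the nearest ancestor's set.
def effective_set_headers(node)
  while node
    own = node[:directives].select { |d| d[0] == 'proxy_set_header' }
    return own unless own.empty?
    node = node[:parent]
  end
  []
end

# Headers of every proxy_pass block whose effective set does not pin Proxy.
# Any value counts, as the thread notes: it only has to stop the client
# from supplying the header.
def httpoxy_findings(text)
  findings = []
  each_block(parse_nginx(text)) do |node|
    next unless node[:directives].any? { |d| d[0] == 'proxy_pass' }
    covered = effective_set_headers(node).any? { |d| d[1].to_s.casecmp?('proxy') }
    findings << node[:header].join(' ') unless covered
  end
  findings
end

def httpoxy_safe?(text)
  httpoxy_findings(text).empty?
end

# Constructed sample configs for the three cases.
VULNERABLE_CONF = <<~'NGINX'
  http {
    server {
      location /app/ {
        proxy_pass http://backend;
      }
    }
  }
NGINX

# Has the directive, but the location's own Host header cuts inheritance,
# so the Proxy header is not actually pinned for /app/.
LOOKS_HARDENED_CONF = <<~'NGINX'
  http {
    proxy_set_header Proxy "";
    server {
      location /app/ {
        proxy_pass http://backend;
        proxy_set_header Host $host;   # comment is stripped by the tokenizer
      }
    }
  }
NGINX

HARDENED_CONF = <<~'NGINX'
  http {
    server {
      location /app/ {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header Proxy "";
      }
    }
  }
NGINX
```

Feed the text of an nginx.conf (with includes already expanded) to httpoxy_findings; an empty array means every proxying block pins the Proxy header, and each entry otherwise names the block header, such as `location /app/`, that is still exposed. The second sample is the case a presence-only check gets wrong.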