ZAP – Httpoxy - Proxy Header Misuse

Details
Alert ID	10107
Alert Type	Active
Status	beta
Risk	High
CWE	20
WASC	20
Technologies Targeted	All
Tags	CWE-20 OWASP_2017_A09 OWASP_2021_A06
More Info	Scan Rule Help

Summary

The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments. This may allow attackers to:

Proxy the outgoing HTTP requests made by the web application
Direct the server to open outgoing connections to an address and port of their choosing or
Tie up server resources by forcing the vulnerable software to use a malicious proxy.

Solution

The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application.

Other Info

An outgoing message to http://192.168.0.11:1080/ was proxied via the host and port that ZAP injected into the HTTP Proxy header.

References

https://httpoxy.org/

Code

org/zaproxy/zap/extension/ascanrulesBeta/HttPoxyScanRule.java