Details
Alert ID 10107
Alert Type Active
Status beta
Risk High
CWE 20
WASC 20
Technologies Targeted All
Tags CWE-20
OWASP_2017_A09
OWASP_2021_A06
POLICY_QA_FULL
More Info Scan Rule Help

Summary

The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments. This may allow attackers to:

  • Proxy the outgoing HTTP requests made by the web application
  • Direct the server to open outgoing connections to an address and port of their choosing or
  • Tie up server resources by forcing the vulnerable software to use a malicious proxy.

Solution

The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application.

Other Info

An outgoing message to http://192.168.0.11:1080/ was proxied via the host and port that ZAP injected into the HTTP Proxy header.

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/HttPoxyScanRule.java