CVE-2016-5386: HTTPoxy/Golang HTTProxy namespace conflict

This exercise covers the exploitation of HTTPoxy against an old version of Golang

< 1 Hr.
Orange Badge


In this exercise, we delve into CVE-2016-5386, a vulnerability known as "HTTPoxy," which affects older versions of the Golang HTTP library when used as a CGI. The issue arises because the web server creates environment variables for each client header, prefixing them with `HTTP_` and capitalizing them. This mechanism inadvertently allows the creation of a `HTTP_PROXY` variable if a `Proxy:` header is injected, leading to potential exploitation.

To exploit this flaw, an attacker needs to add a `Proxy:` header with the URL of a system under their control. This will create an `HTTP_PROXY` environment variable in the CGI, causing the CGI to use the attacker’s proxy when making HTTP requests. This can lead to significant security breaches, especially if the client does not use TLS. The vulnerability has been mitigated in newer versions of Apache, which block the `Proxy:` header altogether.

Want to learn more? Get started with PentesterLab Pro! GO PRO