How the httpoxy vulnerability could be exploited

[Batu69]

 

The "httpoxy" exploit possibly affecting millions of web services is in the wild. As the vulnerability is not found in a single product, but it has a large possible surface area. The exact ways of how this could be exploited are limitless. Here are some ideas on how httpoxy exploits could be used to attack unsuspecting website visitors.

 

Even if you visit a website that fetches parts of the content via a HTTP API on a vulnerable machine, this does not make you directly vulnerable to attacks.

The Httpoxy exploit does not give the attacker direct access to your browser, but enables the attacker to possibly modify how the server functions. This depends on the application.

 

Instead the attacker can make a request to the web server which will make a request to another service. With the exploit the attacker making the request can direct the outgoing request to a server they control.

 

Instead of receiving the expected data the server receives, the request can direct the feed to be received from the attackers server. At a minimum the results might be cosmetic, but having this kind of access can have significal implications as HTTP APIs are now used frequently for all sorts of activities.

 

The attacker could use httpoxy to gain access tokens or passwords to the legitimate endpoints opening doors for more havoc. Also, the web applications are likely to have been built so that they consider the API endpoint trustworthy. So while the attacker may have limited exposure to the system via this method directly, it can likely be further exploited with XSS and data injection.

 

Article source