Tools for testing HTTPoxy vulnerability


I'm developing tools to test for the HTTPoxy vulnerability. The tool finds the CGI directory and adds a temporary file there that returns the HTTP_PROXY environment variable. The script then sends a GET request to this CGI file with the "Proxy" header set. If the environment variable is affected by the header, the server is vulnerable. The tool checks for this vulnerability on Apache web servers.


os, urllib2, argparse


usage: [-h] [-b] [-c CONF]

optional arguments:
  -h, --help              show this help message and exit
  -b, --boolean           Script returns 1 if server is vulnerable, 0 if server is not vulnerable
  -c CONF, --config CONF  Enter httpd.conf address

Sample Output

$sudo python
[+] Initiating Test
[?] Enter httpd.conf address: [Default: /etc/httpd/conf/httpd.conf]
[+] httpd.conf address was set to /etc/httpd/conf/httpd.conf
[+] Reading CGI-Directory Address from httpd.conf
[+] CGI-Directory was set to /var/www/cgi-bin/
[+] Initiating TestSuite
[+] Creating CGI File
[+] Setting Permissions
[+] Running Tests
[+] Sending Get Request to with proxy header set to
[+] Testing proxy in response
[+] Proxy was set in response
[-] ===== Server Vulnerable =====
[+] Cleaning up
[+] Done
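
The check described above, modelled on loopback as an added Python 3 example (not this project's code): a stand-in handler plays the role of the temporary CGI file and returns HTTP_PROXY, and the client sends a GET with the Proxy header set, once with the header passed through and once with it stripped before the CGI layer. The names `MARKER`, `cgi_environ`, `make_handler`, `proxy_header_reaches_env` and the `/cgi-bin/probe` path are assumptions made for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "http://httpoxy-test.invalid:8080"  # constructed marker value


def cgi_environ(headers, strip_proxy):
    """Build CGI meta-variables from request headers (RFC 3875: HTTP_<NAME>)."""
    env = {}
    for name, value in headers.items():
        if strip_proxy and name.lower() == "proxy":
            continue  # mitigation: drop the header before the CGI layer sees it
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def make_handler(strip_proxy):
    class ProbeHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Stand-in for the temporary CGI file: return HTTP_PROXY only.
            env = cgi_environ(self.headers, strip_proxy)
            body = env.get("HTTP_PROXY", "").encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass
    return ProbeHandler


def proxy_header_reaches_env(strip_proxy):
    """Return True if a request's Proxy header shows up as HTTP_PROXY."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(strip_proxy))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", "/cgi-bin/probe", headers={"Proxy": MARKER})
        body = conn.getresponse().read().decode()
        conn.close()
        return MARKER in body
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("unfiltered:", proxy_header_reaches_env(strip_proxy=False))
    print("Proxy header stripped:", proxy_header_reaches_env(strip_proxy=True))
```

On Apache, the stripped case corresponds to removing the Proxy request header before CGI handling, for example with mod_headers' `RequestHeader unset Proxy early`.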