HTTPoxy Poses New Threats For Web Site Owners

A recent article in Naked Security caught my eye the other day about a new web site vulnerability called HTTPoxy.  The name stands for HTTP requests and poisoned proxy settings.  Most web sites use a technology called Common Gateway Interface (CGI) to run applications such as site search, collect information submitted on web forms, display comments, run a forum, or display database queries such as pricing in a usable form on a web page.

The technical details of this vulnerability are explained in the Naked Security article, so I won’t repeat them here.  According to the HTTPoxy website, the solution is to block HTTP proxy requests before they reach the web application, and the site has instructions on how to accomplish that.
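As an added illustration (not code from this post or from httpoxy.org), the Python sketch below shows how a CGI gateway turns request headers into environment variables, a check that flags a request carrying a proxy header, and the gateway-side filter that the "block it before the application runs" mitigation amounts to; the sample request and the proxy host in it are constructed data.

```python
"""Added example (not from the original post or httpoxy.org): how a CGI
gateway maps request headers to environment variables (RFC 3875, 4.1.18),
why a client-sent "Proxy" header lands in HTTP_PROXY, the variable HTTP
client libraries honour, and a filter that drops it before the app runs."""
from typing import Dict, Tuple

# Constructed sample request head; the proxy header is the one HTTPoxy abuses.
SAMPLE_REQUEST = (
    "GET /cgi-bin/search?q=pricing HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "proxy: attacker-proxy.invalid:8080\r\n"  # lower case: header names are case-insensitive
    "\r\n"
)

def cgi_meta_variable(header_name: str) -> str:
    """RFC 3875: 'HTTP_' + header name upper-cased, with '-' replaced by '_'."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")

def parse_request_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw request head into the request line and a header dict."""
    request_line, _, rest = raw.partition("\r\n")
    headers: Dict[str, str] = {}
    for line in rest.split("\r\n"):
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return request_line, headers

def is_httpoxy_request(headers: Dict[str, str]) -> bool:
    """Detection: does any header, whatever its casing, map onto HTTP_PROXY?"""
    return any(cgi_meta_variable(n) == "HTTP_PROXY" for n in headers)

def build_cgi_env(headers: Dict[str, str], block_proxy: bool = True) -> Dict[str, str]:
    """Build the environment a gateway hands to the CGI script. With
    block_proxy=True any header that would become HTTP_PROXY is dropped, so
    the application (and its outbound HTTP client) never sees the poisoned value."""
    env: Dict[str, str] = {}
    for name, value in headers.items():
        meta = cgi_meta_variable(name)
        if block_proxy and meta == "HTTP_PROXY":
            continue
        env[meta] = value
    return env

if __name__ == "__main__":
    _, hdrs = parse_request_head(SAMPLE_REQUEST)
    print("suspicious request:", is_httpoxy_request(hdrs))
    print("HTTP_PROXY in filtered env:", "HTTP_PROXY" in build_cgi_env(hdrs))
```

The same idea is what web server rules such as unsetting the `Proxy` request header before it reaches CGI or FastCGI implement; the script only makes the header-to-variable step visible.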

The best and easiest solution is to run your website under HTTPS.  This requires installing an SSL security certificate on your website.  We just did this for a website we manage, and it was easily accomplished through the host, GoDaddy, for about $60 per year.  Or if you are frugal and technically savvy, Let's Encrypt or FreeSSL may be the solution you prefer.  This exploit will not work on an HTTPS website.

One of my current recommendations is to encrypt everything.  Any website owner ought to convert their site to HTTPS. The added benefit to your web site visitors is that their session is encrypted and protected from prying eyes and man-in-the-middle exploits, so this is basically just good operational security and great customer service.


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
