CVE-2016-5386: HTTPoxy/Golang HTTProxy namespace conflict

This exercise covers the exploitation of HTTPoxy against an old version of Golang.


In this exercise, we look at CVE-2016-5386, a vulnerability known as "HTTPoxy," which affects older versions of the Golang HTTP library when it is used in a CGI program. The issue arises because the web server creates an environment variable for each client header, prefixing the header name with `HTTP_` and capitalizing it. As a side effect, injecting a `Proxy:` header creates an `HTTP_PROXY` variable, which is the same name HTTP clients read for their proxy configuration. This namespace conflict is what makes exploitation possible.

To exploit this flaw, an attacker needs to add a `Proxy:` header with the URL of a system under their control. This creates an `HTTP_PROXY` environment variable in the CGI, causing the CGI to use the attacker's proxy when it makes HTTP requests. This can lead to significant security breaches, especially if the CGI's HTTP client does not use TLS. The vulnerability has been mitigated in newer versions of Apache, which block the `Proxy:` header altogether.
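The namespace conflict and two defensive checks, as an added Go example that is not code from the exercise or from the Go project. The function names and the `CGI_HTTP_PROXY` variable are assumptions made for illustration, and the request headers are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// cgiEnvName mirrors the CGI convention described above: the header name
// is upper-cased, '-' becomes '_', and HTTP_ is prefixed.
func cgiEnvName(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// buildCGIEnv models the environment a web server hands to a CGI child.
func buildCGIEnv(method string, headers map[string]string) map[string]string {
	env := map[string]string{"REQUEST_METHOD": method}
	for name, value := range headers {
		env[cgiEnvName(name)] = value
	}
	return env
}

// trustedProxy picks the outbound proxy. Under CGI (REQUEST_METHOD set),
// HTTP_PROXY is request-controlled, so only a name no header can produce
// is honoured. CGI_HTTP_PROXY is a hypothetical operator-set variable.
func trustedProxy(env map[string]string) string {
	if env["REQUEST_METHOD"] != "" {
		return env["CGI_HTTP_PROXY"]
	}
	return env["HTTP_PROXY"]
}

// stripProxyHeader is the server-side mitigation: drop Proxy before the
// request reaches the CGI.
func stripProxyHeader(headers map[string]string) map[string]string {
	out := make(map[string]string, len(headers))
	for name, value := range headers {
		if !strings.EqualFold(name, "Proxy") {
			out[name] = value
		}
	}
	return out
}

func main() {
	headers := map[string]string{"Proxy": "http://proxy.example.invalid:8080"} // constructed
	env := buildCGIEnv("GET", headers)
	fmt.Printf("HTTP_PROXY seen by CGI: %q\n", env["HTTP_PROXY"])
	fmt.Printf("proxy used by hardened client: %q\n", trustedProxy(env))
}
```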
