Skip to content
Nuclei Templates

Open Proxy to Other Web Ports via Proxy's localhost Interface

ID: open-proxy-localhost

Severity: high

Author: sullo

Tags: exposure,config,proxy,misconfig,fuzz

Description

Section titled “Description”

The host is configured as a proxy which allows access to web ports on the host’s internal interface.

YAML Source

Section titled “YAML Source”
id: open-proxy-localhost


info:
  name: Open Proxy to Other Web Ports via Proxy's localhost Interface
  author: sullo
  severity: high
  description: The host is configured as a proxy which allows access to web ports on the host's internal interface.
  remediation: Disable the proxy or restrict configuration to only allow access to approved hosts/ports.
  reference:
    - https://blog.projectdiscovery.io/abusing-reverse-proxies-internal-access/
    - https://en.wikipedia.org/wiki/Open_proxy
    - https://www.acunetix.com/vulnerabilities/web/apache-configured-to-run-as-proxy/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cwe-id: CWE-441
  metadata:
    max-request: 6
  tags: exposure,config,proxy,misconfig,fuzz


http:
  - raw:
      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}


      - |+
        GET http://somethingthatdoesnotexist/ HTTP/1.1
        Host: somethingthatdoesnotexist


      - |+
        GET http://127.0.0.1/ HTTP/1.1
        Host: 127.0.0.1


      - |+
        GET https://127.0.0.1/ HTTP/1.1
        Host: 127.0.0.1


      - |+
        GET http://localhost/ HTTP/1.1
        Host: localhost


      - |+
        GET https://localhost/ HTTP/1.1
        Host: localhost


    unsafe: true
    stop-at-first-match: true
    matchers:
      - type: dsl
        condition: or
        dsl:
          - (!contains(body_1, "<title>IIS7</title>") && !contains(body_2, "<title>IIS7</title>")) && (contains(body_3, "<title>IIS7</title>") || contains(body_4, "<title>IIS7</title>") || contains(body_5, "<title>IIS7</title>") || contains(body_6, "<title>IIS7</title>"))
          - (!contains(body_1, "503 Service Unavailable") && !contains(body_2, "503 Service Unavailable")) && (contains(body_3, "503 Service Unavailable") || contains(body_4, "503 Service Unavailable") || contains(body_5, "503 Service Unavailable") || contains(body_6, "503 Service Unavailable"))
          - (!contains(body_1, "default welcome page") && !contains(body_2, "default welcome page")) && (contains(body_3, "default welcome page") || contains(body_4, "default welcome page") || contains(body_5, "default welcome page") || contains(body_6, "default welcome page"))
          - (!contains(body_1, "IIS Windows Server") && !contains(body_2, "IIS Windows Server")) && (contains(body_3, "IIS Windows Server") || contains(body_4, "IIS Windows Server") || contains(body_5, "IIS Windows Server") || contains(body_6, "IIS Windows Server"))
          - (!contains(body_1, "Microsoft Azure App") && !contains(body_2, "Microsoft Azure App")) && (contains(body_3, "Microsoft Azure App") || contains(body_4, "Microsoft Azure App") || contains(body_5, "Microsoft Azure App") || contains(body_6, "Microsoft Azure App"))
          - (!contains(body_1, "Welcome to IIS") && !contains(body_2, "Welcome to IIS")) && (contains(body_3, "Welcome to IIS") || contains(body_4, "Welcome to IIS") || contains(body_5, "Welcome to IIS") || contains(body_6, "Welcome to IIS"))
          - (!contains(body_1, "Welcome to Microsoft Windows") && !contains(body_2, "Welcome to Microsoft Windows")) && (contains(body_3, "Welcome to Microsoft Windows") || contains(body_4, "Welcome to Microsoft Windows") || contains(body_5, "Welcome to Microsoft Windows") || contains(body_6, "Welcome to Microsoft Windows"))
          - (!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows"))
          - (!contains(body_1, "Welcome to Windows") && !contains(body_2, "Welcome to Windows")) && (contains(body_3, "Welcome to Windows") || contains(body_4, "Welcome to Windows") || contains(body_5, "Welcome to Windows") || contains(body_6, "Welcome to Windows"))
          - (!contains(body_1, "It works") && !contains(body_2, "It works")) && (contains(body_3, "It works") || contains(body_4, "It works") || contains(body_5, "It works") || contains(body_6, "It works"))
# digest: 4a0a0047304502203a0cc8770a38f2c13df7996171ec3bcd5ab9cc13d6c132daf9a4424ec763c358022100ba19828892fe8e9d10f5e7d9399aa5c0df04961672aa0581eb4ed60840aad12f:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/misconfiguration/proxy/open-proxy-localhost.yaml"

View on Github