Last active Mar 26, 2019
PHP Httpoxy example

A simple example of the httpoxy exploit. This example uses HTTP_AUTH_PASSWORD instead of HTTP_PROXY because PHP blacklisted the latter.


  1. Install Caddy.
  2. Install PHP and start php-fpm on port 9000.
  3. Copy Caddyfile and index.php from this example into a directory.
  4. Start Caddy: just type caddy in the directory from the last step.


If you run curl localhost:8080, the server will output the value of HTTP_AUTH_PASSWORD we set in the Caddyfile. If you pass the Auth-Password header, it will override the environment variable.

» curl localhost:8080 
string(9) "secret123"
» curl -H 'Auth-Password: hunter2' localhost:8080
string(7) "hunter2"
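
# Caddyfile
# Site address: the one the curl commands above talk to.
localhost:8080

# FastCGI endpoint: php-fpm on port 9000, as started in step 2.
fastcgi / 127.0.0.1:9000 php {
    # Server-side value that a request header can collide with.
    env HTTP_AUTH_PASSWORD secret123
}

# Send every request to index.php.
rewrite {
    regexp .*
    ext /
    to /index.php?{query}
}

log stdout
errors stdout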
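
The override shown in the curl output comes from how CGI/FastCGI parameters are built: every request header is renamed to HTTP_<NAME> and lands in the same namespace as the server's own variables. The following is an added illustration, not part of the original gist or of Caddy or PHP; the function names are hypothetical, and the merge order (configured env first, headers second) is an assumption chosen to match the behaviour the gist demonstrates. It models the collision, a gateway-side filter that drops colliding headers, and a config check for variables that live in the client-reachable HTTP_ namespace.

```python
# Added illustration (not the gist's code). Assumption: the server copies its
# configured env into the FastCGI params first and request headers second,
# which matches the override the curl output above shows.

def header_to_param(name: str) -> str:
    """RFC 3875 4.1.18 mapping: upper-case, '-' becomes '_', prefix HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")

def build_params_naive(server_env: dict, headers: dict) -> dict:
    """Request headers are written last, so they win on a name collision."""
    params = dict(server_env)
    for name, value in headers.items():
        params[header_to_param(name)] = value
    return params

def build_params_hardened(server_env: dict, headers: dict):
    """Drop any header whose CGI name collides with a configured variable."""
    params, dropped = dict(server_env), []
    for name, value in headers.items():
        key = header_to_param(name)
        if key in server_env:
            dropped.append(name)  # worth logging: client sent a colliding header
            continue
        params[key] = value
    return params, dropped

def spoofable_names(server_env: dict) -> list:
    """Config lint: any configured name starting with HTTP_ is client-reachable."""
    return sorted(k for k in server_env if k.startswith("HTTP_"))

if __name__ == "__main__":
    env = {"HTTP_AUTH_PASSWORD": "secret123"}   # value from the Caddyfile
    hdrs = {"Auth-Password": "hunter2"}         # header from the curl example
    print(build_params_naive(env, {})["HTTP_AUTH_PASSWORD"])
    print(build_params_naive(env, hdrs)["HTTP_AUTH_PASSWORD"])
    print(build_params_hardened(env, hdrs))
    print(spoofable_names(env))
```

Renaming the configured variable so it does not start with HTTP_ (and reading that name in the application) removes the collision at its source; the filter is a fallback for names that cannot be changed.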