Blue Byte
Path traversal via alias misconfiguration in Nginx

Nginx is undoubtedly one of the most widely used web servers today (it also offers other features, such as reverse proxying). Therefore, as hackers, we have an obligation to become familiar with this technology and explore its particularities. Today we will focus specifically on a security misconfiguration in the alias directive, which maps a location to a filesystem path that differs from the one implied by the URI.

location /images/ {
    alias /var/www/app/img/;
}

If the trailing slash is omitted from the location value (location /images instead of location /images/), Nginx appends whatever follows the matched prefix to the alias path, so a request for /images../config.php resolves to /var/www/app/img/../config.php, i.e. /var/www/app/config.php. This makes it possible to request sensitive files outside the aliased directory by traversing the file system.

In a real example, I found such a misconfiguration and then fuzzed directories as follows and found some juicy files:

ffuf -u http://redacted.com/assets../FUZZ -w raft-medium-files.txt

403 Bypass

In the example below, location = matches the URI exactly, so the deny applies only to /admin. Simply requesting the /admin/ route (with the slash at the end) does not hit this block, which bypasses the access control that would otherwise return 403 Forbidden.

location = /admin {
    deny all;
}
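Both misconfigurations above (an alias behind a location without a trailing slash, and deny all behind an exact-match location) can be caught by reading the configuration before it is deployed. The following Python script is an added example, not code from this post or from the Nginx project: it runs both checks over a constructed sample config and also models how a prefix location plus alias maps a URI to a file path, which shows why adding the trailing slash fixes the first problem. The sample config, the rule names and the resolve_alias model are assumptions for illustration; the model is deliberately simplified (no percent-decoding, no regex locations).

```python
import posixpath
import re
from dataclasses import dataclass

# Constructed sample nginx.conf fragment (not a real deployment); it contains
# one instance of each misconfiguration and one safe counterpart for each.
SAMPLE_CONFIG = """
server {
    listen 80;

    # Risky: no trailing slash on the location, but the alias has one.
    location /images {
        alias /var/www/app/img/;
    }

    # Safe: trailing slash on both sides.
    location /static/ {
        alias /var/www/app/static/;
    }

    # Risky: exact match only covers /admin, so /admin/ falls through.
    location = /admin {
        deny all;
    }

    # Safe: prefix match covers /private, /private/ and everything beneath.
    location ^~ /private {
        deny all;
    }
}
"""

LOCATION_RE = re.compile(r"\blocation\s+(?P<mod>=|\^~|~\*|~)?\s*(?P<path>\S+)\s*\{")


@dataclass
class Finding:
    rule: str
    location: str
    detail: str


def _block_body(text: str, open_idx: int) -> str:
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in config")


def lint_nginx_config(config: str) -> list[Finding]:
    """Scan every location block for the two misconfigurations discussed."""
    config = re.sub(r"#.*", "", config)  # drop comments first
    findings = []
    for m in LOCATION_RE.finditer(config):
        mod, path = m.group("mod"), m.group("path")
        body = _block_body(config, m.end() - 1)  # m.end() - 1 is the '{'
        alias = re.search(r"\balias\s+([^;]+);", body)
        # Rule 1: prefix location without trailing slash + alias with one.
        # Nginx appends the rest of the URI to the alias, so "/images../x"
        # becomes "/var/www/app/img/../x".
        if (alias and mod is None and not path.endswith("/")
                and alias.group(1).strip().endswith("/")):
            findings.append(Finding("alias_traversal", path,
                f"use 'location {path}/' so that '{path}..' no longer matches"))
        # Rule 2: exact-match location used as an access control; the
        # trailing-slash variant of the path is not covered by "location =".
        if mod == "=" and re.search(r"\bdeny\s+all\s*;", body):
            findings.append(Finding("exact_match_deny", path,
                f"'{path}/' is not denied; use a prefix match such as 'location ^~ {path}'"))
    return findings


def resolve_alias(location: str, alias: str, uri: str):
    """Simplified model (assumption: no percent-decoding, no regex locations)
    of how a prefix location plus alias maps a URI to a file path. Returns
    None when the location does not match the URI at all."""
    if not uri.startswith(location):
        return None
    return posixpath.normpath(alias + uri[len(location):])


if __name__ == "__main__":
    for f in lint_nginx_config(SAMPLE_CONFIG):
        print(f"[{f.rule}] location {f.location}: {f.detail}")
    # Why the trailing slash matters: the same URI against both spellings.
    print(resolve_alias("/images", "/var/www/app/img/", "/images../config.php"))
    print(resolve_alias("/images/", "/var/www/app/img/", "/images../config.php"))
```

The fix for the first finding is to write location /images/ so that a URI such as /images../config.php no longer matches the prefix at all. For the second, a prefix match (location ^~ /admin or plain location /admin) covers /admin, /admin/ and everything beneath it; note that it also covers /administrator, which is usually acceptable for a deny rule.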

Another very interesting trick, when Nginx proxies traffic to Tomcat, is taking advantage of open redirections, which occur because the content after the first slash in the URI is reflected in the Location header of the redirect response.

http://redacted.com//evil.com/..;/css
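On the detection side, each of the three request shapes discussed in this post leaves a recognisable trace in the access log. The following Python snippet is an added example and not part of the original post: it parses Nginx combined-format log lines and flags the off-by-slash pattern (a path segment directly followed by ..), the Tomcat ..;/ path-parameter trick, protocol-relative // URIs, and non-403 responses to the trailing-slash variant of a path that is supposed to be denied. The log lines, IP addresses and the PROTECTED_EXACT list are constructed for the example.

```python
import re
from typing import Iterable

# Regex for the Nginx "combined" log format up to the status and size fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths the config denies with an exact match (location = ...). Hypothetical
# value for this example; adjust to the deployment being monitored.
PROTECTED_EXACT = ("/admin",)

# A segment immediately followed by ".." with no slash in between, e.g.
# "/images../x" or "/assets..": the signature of alias traversal. Normal
# "/a/../b" traversal is not matched here because "/" precedes the dots.
ALIAS_TRAVERSAL_RE = re.compile(r"[^/]\.\.(?:/|$)")
# Tomcat path-parameter trick: "..;/" collapses a segment after proxying.
TOMCAT_PARAM_RE = re.compile(r"\.\.;/")

# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /images../config.php HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /assets../.env HTTP/1.1" 404 153 "-" "curl/8.4.0"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /admin HTTP/1.1" 403 162 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /admin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:11 +0000] "GET //evil.com/..;/css HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()


def classify_path(path: str, status: str) -> list[str]:
    """Return the detection rules a request path triggers (empty if none)."""
    rules = []
    if ALIAS_TRAVERSAL_RE.search(path):
        rules.append("alias_traversal")
    if TOMCAT_PARAM_RE.search(path):
        rules.append("tomcat_path_parameter")
    if path.startswith("//"):
        rules.append("protocol_relative_uri")
    stripped = path.rstrip("/")
    # Trailing-slash variant of an exact-match-protected path that was not
    # denied: the "location =" bypass described above.
    if stripped in PROTECTED_EXACT and path != stripped and status != "403":
        rules.append("exact_match_deny_bypass")
    return rules


def suspicious_requests(lines: Iterable[str]) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, path, rules) for every log line that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        rules = classify_path(path, m.group("status"))
        if rules:
            hits.append((m.group("ip"), path, rules))
    return hits


if __name__ == "__main__":
    for ip, path, rules in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(rules)}")
```

The 404 on /assets../.env is still reported: a probe that happened to miss is the same signal as one that hit, and a burst of such requests from one client is the pattern to alert on. Feed the function real log lines with something like suspicious_requests(open("access.log")) after adjusting PROTECTED_EXACT.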

Easy, isn't it?
Next time you have the opportunity to test an Nginx server, stay alert!
