Nginx is undoubtedly one of the most widely used web servers today (it also provides other features, such as reverse proxying). Therefore, as hackers, we have an obligation to become familiar with this technology and explore its particularities. Today, however, we will focus specifically on a security misconfiguration in the alias directive, which defines an alternative filesystem path for a given location.
location /images/ {
alias /var/www/app/img/;
}
The block above is the safe form. If the location value does not end with a slash (location /images instead of location /images/), nginx still matches any URI that begins with /images, strips that prefix, and appends whatever remains to the alias path. A request such as /images../config.php is therefore resolved to /var/www/app/img/../config.php, which escapes the aliased directory and makes it possible to read sensitive files by traversing the file system.
In a real example, I found such a misconfiguration and then fuzzed directories as follows and found some juicy files:
ffuf -u http://redacted.com/assets../FUZZ -w raft-medium-files.txt
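As an added example (not code from the original post), a small Python check that flags this off-by-slash pattern in an nginx configuration and shows the filesystem path an affected request maps to. The sample configuration is constructed for illustration; the regexes assume simple, non-nested location blocks.

```python
import os
import re

# Prefix-match location blocks (with optional "=" or "^~" modifier) and the
# alias directive inside them. Regex locations (~, ~*) are intentionally skipped.
LOCATION_RE = re.compile(r'location\s+(?:(=|\^~)\s+)?(/[^\s{]*)\s*\{([^}]*)\}', re.S)
ALIAS_RE = re.compile(r'\balias\s+([^;]+);')

# Constructed sample config: one vulnerable alias, one safe alias, one exact match.
SAMPLE_CONFIG = """
server {
    location /images {            # no trailing slash: off-by-slash
        alias /var/www/app/img/;
    }
    location /static/ {           # trailing slash: safe
        alias /var/www/app/static/;
    }
    location = /admin {
        deny all;
    }
}
"""


def resolve_alias(location, alias, uri):
    """Path nginx serves for `uri` under a prefix location with `alias`,
    or None when the URI does not start with the location prefix.
    Mirrors the alias rule: matched prefix replaced by the alias value,
    remainder of the URI appended verbatim, then normalised."""
    if not uri.startswith(location):
        return None
    return os.path.normpath(alias + uri[len(location):])


def find_off_by_slash(config):
    """Return (prefix, alias) pairs where a prefix location lacks a trailing
    slash: /images.. still matches /images, so '../' lands after the alias."""
    findings = []
    for modifier, prefix, body in LOCATION_RE.findall(config):
        if modifier == '=':          # exact match: nothing is appended
            continue
        m = ALIAS_RE.search(body)
        if m and not prefix.endswith('/'):
            findings.append((prefix, m.group(1).strip()))
    return findings


if __name__ == '__main__':
    for prefix, alias in find_off_by_slash(SAMPLE_CONFIG):
        print(prefix, '->', resolve_alias(prefix, alias, prefix + '../config.php'))
```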
403 Bypass
In the example below, you would simply need to request the /admin/ route (with the trailing slash) to bypass an access control that would otherwise return 403 Forbidden: the = modifier makes the location an exact match, so only /admin itself is denied.
location = /admin {
deny all;
}
Another very interesting trick, when Nginx proxies traffic to Tomcat, is taking advantage of open redirects, which occur because the content after the first slash in the URI is reflected in the Location header:
http://redacted.com//evil.com/..;/css
Easy, isn't it?
Next time you have the opportunity to test an Nginx server, stay alert!