by schwag09
1576 days ago
This article briefly mentions a very useful analysis tool for NGINX configuration: Gixy. It looks for the following misconfigurations[0]:

- [ssrf] Server Side Request Forgery
- [http_splitting] HTTP Splitting
- [origins] Problems with referrer/origin validation
- [add_header_redefinition] Redefining of response headers by "add_header" directive
- [host_spoofing] Request's Host header forgery
- [valid_referers] none in valid_referers
- [add_header_multiline] Multiline response headers
- [alias_traversal] Path traversal via misconfigured alias

The alias traversal gotcha is one of the most pernicious I've seen. A single, seemingly innocuous '/' is the difference between a path traversal vulnerability or not.

[0]: https://github.com/yandex/gixy#what-it-can-do
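To make the "one slash" point concrete, here is an added example (not part of the comment above, and not Gixy's code) that models how nginx's `alias` substitutes the matched `location` prefix into a filesystem path, shows why `/static../etc/passwd` escapes the alias directory when the location is written as `/static` but not as `/static/`, and runs an approximation of Gixy's `alias_traversal` rule over a small constructed config. The `AliasLocation` class, the function names and the sample config are all assumptions made for the example.

```python
"""Model of nginx "alias" path mapping plus a check for the location/alias
trailing-slash mismatch.  Added example, not Gixy's code; CONFIG is constructed."""
import posixpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class AliasLocation:
    prefix: str   # location prefix as written, e.g. "/static" or "/static/"
    alias: str    # alias path as written, e.g. "/var/www/static/"


def map_request(loc: AliasLocation, uri: str) -> Optional[str]:
    """Return the filesystem path nginx would open for `uri`, or None if the
    prefix location does not match.  nginx resolves "." and ".." segments in
    the URI before location matching, so "/static/../etc/passwd" becomes
    "/etc/passwd" and never reaches the location; "static.." is one segment
    and survives normalisation untouched."""
    uri = posixpath.normpath(uri)
    if not uri.startswith(loc.prefix):
        return None
    # alias replaces exactly the matched prefix with the alias path.  Nothing
    # re-inserts a "/" boundary, which is why "/static" + "/var/www/static/"
    # turns "/static../x" into "/var/www/static/../x".
    return loc.alias + uri[len(loc.prefix):]


def escapes_alias_root(loc: AliasLocation, uri: str) -> bool:
    """True if the resolved path lies outside the alias directory."""
    fs_path = map_request(loc, uri)
    if fs_path is None:
        return False
    resolved = posixpath.normpath(fs_path)   # the kernel resolves ".." here
    root = posixpath.normpath(loc.alias)
    return not (resolved == root or resolved.startswith(root + "/"))


LOCATION_RE = re.compile(r"location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{([^{}]*)\}")
ALIAS_RE = re.compile(r"\balias\s+([^;\s]+)\s*;")


def flag_alias_traversal(config: str) -> list:
    """Approximation of Gixy's alias_traversal rule (assumption, not its code):
    a prefix location without a trailing "/" whose alias path ends in "/"."""
    findings = []
    for modifier, path, body in LOCATION_RE.findall(config):
        if modifier in ("=", "~", "~*"):
            continue   # exact and regex locations follow different rules
        m = ALIAS_RE.search(body)
        if m and not path.endswith("/") and m.group(1).endswith("/"):
            findings.append(path)
    return findings


# Constructed sample config: the first location is the classic mistake, the
# second is the same idea written correctly.
CONFIG = """
server {
    location /static {
        alias /var/www/static/;
    }
    location /assets/ {
        alias /var/www/assets/;
    }
}
"""

VULNERABLE = AliasLocation("/static", "/var/www/static/")
FIXED = AliasLocation("/static/", "/var/www/static/")
PROBE = "/static../etc/passwd"

if __name__ == "__main__":
    print("flagged locations:", flag_alias_traversal(CONFIG))
    for name, loc in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(f"{name}: {PROBE} -> {map_request(loc, PROBE)} "
              f"(escapes alias dir: {escapes_alias_root(loc, PROBE)})")
```

The fix is the trailing slash on the location (`location /static/`), which makes the prefix itself carry the directory boundary so `/static../` no longer matches; a regex location that captures the remainder explicitly is the other common remedy. Note that the naive `/static/../etc/passwd` probe is harmless against either form because nginx normalises it away before matching, which is exactly why scanners use the `static..` variant.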