Nginx misconfigurations
Last updated
Last updated
Nginx misconfigurations:
Missing root location
Unsafe variable use
Raw backend response reading
merge_slashes set to off
The root directive specifies the root folder for Nginx. In the above example, the root folder is /etc/nginx
which means that we can reach files within that folder. The above configuration does not have a location for / (location / {...})
, only for /hello.txt
. Because of this, the root
directive will be globally set, meaning that requests to /
will take you to the local path /etc/nginx
.
A request as simple as GET /nginx.conf
would reveal the contents of the Nginx configuration file stored in /etc/nginx/nginx.conf
. If the root is set to /etc
, a GET
request to /nginx/nginx.conf
would reveal the configuration file. In some cases it is possible to reach other configuration files, access-logs and even encrypted credentials for HTTP basic authentication.
Of the nearly 50,000 Nginx configuration files we collected, the most common root paths were the following:
With the Off-by-slash misconfiguration, it is possible to traverse one step up the path due to a missing slash. Orange Tsai made this technique well known in his Blackhat talk “Breaking Parser Logic!” In this talk he showed how a missing trailing slash in the location
directive combined with the alias
directive can make it possible to read the source code of the web application. What is less well known is that this also works with other directives like proxy_pass
. Let’s break down what is happening and why this works.
With an Nginx server running the following configuration that is reachable at server
, it might be assumed that only paths under http://apiserver/v1/
can be accessed.
When http://server/api/user
is requested, Nginx will first normalize the URL. It then looks to see if the prefix /api
matches the URL, which it does in this case. The prefix is then removed from the URL so the path /user
is left. This path is then added to the proxy_pass
URL which results in the final URL http://apiserver/v1//user
. Note that there is a double slash in the URL since the location directive does not end in a slash and the proxy_pass
URL path ends with a slash. Most web servers will normalize http://apiserver/v1//user
to http://apiserver/v1/user
, which means that even with this misconfiguration everything will work as expected and it could go unnoticed.
This misconfiguration can be exploited by requesting http://server/api../
which will result in Nginx requesting the URL http://apiserver/v1/../
that is normalized to http://apiserver/
. The impact that this can have depends on what can be reached when this misconfiguration is exploited. It could for example lead to the Apache server-status being exposed with the URL http://server/api../server-status
, or it could make paths accessible that were not intended to be publicly accessible.
One sign that a Nginx server has this misconfiguration is the server still returns the same response when a slash in the URL is removed. For example, if both http://server/api/user
and http://server/apiuser
return the same response, the server might be vulnerable. This would lead to the following requests being sent:
Some frameworks, scripts and Nginx configurations unsafely use the variables stored by Nginx. This can lead to issues such as XSS, bypassing HttpOnly-protection, information disclosure and in some cases even RCE.
With a configuration such as the following:
The main issue will be that Nginx will send any URL to the PHP interpreter ending in .php
even if the file doesn’t exist on disc. This is a common mistake in many Nginx configurations, as outlined in the “Pitfalls and Common Mistakes” document created by Nginx.
An XSS will occur if the PHP-script tries to define a base URL based on SCRIPT_NAME
;
Another misconfiguration related to Nginx variables is to use $uri
or $document_uri
instead of $request_uri
. $uri
and $document_uri
contain the normalized URI whereas the normalization
in Nginx includes URL decoding the URI. Volema found that $uri
is commonly used when creating redirects in the Nginx configuration which results in a CRLF injection.
An example of a vulnerable Nginx configuration is:
The new line characters for HTTP requests are \r (Carriage Return) and \n (Line Feed). URL-encoding the new line characters results in the following representation of the characters %0d%0a
. When these characters are included in a request like http://localhost/%0d%0aDetectify:%20clrf
to a server with the misconfiguration, the server will respond with a new header named Detectify
since the $uri variable contains the URL-decoded new line characters.
Learn more about the risks of CRLF injection and response splitting at https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/.
In some cases, user-supplied data can be treated as an Nginx variable. It’s unclear why this may be happening, but it’s not that uncommon or easy to test for as seen in this H1 report. If we search for the error message, we can see that it is found in the SSI filter module, thus revealing that this is due to SSI.
One way to test for this is to set a referer header value:
We scanned for this misconfiguration and found several instances where a user could print the value of Nginx variables. The number of found vulnerable instances has declined which could indicate that this was patched.
With Nginx’s proxy_pass
, there’s the possibility to intercept errors and HTTP headers created by the backend. This is very useful if you want to hide internal error messages and headers so they are instead handled by Nginx. Nginx will automatically serve a custom error page if the backend answers with one. But what if Nginx does not understand that it’s an HTTP response?
If a client sends an invalid HTTP request to Nginx, that request will be forwarded as-is to the backend, and the backend will answer with its raw content. Then, Nginx won’t understand the invalid HTTP response and just forward it to the client. Imagine a uWSGI application like this:
And with the following directives in Nginx:
proxy_intercept_errors will serve a custom response if the backend has a response status greater than 300. In our uWSGI application above, we will send a 500 Error
which would be intercepted by Nginx.
proxy_hide_header is pretty much self explanatory; it will hide any specified HTTP header from the client.
If we send a normal GET
request, Nginx will return:
But if we send an invalid HTTP request, such as:
We will get the following response:
The merge_slashes directive is set to “on” by default which is a mechanism to compress two or more forward slashes into one, so ///
would become /
. If Nginx is used as a reverse-proxy and the application that’s being proxied is vulnerable to local file inclusion, using extra slashes in the request could leave room for exploit it. This is described in detail by Danny Robinson and Rotem Bar.
We found 33 Nginx configuration files with merge_slashes
set to “off”.
We have created a GitHub repository where you can use Docker to set up your own vulnerable Nginx test server with some of the misconfigurations discussed in this article and try finding them yourself!