Missing root location. The root directive specifies the directory Nginx serves files from. In the configuration this section describes, root is set at server level to /etc/nginx, which means that we can reach files within that folder. The configuration does not have a location for / (location / {...}), only for /hello.txt. Because of this, the server-level root applies to every request that no other location matches, so a request to / maps to the local path /etc/nginx. A request as simple as GET /nginx.conf would reveal the contents of the Nginx configuration file stored in /etc/nginx/nginx.conf. If the root were set to /etc, a GET request to /nginx/nginx.conf would reveal the same file. Depending on what the directory contains and what the worker process is allowed to read, it is sometimes possible to reach other configuration files, access logs and even the password file used for HTTP basic authentication (which stores password hashes rather than encrypted credentials, so it can be cracked offline). The fix is to define an explicit location / (or to set root only inside the locations that need it) and never to point root at a directory that holds configuration or credentials.

Unsafe variable use: $uri and $document_uri. $uri (and its alias $document_uri) holds the request path after Nginx has URL-decoded and normalized it, so when a directive such as return or add_header interpolates it into a response header, whatever the client encoded into the path is written into that header in decoded form. The new line characters of HTTP are \r (carriage return) and \n (line feed); URL-encoded, they are %0d%0a
When these characters are included in a request like http://localhost/%0d%0aDetectify:%20clrf to a server with the misconfiguration, the response carries a new header named Detectify, because the $uri variable contains the URL-decoded new line characters and they terminate the header that was being built (the Location header, in the case of a redirect). The fix is to interpolate $request_uri, which holds the original, still-encoded request URI, or to constrain the location with a regular expression so that only expected characters ever reach the directive.

Raw backend response reading. With Nginx's proxy_pass
, there is the possibility to intercept errors and HTTP headers created by the backend. This is useful if you want to hide internal error messages and headers so that Nginx handles them instead: proxy_intercept_errors makes Nginx serve its own error page (configured with error_page) whenever the backend answers with a status code of 300 or above, and proxy_hide_header strips the named headers from the backend response before it reaches the client. But what if Nginx does not understand that what the backend sent is an HTTP response? Both directives act only on a response that Nginx has parsed as HTTP. A backend that answers 500 Error to a normal GET request is intercepted, and Nginx returns its own error page with the backend's headers hidden. If the backend's status line cannot be parsed as HTTP/x.y (for example because a malformed request line was relayed to the backend and echoed back in its status line), Nginx treats the response as headerless and streams the backend's bytes to the client as they are: the original status line, every header including those listed in proxy_hide_header, and the body with whatever internal error message it carries. Do not rely on the proxy to strip secrets that the backend should not be emitting in the first place.
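The two request-level checks above (the $uri CRLF injection and the raw backend response reading) can be driven from a small raw-socket script. The following is an added example, not code from the original page or from Detectify; the target host and port, the marker name Detectify, the malformed version token XTTP/1.1, the path /? and the two sample responses are assumptions constructed for the example:

```python
"""Raw-socket probes for the two proxy behaviours described above (added example)."""
import socket
import sys
from urllib.parse import unquote


def build_request(method: str, target: str, host: str, version: str = "HTTP/1.1") -> bytes:
    """Assemble a raw request line plus minimal headers.

    A bogus version token such as "XTTP/1.1" (an assumption, used here as an example
    of a request line that is not valid HTTP/1.x) is the malformed probe."""
    lines = [f"{method} {target} {version}", f"Host: {host}", "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")


def crlf_probe_path(marker: str = "Detectify") -> str:
    """The request path from the text: %0d%0a decodes to CR LF, then a fake header."""
    return f"/%0d%0a{marker}:%20clrf"


def decoded_uri(path: str) -> str:
    """What $uri holds after nginx URL-decodes the request path."""
    return unquote(path)


def parse_response(raw: bytes):
    """Split raw bytes into (status line, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def backend_passthrough(raw: bytes) -> bool:
    """True when a non-empty status line is not HTTP/x.y.

    proxy_intercept_errors and proxy_hide_header only act on a response nginx has
    parsed as HTTP; anything else is streamed to the client unchanged."""
    status, _, _ = parse_response(raw)
    return bool(status) and not status.startswith("HTTP/")


def crlf_injected(raw: bytes, marker: str = "Detectify") -> bool:
    """True if the marker came back as a response header of its own."""
    _, headers, _ = parse_response(raw)
    return marker.lower() in headers


def send_raw(host: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Send payload and read until the server closes the connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def probe(host: str, port: int) -> dict:
    """Run both checks against a live target (only one you are authorised to test)."""
    crlf = send_raw(host, port, build_request("GET", crlf_probe_path(), host))
    raw = send_raw(host, port, build_request("GET", "/?", host, version="XTTP/1.1"))
    return {"crlf_header_injection": crlf_injected(crlf),
            "raw_backend_passthrough": backend_passthrough(raw)}


# Constructed sample responses shaped like the two outcomes described in the text.
INTERCEPTED = (b"HTTP/1.1 500 Internal Server Error\r\nServer: nginx\r\n"
               b"Content-Type: text/html\r\nConnection: close\r\n\r\n<html>custom error page</html>")
PASSED_THROUGH = (b"XTTP/1.1 500 Error\r\nContent-Type: text/html\r\n"
                  b"Secret-Header: secret-info\r\n\r\nSecret info, should not be visible!")

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        print("decoded $uri:", repr(decoded_uri(crlf_probe_path())))
        print("intercepted sample passed through?", backend_passthrough(INTERCEPTED))
        print("malformed sample passed through?", backend_passthrough(PASSED_THROUGH))
```

Run it with a host and port to send both probes; with no arguments it only exercises the parsing on the constructed samples. The raw-passthrough check depends on nginx relaying a request line it does not itself parse as HTTP/1.x; nginx 1.21.1 and later reject request lines containing extra spaces or control characters with a 400 of their own, so a 400 from nginx means the probe never reached the backend, not that the backend is safe.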
merge_slashes set to off. The merge_slashes directive is "on" by default; it compresses two or more consecutive forward slashes into one, so /// would become /. If Nginx is used as a reverse proxy and the application behind it is vulnerable to local file inclusion, extra slashes in the request could leave room to exploit it: with merge_slashes off the slashes reach the backend unnormalized, and Nginx's prefix locations (and any access rules attached to them) are matched against a path that differs from the one the backend finally resolves. This is described in detail by Danny Robinson and Rotem Bar. Any configuration with merge_slashes set to "off" deserves a closer look; unless a backend genuinely needs the raw path, leave the directive at its default.
The map directive is frequently used for some kind of authorization control: a map from $uri to a flag that a location then tests before serving private content. The nginx documentation describes the default parameter as follows: the default value sets the resulting value if the source value matches none of the specified variants; when default is not specified, the default resulting value will be an empty string. The simplified example this section describes declares no default value. A malefactor can therefore bypass this "authorization control" simply by requesting a non-existent case inside /map-poc, such as https://targethost.com/map-poc/another-private-area: the mapped variable is the empty string, a check that denies only on a specific value does not fire, and the private handler runs. Always declare a deny-by-default value (default 0;) and, where possible, list the paths that are allowed rather than the ones that are forbidden.
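The four configuration-level patterns discussed above (a server-level root with no location /, $uri interpolated into return or add_header, merge_slashes off, and a map with no default) can be caught by reading the configuration rather than probing the server. The following auditor is an added example, not code from the original page: it tokenizes nginx configuration text into a directive tree and reports each pattern. The two embedded configurations are constructed for the example (the variable $map_poc_allow, the paths under /map-poc and /redirect, and the directory /var/www/html are assumptions) and show the weak form beside a corrected one:

```python
"""Static audit of nginx configuration text for the four patterns above (added example)."""


def tokenize(text: str) -> list:
    """Split config text into words, quoted strings, '{', '}' and ';'; comments are dropped."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":
            while i < n and text[i] != "\n":
                i += 1
        elif c in "{};":
            tokens.append(c)
            i += 1
        elif c in "\"'":
            j = text.index(c, i + 1)  # closing quote (raises if unterminated)
            tokens.append(text[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};\"'":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def parse(tokens: list) -> list:
    """Build a tree of (name, args, children); children is None for simple directives."""
    def block(pos):
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos])
                pos += 1
                if pos == len(tokens):
                    raise ValueError("unterminated directive: " + " ".join(words))
            if tokens[pos] == ";":
                items.append((words[0], words[1:], None))
            else:
                children, pos = block(pos + 1)
                items.append((words[0], words[1:], children))
            pos += 1  # consume ';' or the closing '}'
        return items, pos
    return block(0)[0]


def walk(items):
    """Yield every directive in document order, descending into blocks."""
    for name, args, children in items:
        yield name, args, children
        if children is not None:
            yield from walk(children)


def audit(config_text: str) -> list:
    """Return (check, detail) pairs; an empty list means none of the patterns was found."""
    findings = []
    for name, args, children in walk(parse(tokenize(config_text))):
        if name == "server" and children is not None:
            roots = [a for n, a, _ in children if n == "root"]
            has_root_location = any(n == "location" and a and a[-1] == "/" for n, a, _ in children)
            if roots and not has_root_location:
                findings.append(("root-no-location", f"server-level root {roots[0][0]} with no 'location /': every path no other location matches is served from it"))
        elif name in ("return", "add_header") and any("$uri" in a or "$document_uri" in a for a in args):
            findings.append(("uri-crlf", f"{name} interpolates URL-decoded $uri; %0d%0a in the path breaks the header, use $request_uri"))
        elif name == "merge_slashes" and args == ["off"]:
            findings.append(("merge-slashes-off", "repeated slashes reach the backend unnormalized and bypass prefix locations"))
        elif name == "map" and children is not None and not any(n == "default" for n, _, _ in children):
            findings.append(("map-no-default", f"map {' '.join(args)} has no default: unmatched input yields '' which a '= 0' deny check never catches"))
    return findings


# Constructed sample with the weak form of each pattern (not a real deployment).
WEAK_CONFIG = """
http {
    merge_slashes off;
    map $uri $map_poc_allow { /map-poc/private 0; /map-poc/public 1; }
    server {
        root /etc/nginx;
        location /hello.txt { try_files $uri $uri/ =404; }
        location /redirect { return 302 https://example.com$uri; }
        location /map-poc { if ($map_poc_allow = 0) { return 403; } return 200 "private area"; }
    }
}
"""

# The same layout with each pattern corrected.
HARDENED_CONFIG = """
http {
    map $uri $map_poc_allow { default 0; /map-poc/private 0; /map-poc/public 1; }
    server {
        root /var/www/html;
        location / { return 404; }
        location /redirect { return 302 https://example.com$request_uri; }
        location /map-poc { if ($map_poc_allow = 0) { return 403; } return 200 "private area"; }
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for check, detail in audit(cfg):
            print(f"  [{check}] {detail}")
```

The checks are purely syntactic: the auditor does not follow include directives or resolve variables, it treats any location whose last argument is / as the root location, and it flags a map without default even when the consuming check already denies on the empty string, so read its output as a list of places to look rather than a verdict.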
proxy_pass and internal directives. The proxy_pass directive forwards requests to other servers, internal or external. The internal directive marks a location as reachable only through an internal request (a redirect from error_page or try_files, an X-Accel-Redirect header from a backend, a rewrite, a subrequest) and never directly from a client; note that a backend which lets a client influence its X-Accel-Redirect header can therefore steer requests into internal locations. Using these directives is not a vulnerability in itself, but check how they are configured.

In the configuration this section refers to, requests are proxied to a backend endpoint (http://backend:9999 in this case) whose content is not checked by nginx: once the connection has been handed over to the backend, nothing in the nginx configuration inspects what travels over it. Note that even if proxy_pass pointed to a specific path such as http://backend:9999/socket.io, the connection would still be established with http://backend:9999, so any other path inside that internal endpoint can be contacted. It therefore does not matter whether a path is specified in the proxy_pass URL: the path only rewrites the request line of the requests nginx itself builds, and it places no restriction on what the backend will answer once the client can talk to it directly.