GitHub – yandex/gixy: Nginx configuration static analyzer
Posted by jpluimers on 2018/10/26
[WayBack] GitHub – yandex/gixy: Nginx configuration static analyzer
Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
…
Right now Gixy can find:
- [ssrf] Server Side Request Forgery
- [http_splitting] HTTP Splitting
- [origins] Problems with referrer/origin validation
- [add_header_redefinition] Redefining of response headers by “add_header” directive
- [host_spoofing] Request’s Host header forgery
- [valid_referers] none in valid_referers
- [add_header_multiline] Multiline response headers
- [alias_traversal] Path traversal via misconfigured alias
You can find things that Gixy is learning to detect at Issues labeled with “new plugin”
This helps you prevent an nginx configuration issue that can serve too much static content when `../` is used in the web request. The issue got a lot of attention last week, but was in fact already found during the 2016 HCTF by Aklis, and presented by Orange Tsai (twitter/github/blog) various times in 2018, including [WayBack] hack.lu 2018.
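The alias_traversal check is the one relevant to the `../` issue above. Gixy's rule is simple: a prefix `location` without a trailing slash combined with an `alias` that ends in a slash. The following is an added example, not code from Gixy or from this post, that runs that rule over a small constructed nginx fragment and also models how nginx substitutes the alias into the request path so you can see why the mismatch matters. The config fragment, the paths and the regexes are my own assumptions; real nginx location precedence (longest prefix, regex locations) is not modelled.

```python
import re
from posixpath import normpath

# Constructed sample nginx fragment (not from the page). The first location is the
# misconfigured pattern Gixy flags; the other two are safe by its rule.
SAMPLE_CONFIG = """
server {
    listen 80;
    location /static {
        alias /var/www/app/static/;
    }
    location /assets/ {
        alias /var/www/app/assets/;
    }
    location /img {
        alias /var/www/app/img;
    }
}
"""

# Matches "location [modifier] <path> { ... }" blocks and captures the body.
LOCATION_RE = re.compile(r'location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{([^}]*)\}', re.S)
ALIAS_RE = re.compile(r'\balias\s+([^;]+);')


def find_alias_locations(config):
    """Return (prefix, alias) pairs for every plain prefix location that uses alias."""
    pairs = []
    for m in LOCATION_RE.finditer(config):
        modifier, prefix, body = m.group(1), m.group(2), m.group(3)
        if modifier:  # exact (=) and regex (~, ~*, ^~) locations are not prefix matches
            continue
        a = ALIAS_RE.search(body)
        if a:
            pairs.append((prefix, a.group(1).strip()))
    return pairs


def is_alias_traversal(prefix, alias):
    """Gixy's alias_traversal rule: location lacks a trailing slash, alias has one."""
    return not prefix.endswith('/') and alias.endswith('/')


def served_path(prefix, alias, uri):
    """Model nginx alias handling for a prefix location.

    nginx normalizes the request URI before matching, then replaces the matched
    prefix with the alias value and lets the filesystem resolve the result.
    Returns None when the (normalized) URI does not match the prefix.
    """
    uri = normpath(uri)
    if not uri.startswith(prefix):
        return None
    return normpath(alias + uri[len(prefix):])


def scan(config):
    """Run the alias_traversal rule over a config and describe each finding."""
    findings = []
    for prefix, alias in find_alias_locations(config):
        if is_alias_traversal(prefix, alias):
            findings.append({
                'location': prefix,
                'alias': alias,
                # the fix is to make the trailing slashes agree
                'suggested_location': prefix + '/',
            })
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_CONFIG):
        print(f"[alias_traversal] location {f['location']} with alias {f['alias']}: "
              f"use 'location {f['suggested_location']}' instead")
```

The `served_path` model shows the difference the trailing slash makes: with `location /static` and `alias /var/www/app/static/`, a request for `/static/logo.png` maps inside the static directory, while a request whose path begins with `/static..` still matches the prefix and resolves one level above it. With `location /assets/` the `../` is normalized away before matching, so no such request reaches the alias, which is exactly why Gixy only flags the mismatched pair.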
Related:
- [WayBack] htctf 你没走过的套路 – Th1s’s Bl0g which has a very good Google Translate
- Earlier presentation by Orange Tsai at blackhat 2018 USA: [WayBack] us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
- [WayBack] x0rz en Twitter: “Nginx off-by-slash vulnerability, cool trick presented by @orange_8361 at #hacklu… “
- [WayBack] Orange Tsai on Twitter: “Be careful the Nginx configuration, or use https://github.com/yandex/gixy to scan your configuration!… “
- [WayBack] Orange: This is 🍊 speaking
- [WayBack] Talks – hack.lu 2018
- hack.lu 2018 videos are being uploaded at https://www.youtube.com/channel/UCI6B0zYvK-7FdM0Vgh3v3Tg/videos
- [WayBack] Hier ein Hackerterrorcybercyber gegen nginx. twitter… – Kristian Köhntopp – Google+
–jeroen