
Typical Vulnerabilities in Nginx Configurations and Mitigation Methods

E K
March 15, 2024


A focused exploration of prevalent vulnerabilities in Nginx configurations and effective methods to mitigate them. This talk guides you through identifying and addressing typical security flaws found in Nginx setups, from misconfigurations to overlooked security controls, and presents practical mitigation strategies to harden your Nginx servers against potential threats.

Transcript

  1. More about Yandex load balancing: https://youtu.be/xcGa-q5MA0s
     Usage scheme (diagram): Load Balancer, L3 Balancer, Datacenter, App Servers, with Service 1, Service 2 and Service 3 serving /, /api, /admin and /img.
  2. Regular expressions for Referer and Origin
     Some developers use regular expressions to validate security headers.
     Handling Referer:
     › to get rid of "bad" requests
     › to withstand CSRF and clickjacking vulnerabilities
     CORS:
     › a legal SOP bypass
  3. CORS misconfiguration (diagram of the exchange between evil.com and example.com)
     Request from evil.com to example.com (steps 1 and 2):
       GET /secrets_files HTTP/1.1
       Host: example.com
       Origin: https://evil.com
       Cookie: sessionid=1ccdb0041193c7115b3f7ecd991bc7efc82212d4
     Response from example.com (steps 3 to 6: preflight request, response with data, JS data extraction):
       HTTP/1.1 200 OK
       Access-Control-Allow-Origin: https://evil.com
       Access-Control-Allow-Credentials: true
  4. Why? Because PCRE!
     (Slide shows the regular expression as checked in Python, the typical vulnerable configuration, and the result of checking the same regular expression in Nginx.)
  5. Other examples
     › Insert a value from the Origin header
     › Insert a value from the Referer header
     › Insert a wildcard value (the browser won't send the request with the user's cookie)
     › Insert null
  6. How to fix? Be careful with regular expressions in Nginx. You have to:
     › check regular expressions in the PCRE environment or refuse to use regular expressions
     › check third-party domains
     › check wildcard domains and subdomains
     › check that user input does not fall into the add_header directive
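The regex problems from slides 2 to 6, shown as an added example that is not from the talk: a weak origin pattern beside a hardened one, tested with Python's re, which agrees with PCRE on the unescaped dot and on `$` matching before a trailing newline; the origin values are constructed. The talk's advice to check the pattern in a PCRE environment still applies, since Python and PCRE spell the absolute end anchor differently.

```python
import re

# Weak pattern of the kind the talk warns about: the dot is unescaped (it matches
# any character) and "$" also matches just before a trailing newline, in Python's
# re and in PCRE alike.
WEAK = re.compile(r"^https://api.example.com$")

# Hardened pattern: dot escaped and an absolute end anchor. Python spells it \Z;
# in PCRE (what nginx uses) \Z still permits a trailing newline, so write \z there.
STRICT = re.compile(r"^https://api\.example\.com\Z")

# Constructed Origin header values (not from the talk).
ORIGINS = [
    "https://api.example.com",            # the only legitimate origin
    "https://api-example.com",            # lookalike domain: the unescaped dot matches "-"
    "https://api.example.com\n",          # trailing newline: "$" still matches
    "https://api.example.com.evil.test",  # suffix attack: both patterns reject it
]

def regex_verdicts(pattern):
    """Map each sample origin to whether the pattern would accept it."""
    return {origin: pattern.search(origin) is not None for origin in ORIGINS}

def cors_headers(origin, allowlist=frozenset({"https://api.example.com"})):
    """Regex-free alternative: echo the Origin only after an exact allowlist match."""
    if origin not in allowlist:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

if __name__ == "__main__":
    for name, pattern in (("weak", WEAK), ("strict", STRICT)):
        print(name, regex_verdicts(pattern))
```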
  7. Redefining of response headers (http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header)
     «There could be several "add_header" directives. These directives are inherited from the previous level if and only if there are no "add_header" directives defined on the current level.»
     Nginx has a non-standard inheritance mechanism.
  8. How to fix? (https://github.com/openresty/headers-more-nginx-module#readme) You may:
     › duplicate important headers
     › set important headers in one section
     › use headers-more-nginx-module
  9. None in the valid_referers directive
     The ngx_http_referer_module module is used to block access to a site for requests with invalid values in the "Referer" header field. You can enable the module by using the valid_referers directive.
     This module is not intended for:
     - building security
     - point blocking of clients
  10. Some ways to send a request without a Referer
     ▎ Request with an opaque origin
     ▎ Request from a frame
     ▎ Request from https to http
     ▎ HTML meta tags
     ▎ Referrer-Policy headers
     https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer
     https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
     https://html.spec.whatwg.org/multipage/origin.html
  11. How to fix?
     › Don't use "none" in the directive
     › Don't use ngx_http_referer_module for security
  12. CRLF injection
     CRLF refers to the Carriage Return and Line Feed sequence of special characters. Example symbols:
     › \r or \n
     › %0d%0a
     › 0x0D 0x0A
     › %E5%98%8A%E5%98%8
  13. CRLF injection (http://nginx.org/ru/docs/http/ngx_http_core_module.html#location)
     The injection can take place through the $uri/$document_uri variable.
     ▎ The $uri variable goes through normalization (URL decode).
     Can be used to attack:
     - a user
     - a server behind Nginx
  14. Typical vulnerable configuration (shown on the slide)
     ▎ As well as the directives for proxying:
     › proxy_set_header
     › proxy_pass
  15. How to fix?
     › Don't use $uri variables, use $request_uri
     › Be careful with "add_header" directives
     › Be careful in regular expressions, do not forget to exclude line breaks in them
  16. Open redirect
     Incorrect configuration allows redirecting a user to an arbitrary domain. The vulnerable directive is rewrite: if the specified regular expression matches the request URI, the URI is changed according to the replacement string. The vulnerability occurs when the domain path inside rewrite is concatenated or matched by the regular expression incorrectly.
  17. How to fix?
     › Be careful when using rewrite
     › Carefully use user input in rewrite regex rules
  18. Alias traversal
     The alias directive is used to change the path in a location.
     › The directive is commonly used for static files: on the request "/i/top.gif" the file will be taken from /data/w3/images/top.gif
  19. How to fix? It's quite easy! You have to use '/' at the end of the parent prefix location.
  20. Spoofing the Host request header (http://nginx.org/ru/docs/http/ngx_http_core_module.html#var_host)
     Incorrect configuration allows replacing the Host header that the proxy passes to the backend.
     Where you can shoot yourself in the foot:
     › generating links based on the Host header, redirects, uploading resources, etc.
     The difference between $http_host and $host:
     › $host: in this order of priority, the host name from the request line, or the host name from the "Host" request header field, or the server name matching the request
     › $http_host: taken directly from the request's "Host" header
  21. How to fix?
     › List the correct server names in the server_name directive
     › Always use the $host variable instead of $http_host
     › Always use the default server section
  22. SSRF
     Incorrect configuration allows sending requests on behalf of Nginx. The vulnerable directive is proxy_pass. The vulnerability occurs when:
     › proxy_pass can be completely controlled
     › the internal directive is missing in the proxying location
     › there is an unsafe redirect to the internal location
  23. Unsafe redirect (http://nginx.org/ru/docs/http/ngx_http_core_module.html#internal)
     Internal requests are:
     › requests redirected by the error_page, index, random_index and try_files directives
     › requests redirected using the "X-Accel-Redirect" field of the upstream server response
     › subrequests generated by the "include virtual" command of the ngx_http_ssi_module module, directives of the ngx_http_addition_module module, as well as the auth_request and mirror directives
     › requests modified by the rewrite directive
  24. How to fix?
     › For the proxying location, use the internal directive
     › Uniquely identify the addresses of the proxied servers (for example, via map)
     › Check the correct concatenation of user input into the proxied host and handle the input
  25. Gixy
     A tool for analyzing Nginx configuration files
     › Written in Python
     › Developed by the community and Yandex engineers
     › We use it inside Yandex
     › Fast, easy, free
     We are looking for contributors!
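A Gixy-style checker, added here as an example and not Gixy's own code, that applies five of the deck's rules to a constructed config: alias under a location prefix without a trailing slash, $uri/$document_uri in header or proxy directives, Origin/Referer reflected through add_header, $http_host in proxy_set_header, and "none" in valid_referers. The config parser is deliberately simplified (no include, no quoted strings) and is an assumption of this example.

```python
import re

# Constructed sample configuration (not from the talk): every directive below carries one of the mistakes the deck lists.
SAMPLE_CONF = """
server {
    server_name example.com;
    valid_referers none blocked example.com;   # "none" admits referer-less requests
    location /i {                              # no trailing slash -> alias traversal
        alias /data/w3/images/;
    }
    location /api {
        add_header Access-Control-Allow-Origin $http_origin;  # reflects user input
        proxy_set_header Host $http_host;                     # unvalidated Host
        proxy_pass http://backend$uri;                        # $uri is URL-decoded
    }
}
"""

def check_directive(name, args, location):
    """Return a finding label for one directive, or None when it looks safe."""
    if name == "alias" and location is not None and not location.endswith("/"):
        return "alias_traversal"
    if name in ("add_header", "proxy_pass", "proxy_set_header", "return") and re.search(r"\$(document_)?uri\b", args):
        return "crlf_via_uri"
    if name == "add_header" and re.search(r"\$http_(origin|referer)\b", args):
        return "header_reflection"
    if name == "proxy_set_header" and "$http_host" in args:
        return "host_spoofing"
    if name == "valid_referers" and "none" in args.split():
        return "referer_none"

def lint(conf):
    """Walk a simplified nginx config and collect (rule, directive, args) findings."""
    findings, stack = [], []          # stack: prefix of each open block (None if not a prefix location)
    conf = re.sub(r"#.*", "", conf)   # comments are not part of the directive text
    for m in re.finditer(r"([^;{}]+?)\s*([;{])|(})", conf):
        if m.group(3):                # closing brace: leave the block
            stack.pop()
            continue
        parts = m.group(1).split(None, 1) or [""]
        name, args = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if m.group(2) == "{":         # opening brace: remember the location prefix, if any
            is_prefix = name == "location" and not args.startswith(("=", "~", "^"))
            stack.append(args if is_prefix else None)
            continue
        rule = check_directive(name, args, stack[-1] if stack else None)
        if rule:
            findings.append((rule, name, args))
    return findings
```

Running `lint(SAMPLE_CONF)` yields one finding per flawed directive, in configuration order; regex locations (`~`, `~*`, `^~`) are left alone by the alias rule because the deck's fix concerns prefix locations.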
  26. Useful links
     › Gixy - https://github.com/yandex/gixy
     › Nginx docs - http://nginx.org/ru/docs/
     › Scalable nginx configuration - https://youtu.be/jf3wIN-FwW4
     › Load balancing in Yandex - https://youtu.be/xcGa-q5MA0s