Typical Vulnerabilities in Nginx Configurations and Mitigation Methods

Transcript

1. Typical Vulnerabilities in Nginx Configurations Egor Karbutov, Information Security Engineer,

   Yandex Core Security Team

2. Into

3. Agenda 3 › Nginx? › Client-Side Vulnerabilities › Server-Side Vulnerabilities

   › Gixy tool

4. Nginx? 4 ▎ Web-server! › Reverse proxy › Load balancer

   › HTTP cache › …

5. Usage scheme 5 App Servers Datacenter

6. More about Yandex load balance https://youtu.be/xcGa-q5MA0s Usage scheme 6 App

   Servers Datacenter L3 Balancer Service 1 Service 2 Service 3 / /api /admin /img / Load Balancer

7. 7 Typical vulnerable configuration

8. Client-Side Vulnerabilities

9. Regular expression for Referer and Origin 9 ▎ Some developers

   use regular expressions to validate security headers. Handling Referer: › to get rid of ‘bad’ requests › To withstand CSRF and Clickjacking vulnerabilities CORS: › Legal SOP Bypass

10. CORS Misconfiguration 10 example.com HTTP/1.1 200 OK Access-Control-Allow-Origin: https://evil.com Access-Control-Allow-Credentials:

    true evil.com 1 2 GET /secrets_files HTTP/1.1 Host: example.com Origin: https://evil.com Cookie: sessionid=1ccdb0041193c7115b3f7ecd991bc7efc82212d4 3 6 Preflight request 4 5 Response with data JS data extraction

11. 11 ▎ Why? Because PCRE! › Regular expression for python:

    Typical vulnerable configuration ▎ The result of checking the regular expression in Nginx

12. 12 How to fix? › First way › Second way

13. 13 Other examples › Insert a value from the Origin

    header › Insert a value from the Referer header › Insert a wildcard value (browser won’t send request with users cookie) › Insert null

14. How to fix? 14 ▎ Вe careful with regular expressions

    in Nginx You have to: › check regular expressions in the PCRE environment or refuse using regular expressions › check third-party domains › check wildcard domains and subdomains › check that user input does not fall into the add_header directive

15. http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header Redefining of response headers 15 ▎ «There could be

    several “add_header” directives. These directives are inherited from the previous level if and only if there are no ” add_header” directives defined on the current level.» Nginx have a non-standard inheritance mechanism.

16. 16 Typical vulnerable configuration

17. 17 ▎ Root headers ▎ /new-headers ▎ /new-headers with Origin

    header

18. https://github.com/openresty/headers-more-nginx-module#readme How to fix? 18 You may: › duplicate important

    headers › set important headers in one section › use headers-more-nginx-module

19. None in valid_referrers directive 19 ▎ The ngx_http_referer_module module is

    used to block access to a site for requests with invalid values in the “Referer” header field. You can call the module by using a valid_referrers directive This module is not intended for: - building security - point blocking of clients

20. 20 Typical vulnerable configuration

21. 21 ▎ Request with valid referer ▎ Request without referer

    ▎ Request with evil referer

22. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy https://html.spec.whatwg.org/multipage/origin.html 22 Some ways to send a request

    without referer ▎ Request with opaque origin ▎ Request from frame ▎ Request from https to http ▎ HTML meta tags ▎ Referrer Policy Headers

23. How to fix? 23 › Don’t use “none” in the

    directive › Don’t use ngx_http_referer_module for security

24. CLRF Injection 24 ▎ CRLF refers to the Carriage Return

    and Line Feed sequence of special characters Example symbols: › \r or \n › %0d%0a › 0x0D0x0A › %E5%98%8A%E5%98%8

25. http://nginx.org/ru/docs/http/ngx_http_core_module.html#location CLRF Injection 25 The injection can take place through

    the $uri/$document_uri variable ▎ The $uri variable goes through normalization – URL Decode Can be used to attack: - a user - on a server behind Nginx

26. 26 Typical vulnerable configuration ▎ As well as directive for

    proxy › proxy_set_header › proxy_pass

27. 27 ▎ Request with valid referer ▎ Request without referer

28. https://hackerone.com/reports/15492 https://hackerone.com/reports/15492 https://habr.com/ru/company/pt/blog/247709/ 28 ▎ BugBounty

29. How to fix? 29 › Don’t use $uri variables, use

    $request_uri › Be careful with “add header” directives › Be careful in regular expressions, do not forget to exclude line breaks in them

30. Open Redirect 30 ▎ Incorrect configuration allows redirecting a user

    to an arbitrary domain Vulnerable directive is rewrite If the specified regular expression matches the request URI, the URI is changed according to the replacement string. The vulnerability occurs when there is an incorrect concatenation/regular expression of the domain path inside rewrite

31. 31 Typical vulnerable configuration

32. How to fix? 32 › Be careful when using rewrite

    › Carefully use user input in rewrite regex rules

33. Server-Side Vulnerabilities

34. Alias traversal 34 ▎ The alias directive is used to

    change the path in location › Directive is commonly used to static files: on request “/i/top.gif ” the file will be taken from /data/w3/images/ top.gif

35. 35 Typical vulnerable configuration

36. https://hackerone.com/reports/455858 https://hackerone.com/reports/446330 https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/ 36 ▎ The following tests were performed

    to confirm this vulnerability ▎ BugBounty

37. How to fix? 37 ▎ It’s quite easy! You have

    to use ‘/’ at the end of the parent prefixed location

38. http://nginx.org/ru/docs/http/ngx_http_core_module.html#var_host Spoofing the Host request header 38 ▎ Incorrect configuration

    allows you to replace the Host header from the proxy to the backend side Where you can shoot yourself in the foot: › Generating links based on the Host header, redirects, uploading resources, etc. The difference is $http_host instead of $host: › $host - host in order of priority: the host name from the request string, or the host name from the Host header of the request header, or the name of the server corresponding to the request › $http_host - is directly taken from the request’s header "Host"

39. 39 Typical vulnerable configuration

40. How to fix? 40 › List the correct server names

    in the server_name directive › Always use the $host variable instead of $http_host › Always use the server default section

41. SSRF 41 ▎ Incorrect configuration allows sending requests on behalf

    of Nginx Vulnerable directive is proxy_pass Vulnerability occurs when: › proxy_pass can be completely controlled › Lack of an internal directive in the proxying location › Unsafe redirection to the internal location

42. 42 Typical vulnerable configuration ▎ Lack of the internal directive

    and fully controlled proxy_pass

43. http://nginx.org/ru/docs/http/ngx_http_core_module.html#internal Unsafe redirect 43 Internal requests are: › requests redirected

    by the error_page, index, random_index and try_files directives › requests redirected using the "X-Accel-Redirect” field of the upstream server response › subqueries generated by the ”include virtual" command of the ngx_http_ssi_module module, directives of the ngx_http_addition_module module, as well as the auth_request and mirror directives › requests modified by the rewrite directive

44. 44 Typical vulnerable configuration ▎ Insecure redirect ▎ Concatenation without

    a leading slash

45. How to fix? 45 › For proxying location, use the

    internal directive › Uniquely identify the addresses of the proxied servers (for example, via mapping) › Check the correct concatenation of user input to the proxied host and handle the input

46. Gixy 46 ▎ Tool for analyzing Nginx configuration files ›

    Written in Python › Developed by community and Yandex engineers › We use it inside Yandex › Fast, easy, free We are looking for contributors!

47. Полезные ссылки 47 › Gixy - https://github.com/yandex/gixy › Nginx docs

    - http://nginx.org/ru/docs/ › Scalable configuration nginx – https://youtu.be/jf3wIN-FwW4 › Load balancing in Yandex - https://youtu.be/xcGa-q5MA0s

48. Egor Karbutov Information Security Engineer, Yandex Core Security Team Thanks!

    [email protected] @ ShikariSenpai