Widely used web server’s flexibility means mistakes all too easy to make
Security researchers at Detectify have discovered a series of middleware misconfigurations in Nginx that could leave web applications vulnerable to attack.
Lightweight, modular, open source, and with a user-friendly configuration format, Nginx is one of the most widely-used web servers, powering one in three websites globally.
However Detectify, which maintains an automated web application scanner, says this very flexibility makes it easy to make mistakes that could leave a site open to attack.
Late last year, the Detectify team analyzed almost 50,000 unique Nginx configuration files downloaded from GitHub with Google BigQuery, finding a number of possible misconfigurations that could leave web applications open to attack.
These issues included issuing root location, unsafe variable use, raw backend response reading, and merge slashes set to off.
Proof of concepts
And, says Frans Rosen, the company’s co-founder and security advisor, many similar misconfigurations have been spotted in the wild.
“A lot of companies nowadays use bug bounties as a way for external security researchers to report security bugs to the company,” Rosen told The Daily Swig.
“This allowed us to identify some of these misconfigurations on live targets and make proof of concepts showing how we utilized the misconfiguration to serve our own content on their main domain.”
The team says it has seen an increasing number of hosts using proxy solutions for static content against Google Cloud Storage and AWS S3 on /media/, /images/, /sitemap/, and similar locations, with weak regular expressions allowing HTTP splitting to happen.
This bug, says Detectify, was found in the wild multiple times on bug bounty programs.
The team also examined other possible misconfigurations that allowed for controlling of a proxied host, accessing internal Nginx blocks, and accessing localhost-restricted Nginx blocks.
Rosen says many of these issues weren’t picked up by Gixy, the Nginx configuration static analyzer created by Yandex, when scanning the configuration files.
So how safe is middleware generally, and Nginx in particular?
“The main idea is that it allows a lot of flexibility and control by utilizing the webserver like this. However due to the fact that it’s really common, these misconfigurations will happen,” says Rosen.
“There are some things when configuring Nginx that makes it easy to do wrong. For example, using the variable $uri is dangerous, but $request_uri is safe.
“Those things are very easy to do wrong, and it’s not clear when using one or the other if you are okay or not.”