From e8744406f98155c0ebb0a80e50ac6f6496f4d0cf Mon Sep 17 00:00:00 2001 From: irotem <rotemb@gmail.com> Date: Sun, 4 Oct 2020 12:42:51 +0300 Subject: [PATCH] Added traversal bypass of nginx/alb --- Directory Traversal/README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index 3993305..1f316a3 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md @@ -12,6 +12,7 @@ * [Bypass "../" with ";"](#bypass--with-) * [Double URL encoding](#double-url-encoding) * [UNC Bypass](#unc-bypass) + * [NGINX/ALB Bypass](#nginxalb-bypass) * [Path Traversal](#path-traversal) * [Interesting Linux files](#interesting-linux-files) * [Interesting Windows files](#interesting-windows-files) @@ -89,6 +90,14 @@ An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software \\localhost\c$\windows\win.ini ``` +### NGINX/ALB Bypass + +NGINX in certain configurations and ALB can block traversal attacks in the route, For example: +```http://nginx-server/../../``` will return a 400 bad request. + +To bypass this behaviour just add forward slashes in front of the url: +```http://nginx-server////////../../``` + ## Path Traversal @@ -178,3 +187,4 @@ The following log files are controllable and can be included with an evil payloa * [Path Traversal Cheat Sheet: Windows](https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/) * [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack) * [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html) +* [NGINX may be protecting your applications from traversal attacks without you even knowing](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d?source=friends_link&sk=e9ddbadd61576f941be97e111e953381)
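Review bot: In the new "NGINX/ALB Bypass" section (hunk at @@ -89,6 +90,14 @@), "NGINX in certain configurations and ALB" does not say which configuration produces the 400, and "ALB" is never expanded. The only example host is `nginx-server`, so a reader cannot tell whether the extra-slash request was observed on ALB as well. Please name the setting or deployment this was observed on, expand ALB on first use, and state what response the `////////../../` request returns, so the entry can be reproduced and checked against a given proxy configuration. Two style points in the same hunk: "in the route, For example:" is a comma splice with a stray capital, and both URLs are wrapped in inline triple backticks, whereas the UNC example directly above uses a fenced block on its own lines.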
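Review bot: In the references hunk (@@ -178,3 +187,4 @@), the added Medium link keeps its sharing query string, `?source=friends_link&sk=e9ddbadd61576f941be97e111e953381`. This looks like a per-share token rather than part of the article address, so the list should use the URL without the query string if the article is reachable that way. The entry also has no source or date, unlike the CWE entry just above it ("- CWE Mitre - December 27, 2018"). Adding the publisher and publication date would keep the list consistent.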