In Nginx, a careless configuration can give rise to vulnerabilities such as SSRF and HTTP Response Splitting.
For example, a configuration like the following results in HTTP Response Splitting: the `[^.]*` capture accepts any character except a period, including CR and LF, and add_header echoes the captured `$token` straight into a response header.
server {
listen 6789 default;
location ~ /v1/((?<token>[^.]*)\.json)?$ {
add_header X-Action $token;
return 200 "OK";
}
}
$ curl localhost:6789/v1/test%0d%0aCookie:%20test.json
HTTP/1.1 200 OK
Server: nginx/1.13.12
Date: Sat, 02 Jun 2018 14:42:38 GMT
Content-Type: application/json
Content-Length: 2
Connection: keep-alive
X-Action: test
Cookie: test
OK
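The check below is an added example, not code from the original post and not gixy itself: a small heuristic scanner that flags add_header directives whose value comes from a named regex capture that does not exclude CR/LF. The sample configs are constructed here, and the hardened variant assumes that adding \r and \n to the negated character class is the intended fix.

```python
import re

# Constructed sample config, mirroring the vulnerable block discussed above.
VULNERABLE_CONF = r'''
server {
    listen 6789 default;
    location ~ /v1/((?<token>[^.]*)\.json)?$ {
        add_header X-Action $token;
        return 200 "OK";
    }
}
'''

# Hardened variant (assumption: excluding CR/LF from the capture closes the hole).
HARDENED_CONF = VULNERABLE_CONF.replace(r"[^.]*", r"[^.\r\n]*")

# Named capture groups in PCRE syntax, e.g. (?<token>[^.]*)
CAPTURE_RE = re.compile(r"\(\?<(?P<name>\w+)>(?P<pattern>[^)]*)\)")
# add_header <name> <value>;
ADD_HEADER_RE = re.compile(r"add_header\s+(?P<header>\S+)\s+(?P<value>[^;]+);")


def capture_allows_crlf(pattern):
    """Heuristic: a negated character class is safe only if it rules out
    both \\r and \\n (or all whitespace via \\s). Anything else is treated
    as unsafe, which errs on the side of reporting."""
    m = re.fullmatch(r"\[\^([^\]]*)\][*+?]?", pattern)
    if m is None:
        return True
    body = m.group(1)
    return not (("\\r" in body and "\\n" in body) or "\\s" in body)


def find_http_splitting(conf):
    """Return (header, variable) pairs where a header is built from a
    capture that can still carry CR/LF into the response."""
    risky = {m.group("name") for m in CAPTURE_RE.finditer(conf)
             if capture_allows_crlf(m.group("pattern"))}
    findings = []
    for m in ADD_HEADER_RE.finditer(conf):
        for var in re.findall(r"\$(\w+)", m.group("value")):
            if var in risky:
                findings.append((m.group("header"), var))
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_http_splitting(VULNERABLE_CONF))
    print("hardened:  ", find_http_splitting(HARDENED_CONF))
```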
gixy can detect this kind of vulnerability for you.
$ gixy /path/to/nginx.conf
==================== Results ===================
>> Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Severity: HIGH
Description: Using variables that can contain "\n" or "\r" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
Reason: At least variable "$token" can contain "\n"
Pseudo config:
server {
location ~ /v1/((?<token>[^.]*)\.json)?$ {
add_header X-Action $token;
}
}
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 1
It's handy, so make use of it.