Nginxでは設定に不備があるとSSRFやHTTP Response Splittingなどの脆弱性が生じる。
例えば以下のような感じだとHTTP Response Splittingが生じる。

server {
    listen 6789 default;


    location ~ /v1/((?<token>[^.]*)\.json)?$ {
        add_header X-Action $token;
        return 200 "OK";
    }
}
$ curl localhost:6789/v1/test%0d%0aCookie:%20test.json

HTTP/1.1 200 OK
Server: nginx/1.13.12
Date: Sat, 02 Jun 2018 14:42:38 GMT
Content-Type: application/json
Content-Length: 2
Connection: keep-alive
X-Action: test
Cookie: test

OK

gixyを使うとこのような脆弱性を検査してくれる。

$ gixy /path/to/nginx.conf

==================== Results ===================

>> Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Severity: HIGH
Description: Using variables that can contain "\n" or "\r" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md
Reason: At least variable "$token" can contain "\n"
Pseudo config:

server {

	location ~ /v1/((?<token>[^.]*)\.json)?$ {
		add_header X-Action $token;
	}
}

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 1

便利なので使っていきましょう。

nginx  gixy