Nginxproxy - An Open Source WAF to Protect against Malicious File Uploads


This project addresses the risk created by unwanted file uploads to web applications, using Nginx's reverse proxy feature. Many modern web applications implement some variation of a file upload system. Such systems can expose the application to attack: a user may upload a file that compromises the server (a web shell), or a file that malicious parties can use to harm other users (an HTML file containing scripts, for example).


Theory

Nginx's reverse proxy works by reading a configuration file of proxy rules and forwarding each incoming request to the address given by the matching rule. Nginx reads these rules from top to bottom and applies the most specific one that matches. So, if example.com/help/contact-us is requested and the configuration contains the following rules:


then the request will be forwarded to http://real.server.com/help/contact-us. Using this feature, we can create a configuration file on a reverse proxy server that points explicitly to every page on the original server. To let users reach uploaded files, we add a rule with a regex whitelist of allowed file extensions, and send every other request to a generic "404" page.

Note: this only blocks access to the uploaded file; it does not block the upload itself.


The Configuration File

Following the theory, we create a configuration file with the following structure:

● Nginx defaults (settings that every Nginx configuration file must include).

● Specific proxy rules for every page on the original server.

● Regex whitelist for allowed file extensions.

● Catch-all rule that catches every unrecognized request and redirects it to a "404" page.
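To make the rule selection in the Theory section and the four-part layout above concrete, here is an added example (not code from the NginProx project): a Python script that renders the layout as an nginx server block and simulates nginx's documented location selection, so the whitelist and catch-all behaviour can be checked offline. The origin address, page list, upload path and extension list are constructed samples.

```python
"""Added example (not code from the NginProx project): render the four-part
reverse-proxy layout as an nginx server block and simulate nginx's location
selection. Origin address, page list and extensions are constructed samples."""
import re

UPSTREAM = "http://real.server.com"                   # hypothetical origin server
PAGES = ["/", "/login", "/help", "/help/contact-us"]  # constructed page list
ALLOWED_EXT = ["jpg", "png", "pdf"]                   # constructed upload whitelist
PROXY = f"proxy_pass {UPSTREAM};"
NOT_FOUND = "return 404;"


def locations():
    """Build the ordered list of (modifier, pattern, action) location rules.

    Order mirrors the structure in the text: one exact rule per page, a
    case-insensitive regex whitelist for files under /uploads/ (a constructed
    path), and a prefix catch-all that turns everything else into a 404."""
    locs = [("=", page, PROXY) for page in PAGES]
    ext = "|".join(ALLOWED_EXT)
    locs.append(("~*", rf"^/uploads/[^/]+\.({ext})$", PROXY))
    locs.append(("", "/", NOT_FOUND))
    return locs


def render(locs):
    """Emit the rules as an nginx server block (nginx defaults omitted)."""
    out = ["server {", "    listen 80;", "    server_name example.com;"]
    for mod, pat, action in locs:
        head = f"{mod} {pat}" if mod else pat
        out += [f"    location {head} {{", f"        {action}", "    }"]
    out.append("}")
    return "\n".join(out)


def resolve(path, locs):
    """Return the action nginx would take for a request path.

    Follows nginx's documented selection order: an exact '=' match wins
    outright; otherwise the longest matching prefix is remembered (and wins
    immediately if marked '^~'); then regex locations are tried in file
    order and the first match wins; otherwise the remembered prefix is used."""
    for mod, pat, action in locs:
        if mod == "=" and path == pat:
            return action
    best = None
    for mod, pat, action in locs:
        if mod in ("", "^~") and path.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, action)
    if best is not None and best[0] == "^~":
        return best[2]
    for mod, pat, action in locs:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, path, flags):
                return action
    return best[2] if best is not None else None


if __name__ == "__main__":
    rules = locations()
    print(render(rules))
    for p in ["/help/contact-us", "/uploads/photo.JPG", "/uploads/shell.php",
              "/admin", "/help/contact-us/"]:
        print(f"{p:24} -> {resolve(p, rules)}")
```

Running the script prints the generated server block and then the decision for each sample path: the listed page and the whitelisted image are proxied, while an unlisted page, a trailing-slash variant of a listed page, and an upload with a non-whitelisted extension all fall through to the 404 rule. The whitelist decides on the request URI alone, which is exactly the caveat the note in the text makes: the proxy gates access to uploaded files, it does not inspect or block the upload.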


Issues

So, if the theory is correct, have we found an end to all web shells? Things are more complicated than simple sites whose URLs point directly to files on the server.

In the real world, most web applications use rewrite rules to serve dynamic pages. The solution therefore has to take rewrite rules into account, potentially by reading the web server's own configuration file and generating matching proxy rules.

The open source project: https://github.com/KomodoResearch/NginProx/


Komodo Consulting specializes in Black Box Penetration Testing and Red-Team Exercises, Cyber Threat Intelligence, Incident Response and Application Security, serving Fortune 500 companies in Europe, the US and Israel. Komodo was founded by leading consulting experts with decades of experience. Our team includes seasoned security specialists with worldwide information security experience along with military intelligence experts. Komodo provides services across many verticals including banking, insurance, hi-tech, automotive, energy, communication, critical infrastructure, healthcare, and international mega-brands.


TALK TO OUR REPRESENTATIVES
USA: +1 917 5085546
UK: +44 20 37694351
ISR: +972 9 955 5565
Email: info@komodosec.com
Website: https://www.komodosec.com/contact

