Most Widely Used Web Server

  




Nginx is the web server powering one-third of all websites in the world. Detectify Crowdsource has detected some common Nginx misconfigurations that, if left unchecked, leave your web site vulnerable to attack. Here’s how to find some of the most common misconfigurations before an attacker exploits them.

Apache Tomcat resources

Apache Tomcat is the world's most widely used web application server, with over one million downloads per month and over 70% penetration in the enterprise datacenter. Apache Tomcat is used to power everything from simple one-server sites to large enterprise networks. The following is a collection of Apache Tomcat resources that will help you identify, monitor.

Apache is the most commonly used web server on Linux systems. Web servers serve web pages requested by client computers. Clients typically request and view web pages using web browser applications such as Firefox, Opera, Chromium, or Internet Explorer.

There are many web servers, but currently the most popular is Apache, which is commonly deployed as part of a software stack of Linux, Apache, MySQL, and PHP (LAMP). Microsoft IIS (Internet Information Server.

See the technologies overview for explanations of the methodologies used in the surveys. How to read the diagram: Apache is used by 34.0% of all the websites whose web server we know. Apache is used by 29.3% of all the websites whose web server we know and that rank in the top 1,000,000.

UPDATE: Detectify Security Advisor, Frans Rosen, published some research that deep dives into some novel web server misconfigurations on Detectify Labs in his post: Middleware, middleware everywhere – and lots of misconfigurations to fix

Nginx is one of the most commonly used web servers on the Internet due to it being lightweight, modular, and having a user-friendly configuration format. At Detectify, we scan for misconfigurations and security vulnerabilities in Nginx for thousands of customers. Our Crowdsource network regularly submits new and interesting vulnerabilities affecting Nginx that we then later implement as a security test into our web application scanner.

We analyzed almost 50,000 unique Nginx configuration files downloaded from GitHub with Google BigQuery. With this data, we could find out how common different misconfigurations are.

This article will shine some light on the following Nginx misconfigurations:

  • Missing root location
  • Unsafe variable use
  • Raw backend response reading
  • merge_slashes set to off

Missing root location

The root directive specifies the root folder for Nginx. In the example configuration discussed here, the root folder is /etc/nginx, which means that files within that folder can be reached. The configuration does not have a location for / (location / {...}), only for /hello.txt. Because of this, the root directive applies globally, meaning that requests to / will be served from the local path /etc/nginx.

A request as simple as GET /nginx.conf would reveal the contents of the Nginx configuration file stored in /etc/nginx/nginx.conf. If the root is set to /etc, a GET request to /nginx/nginx.conf would reveal the configuration file. In some cases it is possible to reach other configuration files, access logs and even encrypted credentials for HTTP basic authentication.
Of the nearly 50,000 Nginx configuration files we collected, the most common root paths were the following:
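A configuration-side check for this pattern, written as an added example (not Detectify's scanner or the article's own code): a minimal parser for nginx's directive syntax, and a function that flags every server block that sets a root but has no location / block. The sample configuration is constructed to match the case described above.

```python
import re

# Constructed sample modelled on the case described above: a global root and no
# "location /" block. It is not the article's own configuration.
VULNERABLE_CONF = """
server {
    root /etc/nginx;
    location /hello.txt {
    }
}
"""

def tokenize(text):
    """Split nginx config text into words plus the structural tokens { } ;"""
    return re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", text))

def parse(tokens, i=0):
    """Turn tokens into a list of (name, args, children) directives."""
    items = []
    while i < len(tokens):
        if tokens[i] == "}":
            return items, i + 1
        j = i
        while tokens[j] not in (";", "{"):
            j += 1
        name, args = tokens[i], tokens[i + 1:j]
        if tokens[j] == "{":
            children, i = parse(tokens, j + 1)
            items.append((name, args, children))
        else:
            items.append((name, args, None))
            i = j + 1
    return items, i

def missing_root_location(conf_text):
    """Return the root of each server block that sets root but has no location /."""
    findings = []
    def walk(items):
        for name, args, children in items:
            if name == "server" and children:
                root = next((a[0] for n, a, _ in children if n == "root" and a), None)
                locs = [a for n, a, _ in children if n == "location"]
                # "location /" or "location = /" covers requests to the bare root
                if root and not any(a and a[-1] == "/" for a in locs):
                    findings.append(root)
            if children:
                walk(children)
    walk(parse(tokenize(conf_text))[0])
    return findings

# Adding a catch-all location to the same server clears the finding.
FIXED_CONF = VULNERABLE_CONF.replace(
    "location /hello.txt", "location / { return 404; }\n    location /hello.txt")
```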

Off-By-Slash

With the Off-by-slash misconfiguration, it is possible to traverse one step up the path due to a missing slash. Orange Tsai made this technique well known in his Blackhat talk “Breaking Parser Logic!” In this talk he showed how a missing trailing slash in the location directive combined with the alias directive can make it possible to read the source code of the web application. What is less well known is that this also works with other directives like proxy_pass. Let’s break down what is happening and why this works.

With an Nginx server running the following configuration that is reachable at server, it might be assumed that only paths under http://apiserver/v1/ can be accessed.

When http://server/api/user is requested, Nginx will first normalize the URL. It then looks to see if the prefix /api matches the URL, which it does in this case. The prefix is then removed from the URL so the path /user is left. This path is then added to the proxy_pass URL which results in the final URL http://apiserver/v1//user. Note that there is a double slash in the URL since the location directive does not end in a slash and the proxy_pass URL path ends with a slash. Most web servers will normalize http://apiserver/v1//user to http://apiserver/v1/user, which means that even with this misconfiguration everything will work as expected and it could go unnoticed.

This misconfiguration can be exploited by requesting http://server/api../ which will result in Nginx requesting the URL http://apiserver/v1/../ that is normalized to http://apiserver/. The impact that this can have depends on what can be reached when this misconfiguration is exploited. It could for example lead to the Apache server-status being exposed with the URL http://server/api../server-status, or it could make paths accessible that were not intended to be publicly accessible.

One sign that an Nginx server has this misconfiguration is that it still returns the same response when a slash in the URL is removed. For example, if both http://server/api/user and http://server/apiuser return the same response, the server might be vulnerable. This would lead to the following requests being sent:
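To make the prefix-replacement rule above concrete, here is an added example (not part of the article) that mirrors how nginx builds the upstream URL for a prefix location with a proxy_pass URI, normalizes it the way most upstreams do, and flags the off-by-slash pattern at configuration level. The location and proxy_pass values are the ones from the text; the same logic applies to alias.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit

def upstream_url(location, proxy_pass, request_path):
    """Mirror nginx's rule for a prefix location whose proxy_pass carries a URI
    part: the matched prefix is cut off and the proxy_pass path is prepended."""
    if not request_path.startswith(location):
        return None                      # nginx would not route it to this location
    target = urlsplit(proxy_pass)
    raw = target.path + request_path[len(location):]
    # Most upstreams collapse "//" and resolve ".." before routing, so the
    # effective path is the normalized one (trailing slash preserved).
    path = posixpath.normpath(raw)
    if raw.endswith("/") and not path.endswith("/"):
        path += "/"
    return urlunsplit((target.scheme, target.netloc, path, "", ""))

def off_by_slash(location, proxy_pass):
    """Config-level check for the pattern described above: a prefix location
    without a trailing slash combined with a proxy_pass path ending in one."""
    return not location.endswith("/") and urlsplit(proxy_pass).path.endswith("/")

if __name__ == "__main__":
    for path in ("/api/user", "/api../"):
        print(path, "->", upstream_url("/api", "http://apiserver/v1/", path))
```

With `location /api/` (trailing slash) the second request no longer matches the location at all, which is the fix.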

Unsafe variable use

Some frameworks, scripts and Nginx configurations unsafely use the variables stored by Nginx. This can lead to issues such as XSS, bypassing HttpOnly-protection, information disclosure and in some cases even RCE.

SCRIPT_NAME

With a configuration such as the following:

The main issue is that Nginx will send any URL ending in .php to the PHP interpreter, even if the file doesn’t exist on disk. This is a common mistake in many Nginx configurations, as outlined in the “Pitfalls and Common Mistakes” document created by Nginx.

An XSS will occur if the PHP script tries to define a base URL based on SCRIPT_NAME:

Usage of $uri can lead to CRLF Injection

Another misconfiguration related to Nginx variables is to use $uri or $document_uri instead of $request_uri. $uri and $document_uri contain the normalized URI whereas the normalization in Nginx includes URL decoding the URI. Volema found that $uri is commonly used when creating redirects in the Nginx configuration which results in a CRLF injection.

An example of a vulnerable Nginx configuration is:

The new line characters for HTTP requests are \r (Carriage Return) and \n (Line Feed). URL-encoding them gives %0d%0a. When these characters are included in a request like http://localhost/%0d%0aDetectify:%20clrf to a server with the misconfiguration, the server will respond with a new header named Detectify, since the $uri variable contains the URL-decoded new line characters.
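An added example (not from the article) that shows why the choice of variable matters: it approximates nginx's $uri decoding, builds the Location header a `return 302 https://example.com$uri;` rule would emit versus the same rule with $request_uri, and counts the header lines a decoded CR/LF would split off. The redirect base https://example.com is a constructed value.

```python
from urllib.parse import unquote

REDIRECT_BASE = "https://example.com"   # constructed redirect target

def nginx_uri(request_target):
    """Approximate $uri: the request path, percent-decoded, query string dropped."""
    return unquote(request_target.split("?", 1)[0])

def location_header(request_target, variable):
    """Value nginx would place in the Location header for
    `return 302 https://example.com$uri;` versus the same rule with $request_uri."""
    if variable == "$uri":
        suffix = nginx_uri(request_target)   # decoded: %0d%0a becomes a real CRLF
    elif variable == "$request_uri":
        suffix = request_target              # raw, still percent-encoded
    else:
        raise ValueError(variable)
    return REDIRECT_BASE + suffix

def smuggled_header_lines(header_value):
    """Header lines that an injected CR/LF would split off from a single value."""
    return header_value.replace("\r\n", "\n").split("\n")[1:]

# The request from the article; with $uri the decoded CRLF starts a new header.
PROBE = "/%0d%0aDetectify:%20clrf"

if __name__ == "__main__":
    for var in ("$uri", "$request_uri"):
        print(var, smuggled_header_lines(location_header(PROBE, var)))
```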

Learn more about the risks of CRLF injection and response splitting at https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/.

Any variable

In some cases, user-supplied data can be treated as an Nginx variable. It’s unclear why this may be happening, but it’s not that uncommon or easy to test for as seen in this H1 report. If we search for the error message, we can see that it is found in the SSI filter module, thus revealing that this is due to SSI.

One way to test for this is to set a referer header value:

We scanned for this misconfiguration and found several instances where a user could print the value of Nginx variables. The number of found vulnerable instances has declined which could indicate that this was patched.

Raw backend response reading

With Nginx’s proxy_pass, there’s the possibility to intercept errors and HTTP headers created by the backend. This is very useful if you want to hide internal error messages and headers so they are instead handled by Nginx. Nginx will automatically serve a custom error page if the backend answers with one. But what if Nginx does not understand that it’s an HTTP response?

If a client sends an invalid HTTP request to Nginx, that request will be forwarded as-is to the backend, and the backend will answer with its raw content. Then, Nginx won’t understand the invalid HTTP response and just forward it to the client. Imagine a uWSGI application like this:

And with the following directives in Nginx:

proxy_intercept_errors will serve a custom response if the backend has a response status greater than 300. In our uWSGI application above, we will send a 500 Error which would be intercepted by Nginx.

proxy_hide_header is pretty much self explanatory; it will hide any specified HTTP header from the client.

If we send a normal GET request, Nginx will return:

But if we send an invalid HTTP request, such as:

We will get the following response:

merge_slashes set to off

The merge_slashes directive is set to “on” by default; it compresses two or more consecutive forward slashes into one, so /// becomes /. If Nginx is used as a reverse proxy and the application being proxied is vulnerable to local file inclusion, extra slashes in the request could leave room to exploit it. This is described in detail by Danny Robinson and Rotem Bar.

We found 33 Nginx configuration files with merge_slashes set to “off”.

Try it yourself

We have created a GitHub repository where you can use Docker to set up your own vulnerable Nginx test server with some of the misconfigurations discussed in this article and try finding them yourself!

Conclusion

Nginx is a very powerful web server platform and it is easy to understand why it is widely used. But with flexible configuration, you enable the ability to make mistakes that may have a security impact. Don’t make it too easy for an attacker to hack your site by leaving these common misconfigurations unchecked. Detectify can detect all of these misconfigurations and help you secure your site from would-be attackers if you don’t have time to manually check yourself. Sign up for a free 2-week trial today to get started!

Learn how web servers and application servers are different, how they’re the same, and how they combine to deliver most of the applications you use today.

Web server vs. application server: What is the difference?

By strict definition, a web server is a common subset of an application server.

A web server delivers static web content—e.g., HTML pages, files, images, video—primarily in response to hypertext transfer protocol (HTTP) requests from a web browser.

An application server typically can deliver web content too, but its primary job is to enable interaction between end-user clients and server-side application code—the code representing what is often called business logic—to generate and deliver dynamic content, such as transaction results, decision support, or real-time analytics. The client for an application server can be the application’s own end-user UI, a web browser, or a mobile app, and the client-server interaction can occur via any number of communication protocols.

In practice, however, the line between web servers and application servers has become fuzzier, particularly as the web browser has emerged as the application client of choice and as user expectations of web applications and web application performance have grown.

Most web servers support plug-ins for scripting languages (e.g., ASP, JSP, PHP, Perl) that enable the web server to generate dynamic content based on server-side logic. And an increasing number of application servers not only incorporate web server capabilities, but use HTTP as their primary protocol and support other protocols (e.g., CGI and CGI variants) for interfacing with web servers. They also allow web applications to leverage services like reverse proxy, clustering, redundancy, and load balancing—services that improve performance and reliability and allow developers to focus less on infrastructure and more on coding.

To make matters more confusing, many web servers and some application servers are referred to, or refer to themselves, as web application servers.

The bottom line is that today’s most popular web servers and application servers are hybrids of both. Most of the increasingly rich applications you use today feature a combination of static web content and dynamic application content, delivered via a combination of web server and application server technologies.

Open source web servers and application servers

The market is flooded with web servers and application servers—too many to list here. Instead, we thought it might be more valuable to list the most popular free, open source options available:

Nginx

Nginx is an open source web server that includes reverse proxy, load balancing, mail proxy, and HTTP cache capabilities. Commercial, supported versions of Nginx are also available from Nginx, Inc. According to the internet research and cybercrime prevention company Netcraft, Nginx served or proxied nearly 38% of all the world’s websites and over 25% of the million busiest sites as of December 2019. Well-known enterprise Nginx users include Dropbox, Netflix, and Zynga.

Apache HTTP Server

First released in 1995, Apache HTTP Server (also just known as ‘Apache’) is another very popular free, open source web server that, until very recently, powered more websites than any other web server—71% at its peak—before being overtaken by Nginx in April, 2019. As of December 2019, Apache served over 24% of all sites worldwide and 31% of the million busiest sites.

Apache Tomcat

Apache Tomcat is an open source application server that executes Java Servlets, renders and delivers web pages that include JavaServer Page code, and serves Java Enterprise Edition (Java EE) applications. Released in 1998, Tomcat is the most widely used open source Java application server.

Glassfish

Glassfish is an open source Java EE application server launched by Sun Microsystems in 2006, and it is hosted today by the Eclipse Foundation. Like most Java application servers, Glassfish supports Java Servlets, Enterprise JavaBeans (EJB), and more, but it can also function as a web server, serving up web content in response to HTTP requests.

Web servers, application servers, and IBM Cloud®

Web servers and application servers will remain part of application modernization as the demand for better customer experiences and more applications impacts business and IT operations. When it comes to meeting such demands, a move toward greater automation will help. Ideally, it would start with small, measurably successful projects, which you can then scale and optimize for other processes and in other parts of your organization. 

Working with IBM, you’ll have access to AI-powered automation capabilities, including prebuilt workflows, to help accelerate innovation by making every process more intelligent. 

Take the next step:

  • IBM offers HTTP Server, a web server included with other products such as IBM® WebSphere® Application Server. IBM HTTP Server is based on the Apache HTTP Server and provides all Apache features, plus IBM enhancements. Find out more about IBM HTTP Server Powered by Apache, Version 9.0.
  • IBM WebSphere Liberty is a Java EE application server designed for cloud native applications and microservices. WebSphere Liberty is built on the Open Liberty project, which provides an open source Java EE and MicroProfile core.
  • Read about the results of one company’s transition to the IBM WebSphere Application Server Liberty Profile on IBM Cloud.
  • Register to get the IBM Application Modernization Field Guide (PDF, 2.9 MB) to learn how to accelerate modernization, improve developer productivity and enhance operational efficiency and standardization. 
  • Check out a blog post about IBM WebSphere Hybrid Edition, which enables a phased approach to digital transformation.

Get started with an IBM Cloud account today.