Nginx Merge Slashes Path Traversal

By klaudia

Critical
Vidoc Module
#nginx #path-traversal #exposure
Description

What is the "Nginx Merge Slashes Path Traversal"?

The "Nginx Merge Slashes Path Traversal" module is designed to detect a vulnerability in Nginx web servers. It specifically targets the merge_slashes directive, which, when set to 'off', leaves multiple adjacent slashes in a URI unnormalized. This misconfiguration can potentially lead to path traversal attacks, exposing sensitive files and directories on the server. The severity of this vulnerability is classified as critical.

Impact

Successful exploitation of the Nginx Merge Slashes Path Traversal vulnerability can result in unauthorized access to sensitive files and directories on the server. This can potentially lead to the exposure of confidential information, such as user credentials, configuration files, or other sensitive data. Attackers can leverage this vulnerability to gain a foothold in the system and further exploit the compromised server.

How does the module work?

The Nginx Merge Slashes Path Traversal module works by sending HTTP requests to the target server with a specially crafted path containing multiple slashes. It then applies matching conditions to determine if the vulnerability is present. The module checks for two specific conditions:

    - Regex Matcher: The module checks if the response body contains the string "root:[x*]:0:0". This indicates that the server's /etc/passwd file has been exposed, which is a clear indication of a successful path traversal attack.
    - Status Matcher: The module checks if the response status code is either 200 or 206. These status codes indicate a successful request, suggesting that the server is vulnerable to path traversal attacks.

The module preview below joins the two matchers with "and", so the module reports the vulnerability when both conditions are met, allowing administrators to take appropriate action to mitigate the risk.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET ///////../../../etc/...
Matching conditions
regex: root:[x*]:0:0
and
status: 200, 206
Passive global matcher
No matching conditions.
On match action
Report vulnerability
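
The request shape and status codes described above can also be looked for in a server's own access logs. The following is an added example, not part of the Vidoc module or the original page; it assumes nginx's default "combined" log format, and the log lines, addresses and placeholder.txt path are constructed for illustration.

```python
import re
from urllib.parse import unquote

# nginx "combined" format: addr - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
SLASH_RUN = re.compile(r"/{2,}")        # adjacent slashes left unmerged in the URI
DOTDOT = re.compile(r"(^|/)\.\.(/|$)")  # a parent-directory path segment
SERVED = {200, 206}                     # the status codes the module matches on

# Constructed sample log lines (documentation addresses, placeholder file name).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET //////../../../srv/placeholder.txt HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET ///%2e%2e/%2e%2e/srv/placeholder.txt HTTP/1.1" 400 157 "-" "-"',
    '198.51.100.4 - - [10/Mar/2024:10:00:03 +0000] "GET /static//img/logo.png HTTP/1.1" 200 8841 "-" "-"',
    '198.51.100.4 - - [10/Mar/2024:10:00:04 +0000] "GET /docs/../index.html?next=//a HTTP/1.1" 200 100 "-" "-"',
]


def classify(line):
    """Return None for unrelated lines, else a dict whose verdict is 'served' or 'probe'."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string, then decode percent-encoding twice to catch double encoding.
    path = unquote(unquote(m["target"].split("?", 1)[0]))
    if not (SLASH_RUN.search(path) and DOTDOT.search(path)):
        return None
    status = int(m["status"])
    return {"addr": m["addr"], "path": path, "status": status,
            "verdict": "served" if status in SERVED else "probe"}


def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["verdict"], hit["status"], hit["addr"], hit["path"])
```

A "served" hit means the server answered a multi-slash traversal request with 200 or 206 and should be triaged first; a "probe" hit records the attempt even though the request was rejected.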