first commit

nginx/insecure-configuration/README.md

@@ -0,0 +1,79 @@
+# Nginx Misconfiguration Vulnerabilities
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Nginx is a web server that can be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. This environment contains three vulnerabilities caused by Nginx misconfiguration.
+
+## Environment Setup
+
+Execute the following command to start a Nginx server with multiple vulnerabilities:
+
+```
+docker compose up -d
+```
+
+After successful execution, Nginx will listen on three ports: 8080/8081/8082, corresponding to three different vulnerabilities.
+
+## Mistake 1. CRLF Injection Vulnerability
+
+Nginx decodes `$uri`, which means inputting %0d%0a can introduce line breaks, leading to CRLF injection vulnerabilities.
+
+Example of incorrect configuration (originally intended to redirect HTTP requests to HTTPS):
+
+```
+location / {
+    return 302 https://$host$uri;
+}
+```
+
+Payload: `http://your-ip:8080/%0d%0aSet-Cookie:%20a=1`, which can inject a Set-Cookie header.
+
+![](5.png)  
+
+Using techniques from the article "[Bottle HTTP Header Injection Vulnerability Analysis](https://www.leavesongs.com/PENETRATION/bottle-crlf-cve-2016-9964.html)", you can construct an XSS vulnerability:
+
+![](1.png)
+
+## Mistake 2. Directory Traversal Vulnerability
+
+When configuring aliases in Nginx, forgetting to add a `/` will create a directory traversal vulnerability.
+
+Example of incorrect configuration (originally intended to allow users to access files in the /home/ directory):
+
+```
+location /files {
+    alias /home/;
+}
+```
+
+Payload: `http://your-ip:8081/files../`, successfully traversing to the root directory:
+
+![](2.png)
+
+## Mistake 3. add_header Override
+
+The `add_header` directive in Nginx configuration child blocks (server, location, if) will override HTTP headers added by `add_header` in the parent block, potentially creating security risks.
+
+For example, in the following code, CSP headers are added site-wide (in the parent block):
+
+```
+add_header Content-Security-Policy "default-src 'self'";
+add_header X-Frame-Options DENY;
+
+location = /test1 {
+    rewrite ^(.*)$ /xss.html break;
+}
+
+location = /test2 {
+    add_header X-Content-Type-Options nosniff;
+    rewrite ^(.*)$ /xss.html break;
+}
+```
+
+However, because the `/test2` location block adds an `X-Content-Type-Options` header, all `add_header` directives in the parent block become ineffective:
+
+![](3.png)
+
+XSS can be triggered:
+
+![](4.png)

nginx/insecure-configuration/README.zh-cn.md

@@ -0,0 +1,77 @@
+# Nginx 配置错误导致漏洞
+
+Nginx是一款Web服务器，可以作为反向代理、负载均衡、邮件代理、HTTP缓存等。这个Vulhub环境包含三个由Nginx配置错误导致的漏洞。
+
+## 测试环境
+
+执行以下命令启动一个包含多个漏洞的Nginx服务器：
+
+```
+docker compose up -d
+```
+
+运行成功后，Nginx将会监听8080/8081/8082三个端口，分别对应三种漏洞。
+
+## Mistake 1. CRLF注入漏洞
+
+Nginx会将`$uri`进行解码，导致传入%0d%0a即可引入换行符，造成CRLF注入漏洞。
+
+错误的配置文件示例（原本的目的是为了让http的请求跳转到https上）：
+
+```
+location / {
+    return 302 https://$host$uri;
+}
+```
+
+Payload: `http://your-ip:8080/%0d%0aSet-Cookie:%20a=1`，可注入Set-Cookie头。
+
+![](5.png)  
+
+利用《[Bottle HTTP 头注入漏洞探究](https://www.leavesongs.com/PENETRATION/bottle-crlf-cve-2016-9964.html)》中的技巧，即可构造一个XSS漏洞：
+
+![](1.png)
+
+## Mistake 2. 目录穿越漏洞
+
+Nginx在配置别名（Alias）的时候，如果忘记加`/`，将造成一个目录穿越漏洞。
+
+错误的配置文件示例（原本的目的是为了让用户访问到/home/目录下的文件）：
+
+```
+location /files {
+    alias /home/;
+}
+```
+
+Payload: `http://your-ip:8081/files../` ，成功穿越到根目录：
+
+![](2.png)
+
+## Mistake 3. add_header被覆盖
+
+Nginx配置文件子块（server、location、if）中的`add_header`，将会覆盖父块中的`add_header`添加的HTTP头，造成一些安全隐患。
+
+如下列代码，整站（父块中）添加了CSP头：
+
+```
+add_header Content-Security-Policy "default-src 'self'";
+add_header X-Frame-Options DENY;
+
+location = /test1 {
+    rewrite ^(.*)$ /xss.html break;
+}
+
+location = /test2 {
+    add_header X-Content-Type-Options nosniff;
+    rewrite ^(.*)$ /xss.html break;
+}
+```
+
+但`/test2`的location中又添加了`X-Content-Type-Options`头，导致父块中的`add_header`全部失效：
+
+![](3.png)
+
+XSS可被触发：
+
+![](4.png)

nginx/insecure-configuration/configuration/error1.conf

@@ -0,0 +1,13 @@
+server {
+	listen 8080;
+
+	root /usr/share/nginx/html;
+
+	index index.html;
+
+	server_name _;
+
+	location / {
+		return 302 http://$host:$server_port$uri;
+	}
+}

nginx/insecure-configuration/configuration/error2.conf

@@ -0,0 +1,15 @@
+server {
+	listen 8081;
+
+	root /usr/share/nginx/html;
+
+	index index.html;
+
+	server_name _;
+
+    autoindex on;
+
+	location /files {
+        alias /home/;
+    }
+}

nginx/insecure-configuration/configuration/error3.conf

@@ -0,0 +1,23 @@
+server {
+	listen 8082;
+
+	root /usr/share/nginx/html;
+
+	index index.html;
+
+	server_name _;
+
+    autoindex on;
+
+    add_header Content-Security-Policy "default-src 'self'";
+    add_header X-Frame-Options DENY;
+
+	location = /test1 {
+		rewrite ^(.*)$ /xss.html break;
+	}
+
+    location = /test2 {
+        add_header X-Content-Type-Options nosniff;
+        rewrite ^(.*)$ /xss.html break;
+    }
+}

nginx/insecure-configuration/docker-compose.yml

@@ -0,0 +1,11 @@
+services:
+ nginx:
+   image: vulhub/nginx:1
+   volumes:
+    - ./configuration:/etc/nginx/conf.d
+    - ./files/:/home/
+    - ./www/:/usr/share/nginx/html/
+   ports:
+    - "8080:8080"
+    - "8081:8081"
+    - "8082:8082"

nginx/insecure-configuration/files/help.txt

@@ -0,0 +1 @@
+This is a public file.

nginx/insecure-configuration/www/index.html

@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to nginx!</title>
+<link rel="stylesheet" href="static/app.css">
+</head>
+<body>
+<h1>Welcome to nginx!</h1>
+<p>If you see this page, the nginx web server is successfully installed and
+working. Further configuration is required.</p>
+
+<p>For online documentation and support please refer to
+<a href="http://nginx.org/">nginx.org</a>.<br/>
+Commercial support is available at
+<a href="http://nginx.com/">nginx.com</a>.</p>
+
+<p><em>Thank you for using nginx.</em></p>
+</body>
+</html>

nginx/insecure-configuration/www/static/app.css

@@ -0,0 +1,5 @@
+body {
+    width: 35em;
+    margin: 0 auto;
+    font-family: Tahoma, Verdana, Arial, sans-serif;
+}

nginx/insecure-configuration/www/static/app.js

@@ -0,0 +1,4 @@
+window.onload = function() {
+    var m = document.getElementById('m');
+    m.innerHTML = location.hash.substr(1);
+}

nginx/insecure-configuration/www/xss.html

@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>XSS Vulnerability</title>
+<script src="static/app.js"></script>
+</head>
+<body>
+<p id="m"></p>
+</body>
+</html>