gixy: Nginx configuration static analyzer – Penetration Testing

Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.

Currently supported Python versions are 2.7 and 3.5+.

Right now Gixy can find:

[ssrf] Server Side Request Forgery

[http_splitting] HTTP Splitting

[origins] Problems with referrer/origin validation

[add_header_redefinition] Redefinition of response headers by the “add_header” directive

[host_spoofing] Request’s Host header forgery

[valid_referers] none in valid_referers

[add_header_multiline] Multiline response headers

Installation

pip install gixy

Usage

By default Gixy analyzes the Nginx configuration at /etc/nginx/nginx.conf, but you can always specify a different path:

$ gixy /etc/nginx/nginx.conf

==================== Results ===================

Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: http://ift.tt/2oJ5ioX
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;

	server {

		location ~ /v1/((?<action>[^.]*)\.json)?$ {
			add_header X-Action $action;
		}
	}

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 0
    High: 1
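As an added example (not part of the post and not Gixy's own code), the script below reproduces the reasoning behind the http_splitting report: it pulls each named capture group out of the location regex, checks whether the group body can match a newline, and flags any such group that is echoed into an add_header value. The check is a simplified heuristic rather than Gixy's real regex analysis, and the hardened location regex is an assumption.

```python
import re

# Constructed sample, mirroring the Gixy report above: a named capture group
# from the location regex is echoed verbatim into a response header.
VULNERABLE_LOCATION = r"/v1/((?<action>[^.]*)\.json)?$"
# Assumed hardened variant: the group body can no longer contain CR or LF,
# so the captured value can never terminate a header line.
HARDENED_LOCATION = r"/v1/((?<action>[^.\r\n]*)\.json)?$"
HEADER_VALUE = "$action"


def pcre_to_python(pattern):
    """Nginx uses PCRE named groups (?<name>...); Python spells them (?P<name>...)."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)


def named_group_bodies(pattern):
    """Map each named group to the sub-pattern inside it by matching parentheses."""
    bodies = {}
    for m in re.finditer(r"\(\?<([A-Za-z_]\w*)>", pattern):
        depth, i = 1, m.end()
        while i < len(pattern) and depth:
            ch = pattern[i]
            if ch == "\\":
                i += 1  # skip the escaped character so "\)" is not a closer
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            i += 1
        bodies[m.group(1)] = pattern[m.end():i - 1]
    return bodies


def can_capture_newline(body):
    """Heuristic (not Gixy's algorithm): does the group body accept a probe with LF?
    A negated class such as [^.] matches newline in both PCRE and Python."""
    rx = re.compile(pcre_to_python(body))
    return any(rx.fullmatch(probe) for probe in ("\n", "a\nb", "a\r\nb"))


def find_header_injection(location_regex, header_value):
    """Return the header variables that come from newline-capable capture groups."""
    bodies = named_group_bodies(location_regex)
    used = set(re.findall(r"\$\{?(\w+)\}?", header_value))
    return sorted(v for v in used if v in bodies and can_capture_newline(bodies[v]))


if __name__ == "__main__":
    print("vulnerable:", find_header_injection(VULNERABLE_LOCATION, HEADER_VALUE))
    print("hardened:  ", find_header_injection(HARDENED_LOCATION, HEADER_VALUE))
```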

Source: Github

The post gixy: Nginx configuration static analyzer appeared first on Penetration Testing. http://ift.tt/2sRrzP1 http://ift.tt/2aM8QhC
