Nginxpwner : Tool To Look For Common Nginx Misconfigurations & Vulnerabilities

Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities.

Install

cd /opt
git clone https://github.com/stark0de/nginxpwner
cd nginxpwner
chmod +x install.sh
./install.sh

Usage

Target tab in Burp, select host, right click, copy all URLs in this host, copy to a file
cat urllist | unfurl paths | cut -d”/” -f2-3 | sort -u > /tmp/pathlist
Or get the list of paths you already discovered in the application in some other way. Note: the paths should not start with /
Finally:
python3 nginxpwner.py https://example.com /tmp/pathlist

Notes

It actually checks for:

  • Gets Ngnix version and gets its possible exploits using searchsploit and tells if it is outdated
  • Throws a wordlist specific to Nginx via gobuster
  • Checks if it is vulnerable to CRLF via a common misconfiguration of using $uri in redirects
  • Checks for CRLF in all of the paths provided
  • Checks if the PURGE HTTP method is available from the outside
  • Checks for variable leakage misconfiguration
  • Checks for path traversal vulnerabilities via merge_slashes set to off
  • Tests for differences in the length of requests when using hop-by-hop headers (ex: X-Forwarded-Host)
  • Uses Kyubi to test for path traversal vulnerabilities via misconfigured alias
  • Tests for 401/403 bypass using X-Accel-Redirect
  • Shows the payload to check for Raw backend reading response misconfiguration
  • Checks if the site uses PHP and suggests some nginx-specific tests for PHP sites
  • Tests for the common integer overflow vulnerability in Nginx’s range filter module (CVE-2017-7529)

The tool uses the Server header in the response to do some of the tests. There are other CMS and so which are built on Nginx like Centminmod, OpenResty, Pantheon or Tengine for example which don’t return that header. In that case please use nginx-pwner-no-server-header.py with the same parameters than the other script

Also, for the exploit search to run correctly you should do: searchsploit -u in Kali from time to time

The tool does not check for web cache poisoning/deception vulnerabilities nor request smuggling, you should test that with specific tools for those vulnerabilities. NginxPwner is mainly focused in misconfigurations developers may have introduced in the nginx.conf without being aware of them.

Credit to shibli2700 for his awesome tool Kyubi https://github.com/shibli2700/Kyubi and to all the contributors of gobuster. Credits also to Detectify (which actually discovered many of this misconfigurations in NGINX)

R K

Recent Posts

Understanding the Model Context Protocol (MCP) and How It Works

Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…

7 days ago

The file Command – Quickly Identify File Contents in Linux

While file extensions in Linux are optional and often misleading, the file command helps decode what a…

1 week ago

How to Use the touch Command in Linux

The touch command is one of the quickest ways to create new empty files or update timestamps…

1 week ago

How to Search Files and Folders in Linux Using the find Command

Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…

1 week ago

How to Move and Rename Files in Linux with the mv Command

Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…

1 week ago

How to Create Directories in Linux with the mkdir Command

Creating directories is one of the earliest skills you'll use on a Linux system. The mkdir (make…

1 week ago