This project aims to mitigate vulnerabilities introduced by unwanted file uploads to web applications, using Nginx's reverse proxy feature.
Many modern web applications implement some variation of a file upload system. Such systems can introduce vulnerabilities into the application when a user uploads a file that executes on the server (a web shell) or a file that can be used against other users (an HTML file containing scripts, for example).
Theory
Nginx's reverse proxy works by reading a configuration file with proxy rules and forwarding each incoming request to the upstream address given in the rule that matches it.
These rules are not evaluated top to bottom. Nginx first checks exact-match (=) locations; if none matches, it remembers the longest matching prefix location (a ^~ prefix ends the search there); it then tries regular-expression (~) locations in the order they appear in the file and takes the first match; if no regex matches, the remembered prefix location is used. So, if example.com/help/contact-us is requested and the configuration contains the following rules:
location /help/ {
    proxy_pass http://real.server.com/help/;
}
location = /help/contact-us {
    proxy_pass http://real.server.com/help/contact-us;
}
Then the request is forwarded to http://real.server.com/help/contact-us, because the exact match takes precedence over the prefix rule regardless of the order in which the two rules are written. (Note that "location = /help/*" would not work as a wildcard: "=" is an exact match and "*" is not a glob, so it would only ever match the literal path /help/*.)
Using this feature, we can create a configuration on a reverse proxy placed in front of the origin server that names every page of the original application explicitly. A regex rule whitelisting allowed file extensions lets users reach uploaded files, and everything else falls through to a catch-all that returns a generic "404" page.
Note: this only blocks access to uploaded files; it does not prevent the upload itself. It also only helps if the origin server cannot be reached except through the proxy (bind it to localhost or firewall it), and the check is on the request path alone: a file whose contents do not match its extension, or a web shell uploaded under a whitelisted extension, still passes, so the origin must not execute anything from the upload directory.
The Configuration File
Following the theory, we create a configuration file with the following structure:
* Nginx defaults (settings that every Nginx configuration file must include).
* Specific proxy rules for every page on the original server.
* A regex whitelist for allowed file extensions.
* A catch-all that catches all unrecognized requests and returns a "404" page.
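As an added illustration (not code from the original project), the following Python script renders a server block with those four parts from a constructed route list and extension whitelist, and simulates Nginx's location selection order (exact match, then longest prefix, then first matching regex, then the remembered prefix) on a few constructed request paths. The origin address http://real.server.com, the routes, the upload directory and the extension list are assumptions made for the example.

```python
import re

# Added example, not the project's own code. Constructed inputs: a hypothetical
# origin, the pages the origin application serves, and the allowed upload types.
ORIGIN = "http://real.server.com"
PAGES = ["/", "/help/contact-us", "/login"]          # constructed route list
UPLOAD_PREFIX = "/uploads/"                          # contains no regex metacharacters
ALLOWED_EXT = ["jpg", "jpeg", "png", "gif", "pdf"]   # constructed whitelist


def whitelist_regex(exts):
    """Anchored regex for $uri: one path segment under the upload directory
    ending in an allowed extension. nginx matches the decoded path only, so a
    query string such as ?name=x.jpg never takes part in the match."""
    return r"^" + UPLOAD_PREFIX + r"[^/]+\.(" + "|".join(exts) + r")$"


def build_rules(pages, exts):
    """Location rules in file order as (modifier, pattern, action) triples."""
    rules = [("=", page, f"proxy_pass {ORIGIN}{page}") for page in pages]
    # proxy_pass without a URI part: nginx requires that inside a regex location.
    rules.append(("~", whitelist_regex(exts), f"proxy_pass {ORIGIN}"))
    rules.append(("", "/", "return 404"))            # catch-all
    return rules


def choose_location(uri, rules):
    """Mimic nginx's location selection: an exact (=) match wins outright;
    otherwise the longest matching prefix is remembered (a ^~ prefix stops
    the search); then regex (~) locations are tried in file order and the
    first match wins; if none matches, the remembered prefix is used."""
    for mod, pat, action in rules:
        if mod == "=" and uri == pat:
            return action
    longest = None
    for mod, pat, action in rules:
        if mod in ("", "^~") and uri.startswith(pat):
            if longest is None or len(pat) > len(longest[1]):
                longest = (mod, pat, action)
    if longest is not None and longest[0] == "^~":
        return longest[2]
    for mod, pat, action in rules:
        if mod == "~" and re.search(pat, uri):
            return action
    return longest[2] if longest is not None else None


def render_config(pages, exts):
    """Render the nginx server block: per-page rules, regex whitelist, catch-all."""
    out = ["server {", "    listen 80;", "    server_name example.com;", ""]
    for mod, pat, action in build_rules(pages, exts):
        out.append(f"    location {mod} {pat} {{".replace("location  ", "location "))
        out.append(f"        {action};")
        if mod == "~":
            # The extension check says nothing about the bytes inside the
            # file, so at least stop browsers from sniffing a different type.
            out.append("        add_header X-Content-Type-Options nosniff always;")
        out.append("    }")
    out.append("}")
    return "\n".join(out)


RULES = build_rules(PAGES, ALLOWED_EXT)

SAMPLE_URIS = [                                   # constructed test requests
    "/help/contact-us",        # listed page: proxied
    "/uploads/photo.jpg",      # allowed extension: proxied
    "/uploads/shell.php",      # unlisted extension: 404
    "/uploads/shell.php.jpg",  # passes the extension test; origin must not run it
    "/uploads/sub/shell.php",  # subdirectory: 404
    "/admin/shell.php",        # not a listed page: 404
]

if __name__ == "__main__":
    print(render_config(PAGES, ALLOWED_EXT))
    for uri in SAMPLE_URIS:
        print(f"{uri:28} -> {choose_location(uri, RULES)}")
```

Running the script prints the rendered configuration followed by the action chosen for each sample path. Two results are worth noting: /uploads/shell.php.jpg is proxied because the whitelist only inspects the name, so the origin must never execute files from the upload directory; and the regex is matched against the decoded $uri, so a query string cannot satisfy it. Use ~* instead of ~ if uploads may carry upper-case extensions.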
Issues
If the theory holds, have we found an end to all web shells? Real applications are more complicated than simple sites whose URLs map directly to files on the server.
In the real world, most web applications use rewrite rules to serve dynamic pages, and routes with variable segments (an ID in the path, for example) cannot be enumerated as exact-match rules. So the solution has to account for that, potentially by reading the web server's configuration file and generating matching prefix or regex proxy rules from it.
The open-source project: