• Komodo Research

Nginprox - An Opensource WAF to Protect against Malicious File Uploads

Updated: Jan 8, 2020

This project seeks to solve vulnerabilities caused by the upload of unwanted files to web application with the help of Nginx's reverse proxy feature.

A lot of modern web applications implement some variation of a file uploading system. Such systems can introduce vulnerabilities to the web application by having the user upload a file that will damage the server (a Web Shell) or a file that could be used to damage the users (an html file with scripts for example).


Nginx's reverse proxy works by reading a configuration file with proxy rules and redirecting incoming requests to the address in the configuration file.

These rules are read from top to Bottom and the most specific rule is chosen. So if


is requested, and in the configuration contains the following rules:

location = /help/* {
  proxy_pass http://real.server.com/help/main-page;
location = /help/contact-us {
  proxy_pass http://real.server.com/help/contact-us;

The request will be directed to http://real.server.com/help/contact-us

Using this feature we can create a configuration file on a reverse proxy server that specifically points to every page on the original server. In order to allow users to access uploaded files we can implement a rule with whitelisted file extensions using regex. And send the rest to a generic "404" page.

Note: This only blocks access to the uploaded file, and not the upload itself.

The Configuration File

Following the theory we create a configuration file with the following structure:

* Nginx Defaults (settings that need to be included in every Nginx configuration file).

* Specific proxy rules for every page on the original serverRegex.

* Whitelist for allowed file extensions.

* A catch all to catch all unrecognized requests and redirect them to a "404" page.


If the theory is correct we potentially found an end to all web shells, right? Well things are a bit more complicated than simple sites with URLs pointing to files on the server.

In the real world most web applications make use of rewrite rules to interact with dynamic pages. So the solution has to take that into account and potentially read the web-server's config file and create proxy rules that match.

The opensource project:



Recent Posts

See All