Research | 2 mins

NGINX and Pathfinder Wordlists Release

Eden
Eden
Security Operations Analyst

Hey hackers,

We’re thrilled to share something in the works for a while—a brand-new NGINX paths wordlist designed to supercharge your web security efforts. Whether you’re a seasoned pro or just starting, this tool will make your job much easier.

Why Focus on NGINX?

This project focuses on identifying NGINX alias traversal vulnerabilities caused by misconfiguration. The technique utilized for this identification is based on a method presented by Orange Tsai at BlackHat USA 2018. The core idea is to check if a specially crafted request to a URL can bypass certain directory restrictions due to incorrect NGINX configuration.

Vulnerability Detection Technique

The specific vulnerability we are looking for occurs when a URL like https://example.com/static../ returns the same response as https://example.com/. This indicates that the server's configuration is not correctly handling the alias directive, allowing potential directory traversal attacks.

Methodology

  1. Data Collection from GitHub:
    • We accessed GitHub's dataset available on BigQuery, a powerful data analysis tool, to download all publicly available NGINX configuration files. This extensive dataset provides a comprehensive source for analyzing various configurations used in real-world scenarios.
  2. Analysis Using Gixy:
    • Gixy is an open-source tool designed to analyze NGINX configuration files for security issues and misconfigurations. We used Gixy to scan the downloaded NGINX configurations to identify those that are vulnerable to the alias traversal attack. This step automated the process of finding potential misconfigurations efficiently.
  3. Wordlist Compilation:
    • After identifying the vulnerable configurations, we compiled them into a wordlist. This wordlist serves as a reference for further testing and validation. Security researchers and administrators can use this wordlist to check their own servers for similar vulnerabilities.

What’s in the Wordlist?

Here’s what you can expect:

  • Common and rare NGINX configuration paths.
  • Default directories and installation paths.
  • Typical file names and structures used in NGINX.
  • Paths related to various NGINX modules and third-party plugins.

This list is all about giving you the upper hand in identifying weak spots in NGINX configurations.

Highlights:

  • Comprehensive: Our wordlist covers everything from default settings to the more obscure paths you might encounter.
  • Up-to-date: We’ll keep the list fresh with the latest paths from new NGINX versions and widespread configurations.
  • Community-Powered: We’re tapping into the knowledge of the security community to keep this wordlist as effective as possible.

How to Use It

Find it on our GitHub here.

Get Involved

We’d love for you to help us improve this wordlist. If you have suggestions or new paths, head to our GitHub page and contribute.

New Feature: Server Extractors Endpoint - Pathfinder

Pathfinder is an open-source tool designed to identify paths from exposed status pages. It focuses on parsing status pages of web servers and services like Apache, PHP-FPM, and Prometheus to extract unique paths which can be crucial for security assessments or web reconnaissance.

Here’s how to access the server extractor endpoint:

  • Find it here on Github.

Got questions or need more info? Reach out to us at: community@hadrian.io

Newsletter sign up

Get insights directly to your inbox

Subscribe to our newsletter for blog recaps, fresh tips, insights, and resource downloads.

Newsletter Example