
Common NGINX Misconfigurations That Leave Your Web Server Open To Attack

2021-09-24

Authors: Spencer Pearlman


Summary

Common NGINX misconfigurations that leave web servers vulnerable to attack:
  • NGINX is a popular web server powering one-third of all websites
  • Detectify's Security Research team analyzed almost 50,000 unique NGINX configuration files and discovered common misconfigurations
  • A missing root directive can lead to sensitive files being accessed
  • The off-by-slash vulnerability can allow access to sensitive files
  • Remediation involves using specific paths and ensuring they do not contain sensitive files

One example of a misconfiguration is the missing root directive, which can allow access to sensitive files on the server. It can be exploited by making a request to the root of the application, which then delivers files from the global root directive. To remediate this, specific paths should be used, and the directory named in the directive should not contain sensitive files.
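The two misconfiguration classes named in the summary, shown as a constructed NGINX configuration that is not part of the talk's own materials, with the weak setting beside a corrected one. The paths, upstream address and location names are assumptions chosen for illustration; the defensive point is that every location should resolve files from a narrowly scoped directory and that prefix matches and trailing slashes should line up.

```nginx
# Constructed example (not from the original talk). Comments explain why each
# block is risky and how the corrected block limits what can be served.

# --- Misconfiguration 1: missing root directive in a location block ---
server {
    listen 80;
    server_name weak.example;      # assumed name

    # The only root is server-wide and points at the NGINX config directory.
    root /etc/nginx;

    # No root here, so try_files falls back to /etc/nginx for anything under /.
    # A request for a file name that exists there is answered from the config
    # directory instead of from the application.
    location / {
        try_files $uri $uri/ =404;
    }
}

# Corrected: point the server root at a directory that holds only public
# assets, and give each location an explicit, specific path.
server {
    listen 80;
    server_name fixed.example;     # assumed name

    root /var/www/site/public;     # assumed path; contains only static assets

    location / {
        try_files $uri $uri/ =404;
    }

    location /static/ {
        root /var/www/site/public; # explicit root; no config or secrets below it
        try_files $uri =404;
    }
}

# --- Misconfiguration 2: off-by-slash (prefix location without trailing slash) ---
server {
    listen 80;
    server_name offbyslash.example; # assumed name

    # "/api" matches any URI that starts with "/api", not only "/api/...".
    # The path the client sends is passed along to the upstream unchanged.
    location /api {
        proxy_pass http://127.0.0.1:8080;   # assumed upstream
    }
}

# Corrected: match the prefix with its trailing slash so only paths strictly
# below /api/ are forwarded, and keep the upstream URI in step with it.
server {
    listen 80;
    server_name fixed-api.example;  # assumed name

    location /api/ {
        proxy_pass http://127.0.0.1:8080/api/;  # assumed upstream
    }
}
```

A practical check before reload is `nginx -t` for syntax and `nginx -T` to print the fully merged configuration, which makes it easy to see which `location` blocks inherit the server-wide `root` and which prefix matches lack a trailing slash.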

Abstract

NGINX is the web server powering one-third of all websites in the world. Detectify's Security Research team analyzed almost 50,000 unique NGINX configuration files downloaded from GitHub with Google BigQuery and discovered common misconfigurations that, if left unchecked, leave your web site vulnerable to attack. This training will walk through the most common issues, including demos and remediation tips for securing your web servers.
