Nginx

  • Designed for high performance and low resource usage, often used as a reverse proxy or load balancer.

  • It employs an event-driven architecture, handling many requests in a single thread, which allows it to efficiently serve static content and handle a large number of concurrent connections with minimal memory usage.

Headers List
Server
Server: nginx/1.18.0 (Ubuntu)
  • Discloses the Nginx version and OS

X-Powered-By
X-Powered-By: PHP/7.4.3
  • Reveals backend technologies

X-Forwarded-For
X-Forwarded-For: 192.168.1.1
  • Spoofing this header can bypass IP-based rate limits or access controls

X-Forwarded-Host
X-Forwarded-Host: evil.com
  • Manipulating this to evil.com can lead to cache poisoning or host header injection if the app trusts it blindly.

X-Forwarded-Proto
X-Forwarded-Proto: http
  • Forcing http instead of https can downgrade connections, enabling MITM attacks.

Strict-Transport-Security
Strict-Transport-Security: max-age=31536000; includeSubDomains
  • Missing this header allows SSL stripping. A short max-age (e.g., max-age=0) can also weaken security.

Content-Security-Policy
Content-Security-Policy: default-src 'self'
  • A weak CSP like default-src * allows loading scripts from any origin, enabling XSS

X-Content-Type-Options
X-Content-Type-Options: nosniff
  • Missing this header lets browsers MIME-sniff responses and treat a file as a different type than declared (e.g., text/plain rendered as text/html), leading to MIME confusion.

X-Frame-Options
X-Frame-Options: DENY
  • Absence of this header allows clickjacking

X-XSS-Protection
X-XSS-Protection: 1; mode=block
  • Disabling it (X-XSS-Protection: 0) or misconfiguring it can make XSS attacks easier.

Cache-Control
Cache-Control: no-store
  • Misconfigured caching (e.g., Cache-Control: public) can leak sensitive data.

Set-Cookie
Set-Cookie: sessionid=123; Secure; HttpOnly; SameSite=Strict
  • Missing Secure or HttpOnly (e.g., Set-Cookie: sessionid=123) exposes cookies to theft via MITM or XSS.

Location
Location: https://example.com/login
  • Open redirects (e.g., Location: https://evil.com) can be abused for phishing or SSRF.

CORS
Access-Control-Allow-Origin: *
  • Overly permissive CORS (e.g., *) allows any site to read responses, enabling CSRF or data theft.

Proxy Headers
Proxy-Authenticate: Basic realm="Proxy"
  • Leaks proxy auth details, which can be brute-forced or used in internal recon.

Via
Via: 1.1 proxy.example.com
  • Reveals internal proxies (e.g., Via: 1.1 internal-proxy), aiding infrastructure mapping.

ETag
ETag: "123abc"
  • Weak ETags (e.g., based on file timestamps) can be used for fingerprinting or cache poisoning.
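An added example, not part of these notes: a small Python checker that applies the header checks from the list above (Server version, X-Powered-By, HSTS, CSP, nosniff, X-Frame-Options, Cache-Control, Set-Cookie flags, CORS) to a raw HTTP response. The response it parses is constructed for the demo; X-XSS-Protection is deliberately not checked.

```python
import re

# Constructed sample response (not a real capture), deliberately misconfigured.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\n"
    "Content-Security-Policy: default-src *\r\nCache-Control: public\r\n"
    "Set-Cookie: sessionid=123\r\nAccess-Control-Allow-Origin: *\r\n\r\n<html>...</html>"
)

def parse_headers(raw):
    """Map lower-cased header names to their values (repeated headers are kept)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # [1:] skips the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_headers(headers):
    """Apply the checks from the header list above; return a list of findings."""
    def first(name):
        return headers.get(name, [""])[0]
    findings = []
    if re.search(r"nginx/\d", first("server")):
        findings.append("Server header discloses the nginx version")
    if "x-powered-by" in headers:
        findings.append("X-Powered-By reveals backend technology")
    hsts = re.search(r"max-age=(\d+)", first("strict-transport-security"))
    if not hsts or int(hsts.group(1)) == 0:
        findings.append("Strict-Transport-Security missing or max-age=0")
    csp = first("content-security-policy")
    if not csp or re.search(r"default-src[^;]*\*", csp):
        findings.append("Content-Security-Policy missing or default-src allows any origin")
    if first("x-content-type-options").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "x-frame-options" not in headers:
        findings.append("X-Frame-Options missing (clickjacking)")
    if "public" in first("cache-control").lower():
        findings.append("Cache-Control: public may cache sensitive responses")
    for cookie in headers.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"Set-Cookie {cookie.split('=', 1)[0]} lacks {flag}")
    if first("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin: * is overly permissive")
    return findings
```

Running `audit_headers(parse_headers(SAMPLE_RESPONSE))` on the constructed response reports ten findings; a response carrying the hardened values shown in the list above reports none.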

Enumeration

Configuration Files

/etc/nginx/nginx.conf
/etc/nginx/conf.d/

Logs
/var/log/nginx/access.log
/var/log/nginx/error.log
  • Look for virtual hosts in the /etc/nginx/sites-enabled directory:

grep -r "server {" /etc/nginx/
