Breaking Reverse Proxy Parser Logic
Original Post:
We discussed this vulnerability during Episode 149 on 30 May 2022
At its core, a simple path-normalization mismatch between a reverse proxy and the end server: one treated ..%2f as a traversal and the other did not. The author used this to reach internal NGINX Plus endpoints, then took it further and added his own server to the upstream list, so victims would be proxied to an attacker-controlled server. Cool way to escalate the issue that I’ve not seen before.
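To make the mismatch concrete, here is an added example (not code from the original post, the episode, or NGINX) that models the two parsers side by side: a naive front-end check that looks at the raw path before decoding, and a backend that percent-decodes and then collapses dot segments. The protected prefix /internal/ is a hypothetical stand-in for the restricted endpoints; the paths fed to it are constructed inputs. The hardened check decodes and normalizes at least as aggressively as the backend before applying the prefix rule, which is the fix a proxy operator would want.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical protected prefix; stands in for the endpoints a proxy must not expose.
INTERNAL_PREFIX = "/internal/"


def naive_proxy_allows(raw_path: str) -> bool:
    """Front-end check on the raw path only: no decoding, no normalization.

    This is the flawed behaviour: a literal '..' is never seen because the
    request carries it as '..%2f' (or '%2e%2e/'), so the prefix test passes.
    """
    return not raw_path.startswith(INTERNAL_PREFIX)


def backend_resolve(raw_path: str) -> str:
    """Backend behaviour: percent-decode, then collapse '.' and '..' segments.

    Only the path component is modelled here; query strings are out of scope.
    """
    decoded = unquote(raw_path)
    return posixpath.normpath(decoded)


def _fully_decode(path: str, max_rounds: int = 3) -> str:
    """Decode until the string stops changing, so double encoding (%252f) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def hardened_proxy_allows(raw_path: str) -> bool:
    """Decode and normalize before checking, so the proxy sees what the backend sees.

    Decoding more rounds than the backend does is safe for a deny-prefix rule:
    it can only reject more, never allow more.
    """
    normalized = posixpath.normpath(_fully_decode(raw_path))
    if not normalized.startswith("/"):
        return False  # relative or malformed path: reject rather than guess
    if normalized == INTERNAL_PREFIX.rstrip("/"):
        return False  # '/internal' without the trailing slash is the same resource
    return not normalized.startswith(INTERNAL_PREFIX)


def classify(raw_path: str) -> dict:
    """Run one request path through all three parsers and report the outcomes."""
    return {
        "naive_proxy_allows": naive_proxy_allows(raw_path),
        "backend_resolves_to": backend_resolve(raw_path),
        "hardened_proxy_allows": hardened_proxy_allows(raw_path),
    }


if __name__ == "__main__":
    # Constructed sample requests: one benign, one direct hit, two encoded traversals.
    for p in ["/public/index.html",
              "/internal/upstreams",
              "/public/..%2finternal/upstreams",
              "/public/%2e%2e/internal/upstreams"]:
        print(p, "->", classify(p))
```

The row to look at is /public/..%2finternal/upstreams: the naive proxy forwards it, the backend resolves it to /internal/upstreams, and the hardened check refuses it. The general rule this illustrates is that any access decision made in front of another parser has to be made on the same canonical form that parser will act on.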