Breaking Reverse Proxy Parser Logic

We discussed this vulnerability as part of our weekly podcast on 31 May 2022.

At its core, this is a simple path-normalization mismatch between a reverse proxy and the end server: one treated ..%2f as a traversal and the other did not. The author used it to access internal NGINX Plus endpoints and add his own server to the upstream list, so victims would be proxied to an attacker-controlled server. Cool way to escalate the issue that I’ve not seen before.
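
To make the mismatch concrete, here is an added example (not code from the original write-up) that flags request targets whose meaning depends on whether percent-decoding happens before or after dot-segment resolution. The `proxy_view` and `backend_view` functions are hypothetical models of the two behaviours, not the actual normalization code of NGINX or any other server, and the paths are constructed.

```python
import posixpath
from urllib.parse import unquote

def proxy_view(target: str) -> str:
    """Hypothetical proxy: resolves dot segments but leaves %2f encoded."""
    path = target.split("?", 1)[0]
    return posixpath.normpath(path)

def backend_view(target: str) -> str:
    """Hypothetical backend: percent-decodes first, then resolves dot segments."""
    path = target.split("?", 1)[0]
    return posixpath.normpath(unquote(path))

def views_disagree(target: str) -> bool:
    """True when the decode order changes which resource the path names."""
    return unquote(proxy_view(target)) != backend_view(target)

def _inside(path: str, prefix: str) -> bool:
    return path == prefix.rstrip("/") or path.startswith(prefix)

def escapes_prefix(target: str, prefix: str) -> bool:
    """True when the proxy matches the prefix but the backend resolves outside it."""
    return _inside(proxy_view(target), prefix) and not _inside(backend_view(target), prefix)

# Constructed request targets, as they might appear in a proxy access log.
SAMPLE_TARGETS = [
    "/public/logo.png",
    "/public/app%20v2.js",               # encoded space: both views agree
    "/public/css/../logo.png",           # plain traversal: both views agree
    "/public/..%2finternal/status",      # encoded slash: views diverge
    "/public/..%2Finternal/status?x=1",  # same, upper-case hex and a query string
]

def flag(targets, prefix="/public/"):
    """Return the targets a defender should reject or alert on."""
    return [t for t in targets if views_disagree(t) or escapes_prefix(t, prefix)]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t!r:40} proxy={proxy_view(t)!r} backend={backend_view(t)!r}")
    print("flagged:", flag(SAMPLE_TARGETS))
```

Rejecting any target for which `views_disagree` is true at the edge removes the ambiguity regardless of which component decodes first.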