
bayotop / Off By Slash

Licence: MIT
Burp extension to detect alias traversal via NGINX misconfiguration at scale.

Projects that are alternatives of or similar to Off By Slash

Docker Elastic Stack
ELK Stack Dockerfile
Stars: ✭ 175 (-8.85%)
Mutual labels: nginx
Docker Waf
An NGINX and ModSecurity based Web Application Firewall for Docker
Stars: ✭ 181 (-5.73%)
Mutual labels: nginx
Lightify
a reverse proxy that boosts the web app performance!
Stars: ✭ 187 (-2.6%)
Mutual labels: nginx
Webtech
Identify technologies used on websites.
Stars: ✭ 178 (-7.29%)
Mutual labels: burpsuite
Seconds Kill
A flash-sale (seckill) system based on Spring Boot + Redis + Kafka: optimistic locking + caching + rate limiting + async processing; TPS optimized from 500 to 3000
Stars: ✭ 180 (-6.25%)
Mutual labels: nginx
Ansipress
AnsiPress - Simple L(Linux) E(NGINX) M(MariaDB) P(PHP7) Shared Hosting Setup
Stars: ✭ 184 (-4.17%)
Mutual labels: nginx
Sinn
a blog based on react, webpack3, dva, redux, material-ui, fetch, generator, markdown, nodejs, koa2, mongoose, docker, shell, and async/await; a personal open-source blog system built on the react + koa2 stack
Stars: ✭ 175 (-8.85%)
Mutual labels: nginx
External Auth Server
easy auth for reverse proxies
Stars: ✭ 189 (-1.56%)
Mutual labels: nginx
Ansible Nginx Hardening
This Ansible role provides secure nginx configurations.
Stars: ✭ 180 (-6.25%)
Mutual labels: nginx
Goaccess
GoAccess is a real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser.
Stars: ✭ 14,096 (+7241.67%)
Mutual labels: nginx
Ansible Collection Hardening
This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL
Stars: ✭ 2,543 (+1224.48%)
Mutual labels: nginx
Mod zip
Streaming ZIP archiver for nginx 📦
Stars: ✭ 178 (-7.29%)
Mutual labels: nginx
Orange
OpenResty/Nginx Gateway for API Monitoring and Management.
Stars: ✭ 2,208 (+1050%)
Mutual labels: nginx
Badssl.com
🔒 Memorable site for testing clients against bad SSL configs.
Stars: ✭ 2,234 (+1063.54%)
Mutual labels: nginx
Knary
A simple HTTP(S) and DNS Canary bot with Slack/Discord/MS Teams & Pushover support
Stars: ✭ 187 (-2.6%)
Mutual labels: burpsuite
Smtpd
A Lightweight High Performance ESMTP email server
Stars: ✭ 175 (-8.85%)
Mutual labels: nginx
Graphite Fabric
fabric-graphite is a fabric script to install Graphite and all dependencies on a debian-based host (with optional vagrant support)
Stars: ✭ 181 (-5.73%)
Mutual labels: nginx
Laravel Deployment
📗 [WIP] A quality-focused course on deploying Laravel applications to production.
Stars: ✭ 190 (-1.04%)
Mutual labels: nginx
Blss
NGINX-based Live Media Streaming Server
Stars: ✭ 187 (-2.6%)
Mutual labels: nginx
Lua Resty Redis Connector
Connection utilities for lua-resty-redis
Stars: ✭ 186 (-3.12%)
Mutual labels: nginx

off-by-slash

Burp extension to detect alias traversal via NGINX misconfiguration at scale. Requires Burp Professional.

Usage

  1. git clone https://github.com/bayotop/off-by-slash/
  2. Burp -> Extender -> Add -> find and select off-by-slash.py

The extension implements an active scanner check. Simply run a new scan, preferably with an "Audit checks - extensions only" configuration, on static resources identified via Burp's crawler. Alternatively, use scrape.py with a list of URLs to scrape static resources from them; the results can be passed directly to a new Burp scan (Burp 2.0).

Description

https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf

A server is assumed to be vulnerable if a request to an existing path like https://example.com/static../ returns the same response as https://example.com/. To eliminate false positives, the misconfiguration has to be confirmed by successfully requesting an existing resource via path traversal. This is done as follows:

For the URL https://example.com/folder1/folder2/static/main.css, the extension generates the following links:

https://example.com/folder1../folder1/folder2/static/main.css
https://example.com/folder1../%s/folder2/static/main.css
https://example.com/folder1/folder2../folder2/static/main.css
https://example.com/folder1/folder2../%s/static/main.css
https://example.com/folder1/folder2/static../static/main.css
https://example.com/folder1/folder2/static../%s/main.css

Here %s stands for common directories used in alias paths, collected from around 9500 nginx configuration files on GitHub (thanks @TomNomNom); see directories.txt.
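The two-stage check described above, as an added example that is not the extension's own code: it generates the candidate links for a URL, then confirms the misconfiguration only when a candidate returns exactly the original resource. The nginx behaviour it simulates (the matched location prefix is swapped for the alias and the rest of the URI appended verbatim) is standard; the alias block, file contents and short stand-in for directories.txt are constructed for the example.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for directories.txt (common alias directory names).
COMMON_DIRS = ["static", "assets", "public"]

def traversal_candidates(url, common_dirs=COMMON_DIRS):
    """Generate the candidate URLs the README lists for `url`: for every
    directory segment, append '..' and re-enter either the same directory
    or one of the common alias directories (the README's %s)."""
    parts = urlsplit(url)
    segments = parts.path.split("/")[1:]      # drop the empty segment before '/'
    dirs, filename = segments[:-1], segments[-1]
    out = []
    for i, seg in enumerate(dirs):
        before, after = dirs[:i], dirs[i + 1:]
        for reenter in dict.fromkeys([seg, *common_dirs]):   # ordered, de-duplicated
            path = "/" + "/".join(before + [seg + "..", reenter] + after + [filename])
            out.append(urlunsplit(parts._replace(path=path)))
    return out

def simulate_nginx_alias(location, alias, files):
    """Return fetch(url) -> (status, body) mimicking one nginx block
    `location <location> { alias <alias>; }`. nginx replaces the matched
    prefix with the alias and appends the remainder, so when the location
    lacks a trailing slash, '/static../x' becomes '<alias>../x'."""
    def fetch(url):
        path = urlsplit(url).path
        if not path.startswith(location):
            return (404, b"")
        fs_path = posixpath.normpath(alias + path[len(location):])
        body = files.get(fs_path)
        return (200, body) if body is not None else (404, b"")
    return fetch

def confirm_traversal(url, fetch, common_dirs=COMMON_DIRS):
    """Second stage: report the misconfiguration only when a candidate URL
    serves the same status and body as the original resource."""
    baseline = fetch(url)
    if baseline[0] != 200:
        return []
    return [c for c in traversal_candidates(url, common_dirs) if fetch(c) == baseline]

# Constructed deployment: one CSS file served through an alias block.
FILES = {"/data/static/main.css": b"body{margin:0}"}
URL = "https://example.com/static/main.css"
vulnerable = simulate_nginx_alias("/static", "/data/static/", FILES)   # no trailing slash
fixed = simulate_nginx_alias("/static/", "/data/static/", FILES)       # trailing slash

if __name__ == "__main__":
    print(confirm_traversal(URL, vulnerable))  # ['https://example.com/static../static/main.css']
    print(confirm_traversal(URL, fixed))       # []
```

Adding the trailing slash to the location is what closes the hole: `/static../` no longer matches the prefix, so nothing is concatenated onto the alias path.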
