# Nginx

## Alias LFI Misconfiguration

Inside the Nginx configuration look the "location" statements, if someone looks like:

```text
location /imgs { 
    alias /path/images/ 
}
```

There is a LFI vulnerability because:

```text
/imgs../flag.txt
```

Transforms to:

```text
/path/images/../flag.txt
```

The correct configuration will be:

```text
location /imgs/ { 
    alias /path/images/ 
}
```

**So, if you find some Nginx server you should check for this vulnerability. Also, you can discover it if you find that the files/directories brute force is behaving weird.**

More info: [https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)

Accunetix tests:

```text
alias../ => HTTP status code 403
alias.../ => HTTP status code 404
alias../../ => HTTP status code 403
alias../../../../../../../../../../../ => HTTP status code 400
alias../ => HTTP status code 403
```

## Static Analyzer tools

### [GIXY](https://github.com/yandex/gixy)

Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.