Nginx Config file disclosure
Attacker can get unauthorized access of Nginx config file.
Security Misconfiguration (SM)
How this template works
The API selection filters in this template specify the criteria for selecting the API to be tested. In this case, the filters include the response code being greater than or equal to 200 and less than 300, and the URL being extracted and stored in the variable "urlVar".
The execute section defines the type of request to be executed. In this template, it is a single request. The request is modified by appending "/nginx.conf" to the extracted URL stored in the "urlVar" variable.
The validation section specifies the conditions that need to be met for the test to pass. It checks that the response code is equal to 200 and that the response payload contains the strings "server", "listen", and "server_name". It also ensures that the response payload does not contain the string "html>". If all these conditions are met, the test is considered successful.
Frequently asked questions
What is the purpose of the NGINX Config File Disclosure test
How does the NGINX Config File Disclosure test work
What are the criteria for a successful NGINX Config File Disclosure test
What is the impact of exposing NGINX configuration files
What category and severity level does the NGINX Config File Disclosure test fall under
Are there any references or resources available for further information on NGINX configuration file disclosure