In October 2021 I was researched ingress-nginx for possibility to bypass external authentication using path traversal. It was origin story for other investigations regarding insecure usage of $request_uri which leaded to Apache APISIX CVE-2021-43557.

To successful bypass access control using path traversal in $request_uri, you need to have buggy authentication/authorization service. Buggy in a way it’s not normalizing url/uri that is part of access control decision. Let me find more of those on github that are relying on X-Original-Url.

In this article, I will extend topic by bug bounty tips for weaknesses in authentication/authorization implementation in relation to nginx’s $request_uri variable. APIs This vulnerability is for APIs. Best scenario are microservice deployed to Kubernetes and exposed by ingress controller.

In this part I will research another ingress controller based on nginx: 🦍 kong. At the end of article I will mention in short F5 NGINX Ingress Controller. In kong there is no explicit feature called external authentication, but developers gave possibility to create it using plugins.

After checking Apache APISIX and Traefik, for path traversal in authZ context, now I will research Emissary ingress. In Emissary there is feature called Basic authentication, which is very similar to forward authentication discussed in Traefik.

In my previous post about Apache APISIX I have found path traversal in uri-blocker plugin. In this text I will focus on yet another ingress controller which is Traefik. It has feature called forward auth. At the end I will mention HAProxy ingress controller.

In this article I will present my research on insecure usage of $request_uri variable in Apache APISIX ingress controller. My work end up in submit of security vulnerability, which was positively confirmed and got CVE-2021-43557. At the end of article I will mention in short Skipper which I tested for same problem.

Lately I have come across task to perform security review of Azure subscription. It was white-box based and I had access to all terraform, Kubernetes and Docker files. I will share with you what checks are worth to do for such review.

This story will explain how to find and exploit SpEL parser in web applications based on Java language. What is SpEL ? From Spring documentation: The Spring Expression Language (SpEL for short) is a powerful expression language that supports querying and manipulating an object graph at runtime.

This is last part of my stories about exploiting service with SSRF bug. Part 1 is available here, and part 2 here. This part is focused on abusing Node.js and node-fetch library. I will try to “talk” with Redis service using CRLF injection in http parser.