12 Free Open-source Nginx Pentesting and Misconfiguration Scanners and Tools
Nginx is a popular open-source server that runs most of the websites, web apps and services on the internet nowadays. However, bad configuration can leave your website vulnerable to hackers.
Some may use some Nginx dashboards and UI tools for better and easier system configuration, you may read about them in the following post: 10 Free Nginx Dashboards and Control Panels - Manage Nginx Sites and Configuration Easily
If you wanna more better security for your Nginx server, you may choose to use the following tool: Block Bad Bots, Spams, Vulnerability Scanners, on Nginx with NGINX BAD BOT BLOCKER.
In this post, we provide a list of the best open-source tools, libraries, and frameworks that enable you to scan your Nginx server and configuration to ensure your Nginx installation is secure.
1- Nginxpwner
Nginxpwner is a Python-based simple tool to look for common Nginx misconfigurations and vulnerabilities. It can be easily installed from source or using Docker.
Features
- Version Check: Retrieves the Nginx version and identifies potential exploits using Searchsploit, informing whether it is outdated.
- Wordlist Scanning: Executes a wordlist specific to Nginx via Gobuster to identify vulnerabilities.
- CRLF Vulnerability Check: Assesses for CRLF vulnerabilities due to misconfigurations using
$uri
in redirects and checks all provided paths for CRLF issues. - PURGE Method Check: Verifies if the PURGE HTTP method is accessible externally, which could lead to security issues.
- Variable Leakage Detection: Identifies misconfigurations that may lead to variable leakage.
- Path Traversal Vulnerability Testing: Checks for path traversal vulnerabilities by ensuring
merge_slashes
is set tooff
. - Hop-by-Hop Header Testing: Tests for differences in response lengths when using hop-by-hop headers (e.g., X-Forwarded-Host) to detect anomalies.
- Kyubi Integration: Uses Kyubi to test for path traversal vulnerabilities via misconfigured aliases.
- 401/403 Bypass Testing: Tests for possible bypasses of 401/403 responses using the X-Accel-Redirect header.
- Raw Backend Response Check: Displays payloads to evaluate potential raw backend reading response misconfigurations.
- PHP-Specific Tests: Checks if the site uses PHP and suggests additional Nginx-specific tests for PHP environments.
- Integer Overflow Vulnerability Test: Tests for the common integer overflow vulnerability in Nginx's range filter module (CVE-2017-7529).
2- Gixy
Gixy is a tool for analyzing Nginx configuration. The main goal of Gixy is to prevent security misconfigurations and automate flaw detection. Gixy is well-tested only on GNU/Linux; other operating systems may have some issues.
Currently, the supported Python versions are 2.7, 3.5, 3.6, and 3.7. However, it can be easily installed using Docker.
3- Arachni
Arachni is an open-source web application security scanner designed to identify vulnerabilities in web applications. It offers features such as an intuitive user interface, extensive scanning capabilities, and the ability to detect a wide range of security issues, including SQL injection, cross-site scripting (XSS), and more.
Arachni is built to be highly modular and supports both automated and manual testing, making it suitable for penetration testers and security researchers.
Regarding Nginx configuration misconfigurations, Arachni primarily focuses on web application vulnerabilities rather than specific server configurations like those in Nginx.
However, it can indirectly reveal issues related to misconfigurations if they lead to exploitable vulnerabilities. For more dedicated analysis of Nginx configurations, tools specifically designed for configuration auditing, such as Gixy, would be more effective.
4- off-by-slash for Burp Suite
Burp Suite is a popular web application security testing tool developed by PortSwigger. It provides a range of features for identifying vulnerabilities in web applications, including scanning, crawling, and intruding functionalities. Security professionals and penetration testers use it to help secure their applications by detecting common web vulnerabilities like SQL injection, cross-site scripting (XSS), and others.
The Off-by-slash nginx-alias-traversal extension for Burp Suite specifically targets a known vulnerability associated with misconfigured alias
directives in Nginx. This extension automates the process of testing for path traversal vulnerabilities that may allow attackers to access sensitive files on the server.
By leveraging this extension, security testers can quickly identify and mitigate potential security risks in Nginx configurations.
5- nginxScanner
The nginx scanner detects the current nginx version on the web server and detects the versions CVE
6- Trivy
Trivy is an open-source vulnerability scanner developed by Aqua Security. It specializes in identifying security vulnerabilities in container images, file systems, and Git repositories. Trivy offers a simple command-line interface that provides users with an easy way to scan their applications and infrastructure for known vulnerabilities by utilizing various databases, including the National Vulnerability Database (NVD).
As for its capabilities regarding Nginx, Trivy primarily focuses on container vulnerabilities, including libraries and dependencies within Docker images.
While it can identify security issues related to applications running in Nginx containers, it does not specifically scan for Nginx configuration vulnerabilities like some dedicated Nginx scanning tools.
7- Wazuh
Wazuh is an open-source platform designed for threat prevention, detection, and response, offering comprehensive security across on-premises, virtual, containerized, and cloud environments. It utilizes endpoint agents for monitoring and a management server for data analysis.
Its key features include intrusion detection, log data analysis, file integrity monitoring, and vulnerability detection.
Wazuh integrates with the Elastic Stack for enhanced data visualization and alert management. It can scan for vulnerabilities in applications running on Nginx misconfigured servers, but does not specifically focus on Nginx configuration issues.
8- Nikto web server scanner
Nikto 2.5 is an open-source web server scanner that performs extensive tests on web servers for security vulnerabilities, including over 7,000 potentially dangerous files and outdated server versions. It checks for configuration issues and identifies installed web servers and software.
While designed for speed, Nikto's testing can be easily detected by log files or intrusion detection systems. The tool includes some informational checks that may not indicate security flaws but can highlight important server configurations. Users can also utilize LibWhisker's anti-intrusion detection methods for stealthier operations.
Features
- IPv6 support (new!)
- SSL support (Unix with OpenSSL or Windows with ActiveState's
Perl/NetSSL) - Full HTTP proxy support
- Checks for outdated server components
- Save reports in plain text, SQL, XML, HTML, NBE, JSON, or CSV
- Template engine to easily customize reports
- Scan multiple ports on a server, or multiple servers via input file (including nmap output)
- LibWhisker's IDS encoding techniques
- Identifies installed software via headers, favicons and files
- Host authentication with Basic and NTLM support
- Subdomain guessing
- Apache and cgiwrap username enumeration
- Mutation techniques to "fish" for content on web servers
- Scan tuning to include or exclude entire classes of vulnerability
checks - Guess credentials for authorization realms (including many default id/pw combos)
- Authorization guessing handles any directory, not just the root
directory - Enhanced false positive reduction via multiple methods: headers,
page content, and content hashing - Reports "unusual" headers seen
- Interactive status, pause and changes to verbosity settings
- Save full request/response for positive tests
- Replay saved positive requests
- Maximum execution time per target
- Auto-pause at a specified time
- Checks for common "parking" sites
9- Nuclei
Nuclei is an open-source tool designed for fast and customizable vulnerability scanning, particularly for web applications and infrastructure. Developed by ProjectDiscovery, it allows users to conduct automated security assessments by executing various types of templates, which define the specific checks to be performed. This flexibility makes Nuclei a powerful asset for penetration testers and security researchers.
The Nuclei Templates repository hosts a collection of community-contributed templates that cover a wide range of vulnerabilities and security checks. These templates enable users to quickly adapt their scans to target specific vulnerabilities or conditions, ensuring efficient and thorough assessments of their security posture. You may check the Nginx template.
Here is a custom template to check for Nginx.
10- reNgine
reNgine is an advanced automated reconnaissance framework tailored for web applications, emphasizing a highly customizable and efficient recon process. It is designed to enhance the work of security professionals, penetration testers, and bug bounty hunters by facilitating seamless data collection and organization.
reNgine primarily focuses on web application reconnaissance and does not specifically scan for vulnerabilities in Nginx or other server configurations. Its design is aimed at gathering intelligence on web applications rather than conducting in-depth security assessments of server software like Nginx.
11- Kyubi
Kyubi is a free and open-source tool to discover and exploit Nginx alias traversal misconfiguration, the tool can bruteforce the URL path recursively to find out hidden files and directories.
Users can choose to install it from source or within Docker.
12- Scanginx
Free Scanner For Nginx - Remote Integer Overflow Vulnerability.
Read More
- Common Nginx misconfigurations that leave your web server open to attack
- HackTricks - Nginx Configuration
- Nginx Version Detection Scanner
- Nginx Security: How To Harden Your Server Configuration
- Securing Your Nginx Web Server