Dealing with reverse proxy Gateway Time-outs


Nick Knox

Nov 11, 2022, 5:35:07 PM
to OWASP ZAP User Group
I'm dealing with a web app that is behind an nginx reverse proxy and I don't have the option to attack it directly. The problem is that this particular web app does not properly send a response in the event of an input error. Here's an example of what this code probably looks like.

image.png

As you can see, this causes a request that DOES crash the authenticate function to hang indefinitely rather than return a proper 500 server error. The Nginx reverse proxy keeps the connection open for a full 60 seconds before finally returning a 504 nginx time-out error.

To make matters worse, the error is triggered on the backend whenever any request containing a quote (', ", `) is sent, which is frankly a majority of the payloads that ZAP provides. To scan this one endpoint with ZAP requires over a minute per request, which means I'll be here all day.

I'm looking for a way to tell ZAP to abandon a connection if it takes longer than, say, 15 seconds.

Could I use more threads?
Unfortunately, I actually have to add an additional second delay between requests in order to not get Bad Gateway errors from nginx.

Doesn't this error mean there's probably a vulnerability?
Yes, and I actually know what it is, but I'm trying to get ZAP to find it and I want the result before I die of old age.

Thanks in advance,
KNOXDEV
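The behaviour described in this post, reproduced locally as an added example (not the poster's code and not part of ZAP): a constructed backend that goes silent when the input contains a quote, its corrected form that answers with a 500, and a client that abandons the request after a per-request deadline. The names `authenticate`, `start_backend`, `probe` and the `/login?user=` endpoint are assumptions made for illustration.

```python
import socket
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def authenticate(user):
    # Constructed stand-in for the backend bug: any quote character raises.
    if any(q in user for q in ("'", '"', "`")):
        raise ValueError("unhandled input error")

class Backend(BaseHTTPRequestHandler):
    hardened = False   # True = corrected behaviour
    hang_secs = 60     # how long the buggy path sits silent
    def do_GET(self):
        query = urllib.parse.urlsplit(self.path).query
        user = urllib.parse.parse_qs(query).get("user", [""])[0]
        status = 200
        try:
            authenticate(user)
        except ValueError:
            if not self.hardened:
                # Bug: the error is swallowed and no response is written.
                threading.Event().wait(self.hang_secs)
                return
            status = 500   # Fix: always answer so callers fail fast.
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass   # keep the demo quiet

def start_backend(hardened, hang_secs=60):
    handler = type("Handler", (Backend,), {"hardened": hardened, "hang_secs": hang_secs})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/login" % server.server_address[1]

def probe(base_url, user, deadline=15):
    """HTTP status, or 'timeout' when nothing arrives within `deadline` seconds."""
    url = base_url + "?" + urllib.parse.urlencode({"user": user})
    try:
        with urllib.request.urlopen(url, timeout=deadline) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except socket.timeout:
        return "timeout"
```

With a client deadline shorter than the proxy's 60-second wait, the silent path shows up as a fast `'timeout'` result instead of a delayed 504, while the hardened backend returns its 500 immediately.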