projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.

Home Page: https://github.com/projectdiscovery/nuclei


[nuclei-template] Unrestricted access to NGINX+ Dashboard

sar00n opened this issue · comments

Unrestricted access to NGINX+ Dashboard
NGINX Plus is a software load balancer, web server, and content cache built on top of open source NGINX. NGINX Plus has exclusive enterprise grade features beyond what's available in the open source offering, including session persistence, configuration via API, and active health checks.

NGINX Plus comes with a Live Activity Monitoring web based dashboard. Acunetix determined that it was possible to access this dashboard without authentication.

It's recommended to restrict access to the NGINX+ Dashboard as it may contain information that could be useful for an attacker.
Reference: https://www.acunetix.com/vulnerabilities/web/unrestricted-access-to-nginx-dashboard/

Nuclei Template:

id: nginx-dashboard

info:
  name: Nginx Dashboard
  author: BibekSapkota (sar00n)
  severity: low
  description: NGINX Plus Live Activity Monitoring dashboard is reachable without authentication.
  reference:
    - https://www.acunetix.com/vulnerabilities/web/unrestricted-access-to-nginx-dashboard/
  tags: misconfig,nginx

requests:
  - method: GET
    path:
      - "{{BaseURL}}/dashboard.html"

    # Both matchers must hit: the body names NGINX Plus and the page is served with 200.
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'NGINX Plus'

      - type: status
        status:
          - 200
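To show what the template's matcher section actually decides, here is an added example (not part of the issue and not nuclei's own code) that re-implements the `word` and `status` matchers and the `matchers-condition: and` rule in Python and runs them over constructed responses: an exposed dashboard, one behind HTTP auth, and an unrelated page. The `probe` helper uses only the standard library and is meant for checking a host you administer; the matcher-evaluation names (`Response`, `matcher_hits`, `template_matches`, `classify_all`) are assumptions of this example.

```python
"""Offline evaluation of the nginx-dashboard template's matchers (added example)."""
from dataclasses import dataclass
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Mirror of the matcher section in the issue's template (constructed here as a dict
# so the example runs without PyYAML).
TEMPLATE = {
    "path": "/dashboard.html",
    "matchers-condition": "and",
    "matchers": [
        {"type": "word", "words": ["NGINX Plus"]},
        {"type": "status", "status": [200]},
    ],
}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code and decoded body."""
    status: int
    body: str


def matcher_hits(matcher: dict, resp: Response) -> bool:
    """Evaluate one matcher. Word matchers default to 'or' across words and are
    case-sensitive, as in nuclei; status matchers check membership."""
    if matcher["type"] == "word":
        return any(word in resp.body for word in matcher["words"])
    if matcher["type"] == "status":
        return resp.status in matcher["status"]
    raise ValueError(f"unsupported matcher type: {matcher['type']}")


def template_matches(template: dict, resp: Response) -> bool:
    """Combine matcher results with matchers-condition (nuclei default is 'or')."""
    results = [matcher_hits(m, resp) for m in template["matchers"]]
    if template.get("matchers-condition", "or") == "and":
        return all(results)
    return any(results)


# Constructed sample responses; none of these came from a real host.
SAMPLES = {
    "open_dashboard": Response(200, "<title>NGINX Plus Dashboard</title>"),
    "behind_basic_auth": Response(401, "<h1>401 Authorization Required</h1>"),
    "forbidden_by_ip_acl": Response(403, "NGINX Plus dashboard: 403 Forbidden"),
    "unrelated_page": Response(200, "<title>Welcome</title>"),
}


def classify_all(samples: dict = SAMPLES) -> dict:
    """Return {sample name: True if the template would report a finding}."""
    return {name: template_matches(TEMPLATE, resp) for name, resp in samples.items()}


def probe(base_url: str, timeout: float = 5.0) -> bool:
    """Fetch <base_url>/dashboard.html from a host you administer and apply the
    template; True means the dashboard answered 200 and names NGINX Plus."""
    req = Request(base_url.rstrip("/") + TEMPLATE["path"], headers={"User-Agent": "dashboard-check"})
    try:
        with urlopen(req, timeout=timeout) as r:
            resp = Response(r.status, r.read(65536).decode("utf-8", "replace"))
    except HTTPError as e:  # 401/403/404 still carry a status and body
        resp = Response(e.code, e.read(65536).decode("utf-8", "replace"))
    except URLError:
        return False
    return template_matches(TEMPLATE, resp)


if __name__ == "__main__":
    for name, hit in classify_all().items():
        print(f"{name:22s} finding={hit}")
```

The `forbidden_by_ip_acl` sample is the instructive one: the body still contains the words `NGINX Plus`, but the `status` matcher fails, and because the condition is `and` the template correctly reports nothing, which is the behaviour you want once the dashboard is put behind an `allow`/`deny` list or HTTP authentication.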

@sar00n thank you for sharing this, this is now added here - #4318