Friday, November 10, 2023

Website security risk: Cloud Metadata Potentially Exposed

Reference:

Situation: an OWASP ZAP scan reports a High-risk alert

Risk: High
Alert: Cloud Metadata Potentially Exposed
Description: The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.
All of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field.
URL: https://xxx.com.tw/latest/meta-data/
Method: GET
Parameter: (blank)
Attack: 169.254.169.254
Evidence: (blank)
Instances: 1
Solution: Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker.
Reference: https://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/
CWE Id: (blank)
WASC Id: (blank)
Plugin Id: 90034
How to verify:
curl http://xxx.com.tw/latest/meta-data/ -H "Host: 169.254.169.254"
If the server answers this request normally (instead of rejecting it), the risk is present.

Cause:
When nginx receives a request, a client can change the Host header to an arbitrary value (e.g. 169.254.169.254); nginx may then forward the request using that value and return non-public data from the backend behind nginx.

Temporary fix: edit the nginx config and add the highlighted part (the valid_referers line inside location /):
server {
    listen 443 ssl http2;

    ssl_certificate /etc/nginx/ssl/open.iatyu.pem;
    ssl_certificate_key /etc/nginx/ssl/open.iatyu.key;
    ssl_protocols TLSv1.2;

    # other settings omitted

    location / {
        valid_referers xxx.com.tw;
        if ($invalid_referer) { return 403; }
    }
}

P.S. If this nginx proxies several web servers, put this snippet in a separate default.conf instead.

2024/2/23 update:
Another approach (valid_referers has no effect on nginx for Windows):
server {
    listen 443 ssl http2;

    ssl_certificate /etc/nginx/ssl/open.iatyu.pem;
    ssl_certificate_key /etc/nginx/ssl/open.iatyu.key;
    ssl_protocols TLSv1.2;

    # other settings omitted

    location / {
        if ($host != 'xxx.com.tw') { return 403; }
    }
}
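The following is an added example (my own code, not part of the original post) that models the two nginx rules above in Python and runs them over a few constructed requests, so you can see which requests each rule lets through before touching a live server. It approximates nginx's $host handling (Host header lowercased with any :port stripped, server_name as fallback when the header is missing) and the valid_referers matching (a Referer that starts with http:// or https:// followed by the listed host); both are simplifications of the real directives. One caveat it makes visible: valid_referers without the `none` keyword treats a missing Referer as invalid, so the first rule also returns 403 to a browser that visits xxx.com.tw directly, which is one more reason the $host rule from the 2024 update is the better fix. The host rule is generalised to an allow-list, which is what you want when one nginx fronts several sites (the P.S. above). The hostname xxx.com.tw is the placeholder from the post; `probe()` reproduces the post's curl check and only runs when the CHECK_TARGET environment variable is set, so the script works offline by default.

```python
"""Model of the two nginx rules from the post, applied to constructed requests.

Added example, not code from the original post. xxx.com.tw is the post's
placeholder hostname; the sample requests below are constructed for illustration.
"""
import http.client
import os
from typing import Dict, Mapping, Tuple

SITE = "xxx.com.tw"  # placeholder from the post


def nginx_host(headers: Mapping[str, str], server_name: str = SITE) -> str:
    """Approximate nginx's $host: Host header, lowercased, trailing :port removed;
    when the header is absent (HTTP/1.0) nginx falls back to the matched server_name."""
    raw = headers.get("Host", "")
    if not raw:
        return server_name
    host = raw.strip().lower()
    if host.startswith("["):  # IPv6 literal such as [::1]:443, keep the brackets
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.split(":", 1)[0]


def host_rule(headers: Mapping[str, str],
              allowed: frozenset = frozenset({SITE}),
              server_name: str = SITE) -> int:
    """The 2024/2/23 rule: if ($host != 'xxx.com.tw') { return 403; }
    Generalised to an allow-list for an nginx that fronts several sites."""
    return 200 if nginx_host(headers, server_name) in allowed else 403


def referer_rule(headers: Mapping[str, str], site: str = SITE) -> int:
    """The first rule: valid_referers xxx.com.tw; if ($invalid_referer) { return 403; }
    Without 'none' in the valid_referers list a missing Referer counts as invalid."""
    ref = headers.get("Referer", "").strip().lower()
    if not ref:
        return 403
    ok = any(ref == f"{scheme}://{site}" or ref.startswith(f"{scheme}://{site}/")
             for scheme in ("http", "https"))
    return 200 if ok else 403


# Constructed sample requests (header maps only; nothing is sent anywhere).
SAMPLES: Dict[str, Dict[str, str]] = {
    "browser, direct visit":        {"Host": SITE},
    "browser, link from own site":  {"Host": SITE, "Referer": f"https://{SITE}/index.html"},
    "Host with port, mixed case":   {"Host": "XXX.com.tw:443", "Referer": f"https://{SITE}/"},
    "ZAP metadata probe":           {"Host": "169.254.169.254"},
    "HTTP/1.0, no Host header":     {},
}


def evaluate(samples: Mapping[str, Mapping[str, str]] = SAMPLES) -> Dict[str, Tuple[int, int]]:
    """Return {sample name: (status under referer rule, status under $host rule)}."""
    return {name: (referer_rule(h), host_rule(h)) for name, h in samples.items()}


def probe(target: str, forged_host: str = "169.254.169.254",
          path: str = "/latest/meta-data/", https: bool = True, timeout: float = 5.0) -> int:
    """The post's curl check as a function: GET <path> on <target> with a forged
    Host header; returns the HTTP status. A 200 here means the risk is present."""
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(target, timeout=timeout)
    try:
        # http.client uses our Host header instead of generating its own
        conn.request("GET", path, headers={"Host": forged_host})
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    for name, (ref_status, host_status) in evaluate().items():
        print(f"{name:30s} referer rule: {ref_status}   $host rule: {host_status}")
    target = os.environ.get("CHECK_TARGET")  # e.g. CHECK_TARGET=xxx.com.tw
    if target:
        status = probe(target)
        print(f"forged-Host probe on {target} -> {status} "
              + ("(exposed, fix the config)" if status == 200 else "(blocked)"))
```

Run it as-is to see the table: the metadata probe gets 403 under both rules, but the direct browser visit gets 403 under the Referer rule and 200 under the $host rule. To rerun the post's curl check after deploying the config, set CHECK_TARGET to the site's hostname.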
