The document profiles Sergey Belov and discusses his background as a pentester, writer, and bug bounty hunter. It then outlines some potential ways Nginx could be used for MitM/phishing attacks, including modifying requests through reverse proxies and DNS rebinding to target internal resources. The document cautions that additional steps like DNS poisoning would be needed and that the techniques carry instability risks and should be removed from security reports.

1. Sergey Belov

2. •
Pentester in Digital Security / ERPScan;
•
Writer (habrahabr.ru, “Xakep”);
•
CTF Player;
•
Bug bounty member (Google, Yandex);
•
bugscollector.com creator.

3. •
Very easy
•
0$
•
Not mentioned in the wild

4. NGinx – reverse proxy

5. php-fpm
Client
Nginx
Apache

6. attacker.com
Client
php-fpm
Nginx
Apache
vuln.com
??? http server

7. Step 1
location / {
proxy_pass
http://vuln.com;
proxy_set_header X-Real-IP $remote_addr;
}
}

8. Step 2



proxy_set_header Host “vuln.com";
sub_filter ‘vuln.com' ‘attacker.com';
sub_filter_once off;

10. Phishing

11. NGinx – tool for MitM/phishing?





+ Identical design
+ Fully functional working
+ Logging all data (POST/GET)
+ Add custom JS/HTML
- Another domain (DNS poising / router
hacking, malware, evil apn config e.t.c.)

12. Pentest
 Random exploit’s?
 Change response data (rights of social
networks apps)
 Change apps swf -> java (exploit)
 ???

13. DNS rebinding

14. • -Another domain
• - Very unstable
• + Can attack internal resources

15. Internal, not external!

16. C:UsersBeLove>ping www.ya.ru
Обмен пакетами с ya.ru [87.250.250.203] с 32 байтами данных

17. Remove it from:
• Pentester’s reports
• Most famous security scanners

18. Thanks!
demo:
http://zn.sergeybelove.ru
http://twitter.com/sergeybelove