mirror of https://github.com/yandex/gixy
Merge 1f3c7b7ac5 into 6f68624a75
anshil
GitHub
commit
b3b10e8352
70
README.md
70
README.md
|
|
@ -9,29 +9,50 @@ GIXY
|
|||
# Overview
|
||||
<img align="right" width="192" height="192" src="/docs/logo.png">
|
||||
|
||||
Gixy is a tool to analyze Nginx configuration.
|
||||
The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
|
||||
Gixy is a tool for analyzing Nginx configurations, designed to help administrators, security engineers, and developers detect and mitigate security risks before they become critical vulnerabilities.
|
||||
|
||||
Currently supported Python versions are 2.7, 3.5, 3.6 and 3.7.
|
||||
Its primary goal is to prevent security misconfigurations by identifying unsafe directives, improper access controls, and other configuration flaws that could expose systems to attacks. Gixy also automates flaw detection, allowing users to efficiently audit their Nginx configurations without manual inspection.Gixy helps strengthen the security posture of web applications and services that rely on Nginx. Whether used in CI/CD pipelines, manual audits, or automated security testing, Gixy provides a robust solution for securing Nginx environments.
|
||||
|
||||
Disclaimer: Gixy is well tested only on GNU/Linux, other OSs may have some issues.
|
||||
**Supported Python versions**: 2.7, 3.5, 3.6 and 3.7
|
||||
|
||||
# What it can do
|
||||
Right now Gixy can find:
|
||||
* [[ssrf] Server Side Request Forgery](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)
|
||||
* [[http_splitting] HTTP Splitting](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)
|
||||
* [[origins] Problems with referrer/origin validation](https://github.com/yandex/gixy/blob/master/docs/en/plugins/origins.md)
|
||||
* [[add_header_redefinition] Redefining of response headers by "add_header" directive](https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md)
|
||||
* [[host_spoofing] Request's Host header forgery](https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md)
|
||||
* [[valid_referers] none in valid_referers](https://github.com/yandex/gixy/blob/master/docs/en/plugins/validreferers.md)
|
||||
* [[add_header_multiline] Multiline response headers](https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheadermultiline.md)
|
||||
* [[alias_traversal] Path traversal via misconfigured alias](https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md)
|
||||
**OS Compability**: GNU/Linux, macOS, Windows
|
||||
|
||||
You can find things that Gixy is learning to detect at [Issues labeled with "new plugin"](https://github.com/yandex/gixy/issues?q=is%3Aissue+is%3Aopen+label%3A%22new+plugin%22)
|
||||
**Disclaimer**: Gixy is well tested only on GNU/Linux, other Operating Systems may have some issues.
|
||||
|
||||
# Functionality
|
||||
Currently, Gixy can find: (Click on the links if you want more information on the topics)
|
||||
* [ssrf] Server Side Request Forgery
|
||||
* Detects improper handling of user-supplied URLs
|
||||
* (https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)
|
||||
* [http_splitting] HTTP Splitting
|
||||
* Identifies improperly handled user-controlled headers that could lead to HTTP header injection and response splitting attacks
|
||||
* (https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)
|
||||
* [origins] Problems with referrer/origin validation
|
||||
* Checks for incorrect validation of Referer or Origin headers in security-sensitive requests
|
||||
* (https://github.com/yandex/gixy/blob/master/docs/en/plugins/origins.md)
|
||||
* [add_header_redefinition] Redefining of response headers by "add_header" directive
|
||||
* Detects multiple definitions of response headers using add_header
|
||||
* (https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md)
|
||||
* [host_spoofing] Request's Host header forgery
|
||||
* Detects scenarios where an attacker can spoof the Host header
|
||||
* (https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md)
|
||||
* [valid_referers] none in valid_referers
|
||||
* Identifies misconfigurations in valid_referers
|
||||
* (https://github.com/yandex/gixy/blob/master/docs/en/plugins/validreferers.md)
|
||||
* [[add_header_multiline] Multiline response headers]
|
||||
* Detects vulnerabilities caused by multi-line response headers,
|
||||
* (https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheadermultiline.md)
|
||||
* [alias_traversal] Path traversal via misconfigured alias
|
||||
* Identifies potential directory traversal vulnerabilities caused by incorrect use of the alias directive
|
||||
* (https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md)
|
||||
|
||||
🔧 Want to see what’s coming next? [Issues labeled with "new plugin"](https://github.com/yandex/gixy/issues?q=is%3Aissue+is%3Aopen+label%3A%22new+plugin%22)
|
||||
|
||||
# Installation
|
||||
Gixy is distributed on [PyPI](https://pypi.python.org/pypi/gixy). The best way to install it is with pip:
|
||||
```bash
|
||||
python3 -m venv gixy_env
|
||||
source gixy_env/bin/activate
|
||||
pip install gixy
|
||||
```
|
||||
|
||||
|
|
@ -39,11 +60,18 @@ Run Gixy and check results:
|
|||
```bash
|
||||
gixy
|
||||
```
|
||||
|
||||
To verify installation, run:
|
||||
```bash
|
||||
gixy --version
|
||||
```
|
||||
# Usage
|
||||
By default Gixy will try to analyze Nginx configuration placed in `/etc/nginx/nginx.conf`.
|
||||
Basic Scan
|
||||
|
||||
By default Gixy will try to analyze Nginx configuration placed in `/etc/nginx/nginx.conf`.
|
||||
But you can always specify needed path:
|
||||
|
||||
Example Output:
|
||||
|
||||
```
|
||||
$ gixy /etc/nginx/nginx.conf
|
||||
|
||||
|
|
@ -94,12 +122,18 @@ Or something else, you can find all other `gixy` arguments with the help command
|
|||
Gixy is available as a Docker image [from the Docker hub](https://hub.docker.com/r/yandex/gixy/). To
|
||||
use it, mount the configuration that you want to analyse as a volume and provide the path to the
|
||||
configuration file when running the Gixy image.
|
||||
|
||||
**Scan a Configuration File**
|
||||
|
||||
```
|
||||
$ docker run --rm -v `pwd`/nginx.conf:/etc/nginx/conf/nginx.conf yandex/gixy /etc/nginx/conf/nginx.conf
|
||||
```
|
||||
|
||||
If you have an image that already contains your nginx configuration, you can share the configuration
|
||||
with the Gixy container as a volume.
|
||||
|
||||
**Scan a Running Nginx Container**
|
||||
|
||||
```
|
||||
$ docker run --rm --name nginx -d -v /etc/nginx
|
||||
nginx:alpinef68f2833e986ae69c0a5375f9980dc7a70684a6c233a9535c2a837189f14e905
|
||||
|
|
@ -127,3 +161,5 @@ Contributions to Gixy are always welcome! You can help us in different ways:
|
|||
Code guidelines:
|
||||
* Python code style should follow [pep8](https://www.python.org/dev/peps/pep-0008/) standards whenever possible;
|
||||
* Pull requests with new plugins must have unit tests for it.
|
||||
* Follow pre-use code sytle
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue