6e84bda60d
|
||
|---|---|---|
| docs | ||
| gixy | ||
| rpm | ||
| tests | ||
| .dockerignore | ||
| .editorconfig | ||
| .gitignore | ||
| .travis.yml | ||
| AUTHORS | ||
| CONTRIBUTING.md | ||
| Dockerfile | ||
| LICENSE | ||
| MANIFEST.in | ||
| Makefile | ||
| README.RU.md | ||
| README.md | ||
| requirements.dev.txt | ||
| requirements.txt | ||
| setup.py | ||
| tox.ini | ||
README.md
GIXY
Overview
Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
Currently supported Python versions are 2.7 and 3.5+.
Disclaimer: Gixy is well tested only on GNU/Linux, other OSs may have some issues.
What it can do
Right now Gixy can find:
- [ssrf] Server Side Request Forgery
- [http_splitting] HTTP Splitting
- [origins] Problems with referrer/origin validation
- [add_header_redefinition] Redefining of response headers by "add_header" directive
- [host_spoofing] Request's Host header forgery
- [valid_referers] none in valid_referers
- [add_header_multiline] Multiline response headers
You can find things that Gixy is learning to detect at Issues labeled with "new plugin"
Installation
Gixy is distributed on PyPI. The best way to install it is with pip:
pip install gixy
Run Gixy and check results:
gixy
Usage
By default Gixy will try to analyze Nginx configuration placed in /etc/nginx/nginx.conf.
But you can always specify needed path:
$ gixy /etc/nginx/nginx.conf
==================== Results ===================
Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/ru/plugins/httpsplitting.md
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;
server {
location ~ /v1/((?<action>[^.]*)\.json)?$ {
add_header X-Action $action;
}
}
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 1
Or skip some tests:
$ gixy --skips http_splitting /etc/nginx/nginx.conf
==================== Results ===================
No issues found.
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 0
Or something else, you can find all other gixy arguments with the help command: gixy --help
Contributing
Contributions to Gixy are always welcome! You can help us in different ways:
- Open an issue with suggestions for improvements and errors you're facing;
- Fork this repository and submit a pull request;
- Improve the documentation.
Code guidelines:
- Python code style should follow pep8 standards whenever possible;
- Pull requests with new plugins must have unit tests for it.