The document profiles Sergey Belov and discusses his background as a pentester, writer, and bug bounty hunter. It then outlines potential ways Nginx could be used for MitM/phishing attacks, including setting up a reverse proxy to intercept and modify requests, and discusses challenges like requiring another domain or IP and instability. The document cautions that DNS rebinding could allow attacking internal resources but is very unstable. It concludes by thanking the reader and providing demo URLs.

1. Sergey Belov

2. •
Pentester in Digital Security / ERPScan;
•
Writer (habrahabr.ru, “Xakep”);
•
CTF Player;
•
Bug bounty member (Google, Yandex);
•
bugscollector.com creator.

3. •
Very easy
•
0$
•
Not mentioned in the wild

4. NGinx – reverse proxy

5. php-fpm
Client
Nginx
Apache

6. attacker.com
Client
php-fpm
Nginx
Apache
vuln.com
??? http server

7. Step 1
location / {
proxy_pass
http://vuln.com;
proxy_set_header X-Real-IP $remote_addr;
}
}

8. Step 2



proxy_set_header Host “vuln.com";
sub_filter ‘vuln.com' ‘attacker.com';
sub_filter_once off;

10. Phishing

11. NGinx – tool for MitM/phishing?





+ Identical design
+ Fully functional working
+ Logging all data (POST/GET)
+ Add custom JS/HTML
- Another domain (DNS poising / router
hacking, malware, evil apn config e.t.c.)

12. Pentest
 Random exploit’s?
 Change response data (rights of social
networks apps)
 Change apps swf -> java (exploit)
 ???

13. DNS rebinding

14. • -Another domain
• - Very unstable
• + Can attack internal resources

15. Internal, not external!

16. C:UsersBeLove>ping www.ya.ru
Обмен пакетами с ya.ru [87.250.250.203] с 32 байтами данных

17. Remove it from:
• Pentester’s reports
• Most famous security scanners

18. Thanks!
demo:
http://zn.sergeybelove.ru
http://twitter.com/sergeybelove