I would like to share a common mistake in Nginx configuration that can lead to an authentication bypass. We are going to try to bypass Nginx mutual (client-certificate) authentication.
Below is the Nginx configuration that we are going to examine for the bypass.
We can see from the above configuration that requests to /manager/html, /admin/dashboard and /host-manager/html go through the mutual authentication check first. If the client does not present the required certificate, a 403 error is returned.
Based on the research presented at Black Hat USA 2018 (https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf), the two servers (Nginx and Tomcat) parse the HTTP request path differently, which leads to the known behaviour listed below.
As we know, accessing the Tomcat admin page at https://domain/manager/html requires mutual authentication, as shown in the Nginx configuration. According to the parsing behaviour above, we can make a small change to the HTTP request so that it no longer matches the /manager/html location in Nginx: the request path /manager;name=orange/html/ is not matched by Nginx, but it is passed on to Tomcat, which strips the path parameter and interprets it as /manager/html.
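The parser gap described above, as an added example that is not part of the original post: a simplified model of Nginx prefix matching on the raw path next to a simplified model of Tomcat's path-parameter stripping, plus the check a defender actually wants, which is the access decision taken on the normalized path. The protected prefixes are taken from the post; the normalization rules are a deliberately reduced approximation of Tomcat and are an assumption of this example.

```python
# Simplified models (assumptions of this example, not Nginx or Tomcat code).
PROTECTED_PREFIXES = ("/manager/html", "/admin/dashboard", "/host-manager/html")


def nginx_like_match(path: str) -> bool:
    """Nginx-style prefix location match on the raw request path.

    Nginx does not strip ';param=value' path parameters, so the raw path
    is compared literally against the protected prefixes.
    """
    return path.startswith(PROTECTED_PREFIXES)


def tomcat_like_normalize(path: str) -> str:
    """Reduced model of what Tomcat sees after parsing the same path.

    Assumed rules: every ';...' path parameter is dropped from each
    segment, and a single trailing slash maps to the same servlet as the
    path without it (e.g. /manager/html/ -> /manager/html).
    """
    segments = [segment.split(";", 1)[0] for segment in path.split("/")]
    normalized = "/".join(segments)
    if len(normalized) > 1 and normalized.endswith("/"):
        normalized = normalized.rstrip("/")
    return normalized


def parser_gap(path: str):
    """Return (nginx_protected, tomcat_target, bypass).

    bypass is True when the front end lets the raw path through but the
    back end resolves it to a protected resource: exactly the mismatch
    the post describes.
    """
    nginx_protected = nginx_like_match(path)
    tomcat_target = tomcat_like_normalize(path)
    return nginx_protected, tomcat_target, (
        nginx_like_match(tomcat_target) and not nginx_protected
    )


def protected_after_normalization(path: str) -> bool:
    """The check the front end should be making: decide on the normalized path."""
    return nginx_like_match(tomcat_like_normalize(path))
```

Running the post's request path through parser_gap shows the mismatch (Nginx: not protected, Tomcat: /manager/html), while protected_after_normalization flags it as protected; the front-end policy has to be applied to the form the back end will actually resolve, not to the literal prefix.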
Adding authentication is always good, but you have to know the behaviour of each technology, its strengths and weaknesses, to ensure the configuration actually enforces what we expect.