Nginx and Tomcat Mutual Auth Bypass

I would like to share a common mistake on Nginx configuration which could lead to authentication bypass. We are going to try to bypass Nginx mutual authentication

Below is the Nginx configuration that we are going to explore for exploitation

We can see from the above configuration that accessing /manager/html, /admin/dashboard and /host-manager/html would go to the mutual authentication check first. if the client does not provide the required certificate then error 403 will be returned

Based on the research from this blackhat that the two server (Nginx and Tomcat) will parse the http request differently thus lead to the known behaviour as below list


As we know that when we tried to access the tomcat admin page at https://domain/manager/html would required mutual authentication as shown in the Nginx configuration. According to the above parsing behaviour, We can do a little manipulation on the http request in order not to match with the url /manager/html in the Nginx with this http request /manager;name=orange/html/ where then be passed to the tomcat which to be interpreted as /manager/html


Making authentication is always good but you have to know the behaviour of each technology the strength and weaknesess to ensure the configuration that we expect will run properly.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s