Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
438 views
in Technique[技术] by (71.8m points)

etag - Nginx Inode Information Leakage

I came across a word in the Burp Suite response section that I had never seen or noticed before. ETag. I did some research on what this was, but unfortunately I couldn't understand anything because I was not knowledgeable in the theoretical part of the job.

As time progresses, I will learn what ETag is. But what I want to ask now is a little different.

The two values ??in the Burp Suite request are:

If-Modified-Since: Wed, 30 Dec 2020 08:46:04 GMT
If-None-Match: W / "5f ***** c-d **" (I hid it on purpose)

And this one in response:

ETag: "5f ***** c-d **"

Note: Server: nginx / 1.14.0 (Ubuntu)

Is this a vulnerability? If it is a vulnerability, how can attackers take advantage of it?

I am very curious if this is indeed a reportable thing.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

The inode is the server's internal information specific to a file, so many security scanning software would report this as a vulnerability.

However, there is very little information you can find on the web on how this can translate to a real hack. It may assist in discovering things that a file A is a hard-link (same file, on the same filesystem) as a file B, not much more.

Apache at one point included the inode of a file as part of the value of the ETag header (which is configurable and possible to disable). Apache stopped this inclusion by default since version 2.4. NGINX itself never used the inode of a file as part of its ETag header.

However, security scanning software would still report NGINX as leaking inode info just because they never know whether it's proxying old Apache or other software that actually leaks inode info.

So you can say it's a false positive if you are running an NGINX-only setup. And if you don't, you can still say that it is false positive, because "OK, this is internal to the server, but nobody ever was able to do anything with it".


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...