Reverse proxy bypass techniques

1. The %2f bypass technique

The string %2f decodes to a slash character (/) when interpreted as a URL-encoded string. It is the basis of a classic path normalization attack, which exploits the way different layers of a web stack (e.g. a reverse proxy and the backend server) interpret the same URL.

Case study

case study details @8:40

Without bypass

Request:

Response:

  • This is likely because the reverse proxy sees swagger-init.js and either recognises it as a matched sensitive file or matches on the trailing .js extension

    • Automatically redirects to a route that serves a static file (index.html)

With bypass

Request:

Response:

  • The reverse proxy sees the value swagger-init.js%2f, and interprets it as a plain string value

  • Since it does not match any known sensitive .js files, it passes it on to the API backend server

  • The backend server URL-decodes:

    • /api/services/swagger-ui/swagger-init.js%2f -> /api/services/swagger-ui/swagger-init.js/

    • /api/services/swagger-ui/swagger-init.js/ does not exist as a directory -> returns the static file instead: /api/services/swagger-ui/swagger-init.js

  • Hence, we have managed to bypass the reverse proxy security verifications
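As an added illustration (not part of the original notes): a small Python model of the two layers described above, with a hardened proxy check that canonicalizes the path the same way the backend does before matching. The ".js suffix" rule and the swagger paths are assumptions taken from the case study.

```python
"""Model of the %2f normalization gap: a proxy that matches on the raw path
versus a backend that percent-decodes and normalizes, plus a hardened check."""
from urllib.parse import unquote
import posixpath

# Constructed for this example: the proxy treats static .js files as "sensitive".
SENSITIVE_SUFFIXES = (".js",)


def decode_fully(raw_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded, so %25-nesting
    cannot loop forever). Handles %2f as well as double-encoded %252f."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def backend_resolves(raw_path: str) -> str:
    """Model of the backend: decode, then normalize. posixpath.normpath drops a
    trailing slash ('/x.js/' -> '/x.js') and collapses '..' segments."""
    return posixpath.normpath(decode_fully(raw_path))


def naive_proxy_blocks(raw_path: str) -> bool:
    """Weak proxy rule from the case study: matches on the raw, still-encoded path."""
    return raw_path.endswith(SENSITIVE_SUFFIXES)


def hardened_proxy_blocks(raw_path: str) -> bool:
    """Fix: canonicalize exactly as the backend will, then apply the same rule,
    so the two layers can no longer disagree about what the request names."""
    return backend_resolves(raw_path).endswith(SENSITIVE_SUFFIXES)


def layers_disagree(raw_path: str) -> bool:
    """Detection signal worth logging at the proxy: the naive rule and the
    canonical rule reach different verdicts for the same request."""
    return naive_proxy_blocks(raw_path) != hardened_proxy_blocks(raw_path)
```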

Summary

Feature             | Normal request                      | %2f bypass request
--------------------|-------------------------------------|-----------------------------------------
Status code         | 301/302 (redirect)                  | 200 OK
Source of file      | Frontend static server              | API backend server (not sanitized)
Security risk       | Minimal (publicly accessible files) | High (potentially protected files)
Further enumeration | -                                   | E.g. test for path traversal (%2f..%2f)
