Nice. Link to the whitepaper: https://bahruz.me/papers/ccs2021treqs.pdf

I only skimmed very quickly to look for which server setups they found new vulnerabilities for, and it looked like they tested a 2D matrix of popular webservers/caches/reverse-proxies with each other? Which is neat for automation, but in the real world I'm not usually going to be running haproxy behind nginx or vice versa. I'd be much more interested in findings for popular webserver->appserver setups, e.g., nginx in front of gunicorn/django.

I've definitely seen people do nginx+haproxy setups in the real world.

Sure, I'm not saying it doesn't happen or that there's no reason to do it; I just think that in practical terms the much more widespread attack surface area would be interaction between one of these and common application servers.

Tomcat in front of anything else (Apache, Nginx) is a common combination they tested. This is for a Java application with a webserver frontend that's enforcing rules/caching/authentication.

The grammar is pretty great.

