Top Related Projects
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
Application Security Verification Standard
⚙️ NGINX config generator on steroids 💉
Quick Overview
Gixy is a tool for static analysis of Nginx configuration files. It helps identify security and performance issues in Nginx configurations so that misconfigurations can be detected and fixed before they reach production.
Pros
- Security Focused: Gixy is designed to identify security vulnerabilities in Nginx configurations, helping to improve the overall security of web applications.
- Performance Optimization: The tool can also detect performance issues, such as inefficient configuration settings, that can impact the performance of a web application.
- Extensible: Gixy is designed to be extensible, with the ability to add custom checks and rules to suit the specific needs of an organization.
- Open-Source: Gixy is an open-source project, allowing for community contributions and collaboration.
Cons
- Limited to Nginx: Gixy is specifically designed for Nginx configurations and does not support other web servers or application servers.
- Complexity: Configuring and using Gixy may require some technical expertise, as it involves understanding Nginx configuration syntax and the specific checks and rules implemented by the tool.
- Potential for False Positives: Like any static analysis tool, Gixy may sometimes report issues that are not actually problematic, requiring manual review and validation.
- Maintenance Overhead: Keeping Gixy up-to-date with the latest Nginx features and security best practices may require ongoing maintenance and updates.
Code Examples
N/A (Gixy is not a code library)
Getting Started
To get started with Gixy, follow these steps:
- Install Gixy using pip:
    pip install gixy
- Run Gixy on your Nginx configuration file:
    gixy /path/to/nginx.conf
  Gixy will analyze the configuration file and report any issues it finds. You can customize the output format and the specific checks to be performed using command-line options:
    gixy --format=json /path/to/nginx.conf
    gixy --checks=security,performance /path/to/nginx.conf
- Review the reported issues and make the necessary changes to your Nginx configuration to address them.
- (Optional) Configure Gixy to run as part of your continuous integration or deployment process to catch issues early in the development lifecycle.
For more detailed information on using Gixy, including how to write custom checks and rules, please refer to the project's documentation.
Competitor Comparisons
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
Pros of OWASP/CheatSheetSeries
- Comprehensive collection of security best practices and guidelines
- Regularly updated to reflect the latest security trends and vulnerabilities
- Provides a valuable resource for developers, security professionals, and organizations
Cons of OWASP/CheatSheetSeries
- Less focused on automated security testing compared to Gixy
- May require more manual effort to apply the recommendations to specific projects
- Lacks the ability to integrate with CI/CD pipelines like Gixy
Code Comparison
Gixy (yandex/gixy):
    def run(self, config):
        """
        Run Gixy on the specified configuration.
        """
        self.config = config
        self.plugins = self.load_plugins()
        self.results = []
        for plugin in self.plugins:
            self.results.extend(plugin.check(config))
        return self.results
OWASP/CheatSheetSeries:
# Password Storage Cheat Sheet
# OWASP Recommendation
Use a modern, standardized, and widely-adopted key derivation function (KDF) such as Argon2, Bcrypt, or PBKDF2 with a work factor that is appropriate for your application's security requirements.
The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
Pros of OWASP/wstg
- Comprehensive coverage of web application security testing guidelines
- Widely recognized and respected as an industry standard
- Regularly updated to keep pace with evolving security threats
Cons of OWASP/wstg
- Primarily focused on manual testing, less emphasis on automated tools
- Can be overwhelming for beginners due to the sheer volume of content
- May not provide in-depth technical guidance for specific vulnerabilities
Code Comparison
Gixy (yandex/gixy):
    def check_nginx_config(config_file):
        """
        Check Nginx configuration file for potential security issues.
        """
        try:
            with open(config_file, 'r') as f:
                config = f.read()
        except IOError:
            return []
        issues = []
        # Perform various checks on the Nginx configuration
        # ...
        return issues
WSTG (OWASP/wstg):
    import requests

    def test_for_cross_site_scripting_vulnerabilities(url):
        """
        Test a web application for cross-site scripting (XSS) vulnerabilities.
        """
        try:
            response = requests.get(url)
            if '<script>' in response.text:
                return 'XSS vulnerability found'
        except requests.exceptions.RequestException:
            return 'Error testing for XSS'
        return 'No XSS vulnerability found'
The key differences are that Gixy is a tool focused on automated Nginx configuration analysis, while WSTG provides guidelines and recommendations for manual web application security testing, including the detection of XSS vulnerabilities.
Application Security Verification Standard
Pros of OWASP/ASVS
- Comprehensive security standard covering a wide range of web application security requirements
- Widely recognized and adopted in the security community
- Provides detailed guidance and best practices for secure software development
Cons of OWASP/ASVS
- Can be complex and time-consuming to fully implement
- May not be directly applicable to all types of web applications
- Requires significant effort and resources to maintain compliance
Code Comparison
OWASP/ASVS:
# Requirement 6.4.1: Verify that the application does not use insecure deserialization.
6.4.1 Verify that the application does not deserialize hostile or tampered objects supplied by an attacker.
yandex/gixy:
    def check_insecure_deserialization(self, config):
        """
        Checks for insecure deserialization vulnerabilities.
        """
        if 'load' in config.directives:
            self.add_issue(
                'Insecure deserialization',
                'Deserialization of untrusted data can lead to remote code execution.'
            )
⚙️ NGINX config generator on steroids 💉
Pros of nginxconfig.io
- Provides a user-friendly web interface for generating NGINX configuration files, making it more accessible for non-technical users.
- Offers a wide range of pre-configured templates for common use cases, such as WordPress, Magento, and more.
- Generates downloadable configuration files that can be easily integrated into NGINX-based projects.
Cons of nginxconfig.io
- Focuses primarily on generating NGINX configurations, while Gixy provides a more comprehensive set of tools for analyzing and testing NGINX configurations.
- May not offer the same level of customization and flexibility as manually editing NGINX configuration files.
- Limited to NGINX-specific configurations, while Gixy can be used to analyze a broader range of web server configurations.
Code Comparison
Gixy (yandex/gixy):
    def check_directive(self, directive, context):
        """
        Check directive for issues.
        :param directive: Directive object
        :param context: Context object
        :return: List of issues
        """
        issues = []
        for check in self.checks:
            if check.applicable(directive, context):
                issues.extend(check.check(directive, context))
        return issues
nginxconfig.io (digitalocean/nginxconfig.io):
    function generateConfig() {
        const config = {
            server: {
                listen: '80',
                server_name: 'example.com',
                root: '/var/www/html',
                index: 'index.php index.html',
                // ...
            }
        };
        // Generate NGINX configuration based on user input
        return generateNginxConfig(config);
    }
README
GIXY
Overview

Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.
Currently supported Python versions are 2.7, 3.5, 3.6 and 3.7.
Disclaimer: Gixy is well tested only on GNU/Linux; other OSs may have some issues.
What it can do
Right now Gixy can find:
- [ssrf] Server Side Request Forgery
- [http_splitting] HTTP Splitting
- [origins] Problems with referrer/origin validation
- [add_header_redefinition] Redefining of response headers by "add_header" directive
- [host_spoofing] Request's Host header forgery
- [valid_referers] none in valid_referers
- [add_header_multiline] Multiline response headers
- [alias_traversal] Path traversal via misconfigured alias
Checks that Gixy is still learning to detect are tracked in the issues labeled "new plugin".
Installation
Gixy is distributed on PyPI. The best way to install it is with pip:
pip install gixy
Run Gixy and check results:
gixy
Usage
By default Gixy will try to analyze the Nginx configuration placed in /etc/nginx/nginx.conf. But you can always specify the needed path:
$ gixy /etc/nginx/nginx.conf
==================== Results ===================
Problem: [http_splitting] Possible HTTP-Splitting vulnerability.
Description: Using variables that can contain "\n" may lead to http injection.
Additional info: https://github.com/yandex/gixy/blob/master/docs/ru/plugins/httpsplitting.md
Reason: At least variable "$action" can contain "\n"
Pseudo config:
include /etc/nginx/sites/default.conf;

	server {
		location ~ /v1/((?<action>[^.]*)\.json)?$ {
			add_header X-Action $action;
		}
	}
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 1
Or skip some tests:
$ gixy --skips http_splitting /etc/nginx/nginx.conf
==================== Results ===================
No issues found.
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 0
You can find all other gixy arguments with the help command: gixy --help
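To make the two findings discussed above concrete (the [http_splitting] issue from the sample output, where a named capture group such as $action may contain "\n", and the [alias_traversal] issue from the plugin list), here is a small Python script. It is an added example for this page, not Gixy's own code: it uses a deliberately simplified nginx parser (no include resolution, no braces or semicolons inside quoted values or regexes) and implements only these two checks, on two constructed configurations, one vulnerable and one hardened.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Block:
    """One nginx block ("server", "location", ...) with its directives and nested blocks."""
    name: str
    args: list[str]
    directives: list[tuple[str, list[str]]] = field(default_factory=list)
    children: list["Block"] = field(default_factory=list)


# One statement per match: a closing brace, or words followed by "{" (block) or ";" (directive).
_STATEMENT = re.compile(r"\s*(?:(\})|([^;{}]+?)\s*(\{|;))", re.S)


def parse(text: str) -> Block:
    """Parse a subset of nginx syntax into a Block tree (simplification: no '{', '}' or ';'
    inside quoted values or location regexes, and no 'include' resolution)."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments
    root = Block("root", [])
    stack = [root]
    pos = 0
    while (m := _STATEMENT.match(text, pos)):
        pos = m.end()
        if m.group(1):  # "}" closes the innermost open block
            if len(stack) == 1:
                raise ValueError("unexpected '}' in configuration")
            stack.pop()
            continue
        words = m.group(2).split()
        if m.group(3) == "{":
            block = Block(words[0], words[1:])
            stack[-1].children.append(block)
            stack.append(block)
        else:
            stack[-1].directives.append((words[0], words[1:]))
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def _class_allows_newline(char_class: str) -> bool:
    """Can a character class such as [^.] or [\\s\\S] match a newline?"""
    body = char_class[1:-1]
    if body.startswith("^"):  # negated class: newline allowed unless explicitly excluded
        return "\\n" not in body and "\\s" not in body
    return "\\n" in body or "\\s" in body  # positive class: newline only if listed


def _unsafe_captures(location_regex: str) -> set[str]:
    """Named capture groups (PCRE (?<name>[...]) syntax) whose class can contain '\\n'."""
    groups = re.findall(r"\(\?<(\w+)>(\[[^\]]*\])", location_regex)
    return {name for name, cls in groups if _class_allows_newline(cls)}


def check_http_splitting(loc: Block) -> list[str]:
    """Flag add_header values built from a capture group that may contain a newline."""
    if len(loc.args) < 2 or loc.args[0] not in ("~", "~*"):
        return []
    unsafe = _unsafe_captures(loc.args[1])
    issues = []
    for name, args in loc.directives:
        if name != "add_header" or len(args) < 2:
            continue
        for var in sorted(set(re.findall(r"\$(\w+)", " ".join(args[1:])))):
            if var in unsafe:
                issues.append(f"[http_splitting] add_header {args[0]} uses ${var}, which may contain a newline")
    return issues


def check_alias_traversal(loc: Block) -> list[str]:
    """Flag alias inside a prefix location whose path has no trailing slash."""
    if not loc.args or loc.args[0] in ("~", "~*", "="):
        return []
    path = loc.args[-1]  # covers both "location /path" and "location ^~ /path"
    has_alias = any(name == "alias" for name, _ in loc.directives)
    if has_alias and not path.endswith("/"):
        return [f"[alias_traversal] location {path} uses alias without a trailing slash; "
                "requests can escape the aliased directory"]
    return []


def analyze(text: str) -> list[str]:
    """Run both checks over every location block and return the findings."""
    issues: list[str] = []

    def walk(block: Block) -> None:
        if block.name == "location":
            issues.extend(check_http_splitting(block))
            issues.extend(check_alias_traversal(block))
        for child in block.children:
            walk(child)

    walk(parse(text))
    return issues


# Constructed sample configs (not from any real deployment): the first carries both
# misconfigurations, the second excludes "\n" from the capture and adds the trailing slash.
VULNERABLE_CONF = r"""
server {
    listen 80;
    location ~ /v1/((?<action>[^.]*)\.json)?$ {
        add_header X-Action $action;
    }
    location /static {
        alias /var/www/static/;
    }
}
"""

HARDENED_CONF = r"""
server {
    listen 80;
    location ~ /v1/((?<action>[^.\n]*)\.json)?$ {
        add_header X-Action $action;
    }
    location /static/ {
        alias /var/www/static/;
    }
}
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        found = analyze(conf)
        print(f"{label}: {len(found)} issue(s)")
        for issue in found:
            print("  " + issue)
```

Running the script reports two issues for the vulnerable configuration and none for the hardened one. Gixy itself tracks variables across contexts and covers more directives than add_header, so treat this as an illustration of the detection idea, not a replacement for running gixy on the real configuration.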
Docker usage
Gixy is available as a Docker image from the Docker hub. To use it, mount the configuration that you want to analyse as a volume and provide the path to the configuration file when running the Gixy image.
$ docker run --rm -v `pwd`/nginx.conf:/etc/nginx/conf/nginx.conf yandex/gixy /etc/nginx/conf/nginx.conf
If you have an image that already contains your nginx configuration, you can share the configuration with the Gixy container as a volume.
$ docker run --rm --name nginx -d -v /etc/nginx nginx:alpine
f68f2833e986ae69c0a5375f9980dc7a70684a6c233a9535c2a837189f14e905
$ docker run --rm --volumes-from nginx yandex/gixy /etc/nginx/nginx.conf
==================== Results ===================
No issues found.
==================== Summary ===================
Total issues:
Unspecified: 0
Low: 0
Medium: 0
High: 0
Contributing
Contributions to Gixy are always welcome! You can help us in different ways:
- Open an issue with suggestions for improvements and errors you're facing;
- Fork this repository and submit a pull request;
- Improve the documentation.
Code guidelines:
- Python code style should follow PEP 8 standards whenever possible;
- Pull requests with new plugins must include unit tests for them.