Reverse Proxy Misconfig Checklist Goal Identify whether proxy and backend behavior create trust-boundary bugs, parser confusion, header abuse, or unintended routing exposure. Assumptions one or more reverse proxies, CDNs, or load balancers sit in front of the app headers may be added, stripped, or trusted inconsistently proxy/backend parsing differences can create security issues Prerequisites visibility into requests and responses ability to send crafted headers and observe behavior rough understanding of the request chain Recon steps Identify all request hops if possible. Compare externally visible behavior with backend expectations. Record proxy-added headers and route behaviors. Exploit / test steps Test header trust: X-Forwarded-For, X-Real-IP, host-related headers. Observe whether direct backend access also exists. Check routing and path normalization differences. Probe for request parsing ambiguity where appropriate. Inspect health, debug, or alternate virtual host exposure. Validation clues attacker-controlled forwarding headers influence security decisions proxy and backend disagree on request interpretation backends are reachable directly outside the intended front door hidden paths or routing behaviors appear through proxy quirks Mitigation define a clear trusted proxy boundary normalize or reject ambiguous requests restrict direct backend exposure centralize and review forwarding/header trust policy patch and test the whole chain consistently Logging / detection unexpected forwarding-header values malformed request patterns traffic bypassing expected entrypoints inconsistencies between edge and backend logs Related notes reverse-proxies request-smuggling client-ip-trust load-balancers References Testing / Lab: PortSwigger request smuggling topic — https://portswigger.net/web-security/request-smuggling Research / Deep Dive: PortSwigger Research — https://portswigger.net/research Foundational: MDN HTTP messages — https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Messages ← PreviousInvestigate SSRFNext →Run External Recon Scan Pipeline Explore nearby notes Security PlaybooksBreak JWT ValidationIdentify whether JWT handling is weak enough to allow acceptance of invalid, stale, mis-scoped, or attacker-influenced tokens. Security PlaybooksDetect DCSync and ntds.dit AccessDetect both forms of bulk Active Directory credential extraction — **DCSync** (IDL_DRSGetNCChanges via the DRSUAPI RPC interface) and **offline ntds.dit... Security PlaybooksDetect External Recon Scan PipelineDetect an external operator running a two-phase Masscan → Nmap-NSE recon pipeline (the offense playbook run-scan-pipeline) against your perimeter, with high enough... Security PlaybooksDetect Kerberoasting and AS-REP RoastingDetect both Active Directory Kerberos credential-attack families (Kerberoasting and AS-REP Roasting) via behavioral analysis on Event IDs 4768/4769 and... Security PlaybooksExploit IDORDetermine whether object identifiers can be manipulated to access another user's data or actions. Security PlaybooksExploit SQL InjectionDetermine whether user-controlled input can alter SQL query logic in a way that changes access, data, or behavior.