⌘K
ENES
GitHub
playbookSecurity Playbooks~1 min readUpdated Apr 23, 2026

Reverse Proxy Misconfig Checklist

Goal

Identify whether proxy and backend behavior create trust-boundary bugs, parser confusion, header abuse, or unintended routing exposure.

Assumptions

  • one or more reverse proxies, CDNs, or load balancers sit in front of the app
  • headers may be added, stripped, or trusted inconsistently
  • proxy/backend parsing differences can create security issues

Prerequisites

  • visibility into requests and responses
  • ability to send crafted headers and observe behavior
  • rough understanding of the request chain

Recon steps

  1. Identify all request hops if possible.
  2. Compare externally visible behavior with backend expectations.
  3. Record proxy-added headers and route behaviors.

Exploit / test steps

  1. Test header trust: X-Forwarded-For, X-Real-IP, host-related headers.
  2. Observe whether direct backend access also exists.
  3. Check routing and path normalization differences.
  4. Probe for request parsing ambiguity where appropriate.
  5. Inspect health, debug, or alternate virtual host exposure.

Validation clues

  • attacker-controlled forwarding headers influence security decisions
  • proxy and backend disagree on request interpretation
  • backends are reachable directly outside the intended front door
  • hidden paths or routing behaviors appear through proxy quirks

Mitigation

  • define a clear trusted proxy boundary
  • normalize or reject ambiguous requests
  • restrict direct backend exposure
  • centralize and review forwarding/header trust policy
  • patch and test the whole chain consistently

Logging / detection

  • unexpected forwarding-header values
  • malformed request patterns
  • traffic bypassing expected entrypoints
  • inconsistencies between edge and backend logs

References

  • Testing / Lab: PortSwigger request smuggling topic — https://portswigger.net/web-security/request-smuggling
  • Research / Deep Dive: PortSwigger Research — https://portswigger.net/research
  • Foundational: MDN HTTP messages — https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Messages

Explore nearby notes

Security PlaybooksBreak JWT ValidationIdentify whether JWT handling is weak enough to allow acceptance of invalid, stale, mis-scoped, or attacker-influenced tokens. Security PlaybooksDetect BloodHound Collection_Playbook structure (Goal / Assumptions / Prerequisites / Detection steps / Validation clues / Mitigation / Logging / Operational safety), matching the trio... Security PlaybooksDetect DCSync and ntds.dit AccessDetect both forms of bulk Active Directory credential extraction — **DCSync** (IDL_DRSGetNCChanges via the DRSUAPI RPC interface) and **offline ntds.dit... Security PlaybooksDetect External Recon Scan PipelineDetect an external operator running a two-phase Masscan → Nmap-NSE recon pipeline (the offense playbook run-scan-pipeline) against your perimeter, with high enough... Security PlaybooksDetect Kerberoasting and AS-REP RoastingDetect both Active Directory Kerberos credential-attack families (Kerberoasting and AS-REP Roasting) via behavioral analysis on Event IDs 4768/4769 and... Security PlaybooksExploit IDORDetermine whether object identifiers can be manipulated to access another user's data or actions.