OAuth CDN Developer Console nginx/1.19.10
merge_slashes off host oauth.techgiant.com
📡 Requests
🔬 Vulnerability Info

CVE: N/A (Config issue)

Impact: Path traversal → arbitrary file read

Version: nginx 1.19.x

Setting: merge_slashes off;

📖 nginx docs →

⚡ OAuth CDN — Static Asset Server

This is a simulation of a Tech Giant's OAuth CDN server running nginx 1.19.10 with merge_slashes off;. Click any request in the sidebar to see how the vulnerability works.

✅ Normal
📦
Static assets served normally
200 OK
🔒 Blocked
🛡️
Normal traversal blocked by nginx
400 Bad Request
⚡ Exploit
🚀
Multi-slash bypasses normalization
200 OK + File Contents
🔓 How the Nginx merge_slashes Vulnerability Works

When merge_slashes is set to off (default is on), nginx does not collapse consecutive slash characters (////).

This allows an attacker to craft a URL like:
GET ///////../../../etc/passwd HTTP/1.1

The multiple slashes prevent nginx from matching the location /static/ block normally, and when merge_slashes is off, the path traversal sequences (../) are not normalized away — they reach the backend filesystem intact.