This extension detects NGINX alias traversal due to misconfiguration.

The technique is based on Orange Tsai's BlackHat USA 2018 presentation.

A server is assumed to be vulnerable if a request to an existing path like https://example.com/static../ returns the same response as https://example.com/. To eliminate false positives, the misconfiguration has to be confirmed by successfully requesting an existing resource via path traversal. This is done as follows:

For the URL https://example.com/folder1/folder2/static/main.css it generates the following links:

https://example.com/folder1../folder1/folder2/static/main.css
https://example.com/folder1../%s/folder2/static/main.css
https://example.com/folder1/folder2../folder2/static/main.css
https://example.com/folder1/folder2../%s/static/main.css
https://example.com/folder1/folder2/static../static/main.css
https://example.com/folder1/folder2/static../%s/main.css

Here %s stands for common directory names used in alias paths, taken from around 9500 nginx configuration files from GH (thanks @TomNomNom); see directories.txt.
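
The same misconfiguration can be checked from the server side by reviewing the configuration itself. The following is an added example, not part of this extension: it assumes the usual cause, a prefix `location` without a trailing slash paired with an `alias` target that ends in one. The function names and the sample configuration are constructed for illustration.

```python
import re

LOCATION_RE = re.compile(r'\blocation\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{')
ALIAS_RE = re.compile(r'\balias\s+([^;\s]+)\s*;')

def own_directives(conf, start):
    """Text of the block opening just before `start`, nested blocks removed."""
    depth, out = 1, []
    for ch in conf[start:]:
        if ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                break
        elif depth == 1:
            out.append(ch)
    return ''.join(out)

def find_alias_mismatches(conf):
    """Return (location, alias) pairs: a prefix location without a trailing
    slash whose alias target ends with one."""
    conf = re.sub(r'#[^\n]*', '', conf)  # drop comments
    findings = []
    for m in LOCATION_RE.finditer(conf):
        modifier, prefix = m.group(1), m.group(2).strip('"\'')
        if modifier in ('=', '~', '~*'):
            continue  # exact and regex locations are not prefix matches
        for alias in ALIAS_RE.findall(own_directives(conf, m.end())):
            alias = alias.strip('"\'')
            if not prefix.endswith('/') and alias.endswith('/'):
                findings.append((prefix, alias))
    return findings

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF = """
server {
    location /static { alias /var/www/app/static/; }
    location /media/ { alias /var/www/app/media/; }
    location = /robots.txt { alias /var/www/robots.txt; }
    location ^~ /assets {
        alias /srv/assets/;  # trailing comment
    }
}
"""

if __name__ == '__main__':
    for prefix, alias in find_alias_mismatches(SAMPLE_CONF):
        print(f"location {prefix} -> alias {alias}: add a trailing slash to the location")
```

Each flagged pair is fixed by ending the `location` prefix with a slash so that it matches the `alias` target.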