nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Question | Directory URL / formats allowing access only (whitelist approach) #339

Closed C0nw0nk closed 7 years ago

C0nw0nk commented 7 years ago

So here is a rule I would like to try and make possible; it is just a bit complex to get down on my own.

Example URL formats to be whitelisted while denying all the others

/url/url
/url/url/
/url/url.html
/url
/url&args
/url?args&moreargs=lol
/url/index
/index.html
/url/index.html
/index.php
/index.php?args&search=lol
/index.html?args
/url.html?args&search=lol
url/url.html?args&search=lol
/url/url.html?args&search=lol

I guess if it is not a php, html or a / link to disallow it. (No reason why people should be trying to access url formats and directories that are not accepted / don't exist.)

The reason the URLs are like this is because some are SEF (search engine friendly) URLs while others are not.

What I came up with so far.

MainRule negative "rx:\.(html|php)" "msg:Block access to any URL format other than those whitelisted" "mz:URL" "s:$UWA:8" id:1600;

Unfortunately this rule won't be too friendly, since ".php5", ".htmlanything" etc. will be accepted even though they don't exist and should be blocked. I also believe this won't like URLs that don't contain the .php or .html format, so a non-existent file type like the following examples.

/url/
/
/url
/url&args
/url?args

Those will be blocked when I want them allowed.

Any help / advice is much appreciated <3 :) It might be impossible.

buixor commented 7 years ago

Hello,

Not sure I exactly get what you are trying to achieve, but regarding this:

MainRule negative "rx:\.(html|php)" "msg:Block access to any URL format other than those whitelisted" "mz:URL" "s:$UWA:8" id:1600;

if you don't want this to allow .php5 or .htmlsomething, you can just change it like this:

MainRule negative "rx:\.(html|php)$" "msg:Block access to any URL format other than those whitelisted" "mz:URL" "s:$UWA:8" id:1600;

C0nw0nk commented 7 years ago

Yeah, but if I do that it blocks URLs in this format from working

/url/
/url.html?stuff&morestuff=etc
/url.php?stuff&morestuff=extrastuff&stuffing

In a nutshell I just want to prevent URL probing of links / formats that are invalid or don't exist.

buixor commented 7 years ago

It shouldn't match /url.html?stuff&morestuff=etc or /url.php?stuff&morestuff=extrastuff&stuffing but it won't block probing :/

C0nw0nk commented 7 years ago

In the regex $ is for the end, so anything that comes after that should be blocked, right?

MainRule negative "rx:\.(html|php)$" "msg:Block access to any URL format other than those whitelisted" "mz:URL" "s:$UWA:8" id:1600;

So will a URL that ends with query strings or arguments be accepted or blocked? To me it looks like those URLs with arguments will be blocked since there is nothing in the regex to accept those formats.

And then of course URLs that are search engine friendly

/url/
/url
/url#div-id-number
/url&stuff=stuffed&stuffing=stuffs

buixor commented 7 years ago

URL is different from GET args. URL stops before "?".

C0nw0nk commented 7 years ago

I see, now that makes sense. In that case the only problem that could remain is URLs that have no format, being search engine friendly. How do I include these types in that regex?

/url/url
/url/url/
/url/
/url
/

buixor commented 7 years ago

"rx:^/[a-z/]+/$" should work :) starts with a slash, ends with a slash, is composed of a-z.

C0nw0nk commented 7 years ago

Thanks :D Wouldn't that be a separate rule? How do I combine both of them into a single rule? <3

MainRule negative "rx:\.(html|php)$" "msg:Block access to any URL format other than those whitelisted" "mz:URL" "s:$UWA:8" id:1600;
MainRule negative "rx:^/[a-zA-Z0-9/]+/$" "msg:Block access to any URL format other than those whitelisted" "mz:URL" "s:$UWA:8" id:1600;

I am still learning, but this place helps a lot. http://spike.nginx-goodies.com/rules/

buixor commented 7 years ago

For this kind of thing, I think it's better to keep separate rules :) You could do it in one rule, but it's more regex related.
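Emulating how the two negative rules from this thread score a request, as an added example (not code from the thread or from the naxsi project): a negative MainRule adds its $UWA:8 when its regex does not match the URL zone, which is the path before the first "?" as buixor notes, so with two separate negative rules the CheckRule threshold decides whether a URL must satisfy one regex or both. The id 1601 for the second rule, the CheckRule thresholds and the combined alternation regex are assumptions; URL decoding and the rest of naxsi's request handling are not emulated.

```python
import re

# Regexes from the thread's two negative MainRules (mz:URL). The page gives
# both rules id:1600; 1601 is used here (assumption) to tell them apart.
RULES = {
    1600: re.compile(r"\.(html|php)$"),        # path ends in .html or .php
    1601: re.compile(r"^/[a-zA-Z0-9/]+/$"),    # SEF path: leading and trailing slash
}

# One alternation that accepts either form, i.e. the "single rule" variant
# buixor says is possible but more regex related (assumption, not from the thread).
COMBINED_RX = re.compile(r"^(?:/[a-zA-Z0-9/]+/|.*\.(?:html|php))$")


def url_zone(request_uri):
    """naxsi's URL zone is the path only; GET args start at the first '?'."""
    return request_uri.split("?", 1)[0]


def uwa_score(request_uri, rules=RULES, per_rule=8):
    """Each negative rule adds its score when its regex does NOT match the URL zone."""
    path = url_zone(request_uri)
    return sum(per_rule for rx in rules.values() if rx.search(path) is None)


def decision(request_uri, threshold):
    """Emulate CheckRule "$UWA >= <threshold>" DROP with the two separate rules.
    threshold 8: a URL must match both regexes (everything here is dropped);
    threshold 16: a URL must match at least one regex."""
    return "block" if uwa_score(request_uri) >= threshold else "allow"


def combined_decision(request_uri):
    """Same whitelist expressed as a single negative rule with an alternation."""
    return "allow" if COMBINED_RX.search(url_zone(request_uri)) else "block"


if __name__ == "__main__":
    # Constructed sample URIs taken from the formats listed in the thread.
    samples = ["/url/url/", "/url.html?args&search=lol", "/index.php",
               "/url/index", "/url", "/url.php5"]
    for uri in samples:
        print(f"{uri:28} score={uwa_score(uri):2}  >=8: {decision(uri, 8):5}"
              f"  >=16: {decision(uri, 16):5}  combined: {combined_decision(uri)}")
```

Run as-is to see that a threshold of 8 with two separate negative rules blocks every sample, while a threshold of 16 gives the same result as the combined regex.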