Closed C0nw0nk closed 7 years ago
A fantastic example I can think of is PHP Object Injection execution (remote code) in a User-Agent HEAD request that Naxsi would not detect and would be game over for PHP back end processes.
The same applies for other request methods that have the potential to bypass Naxsi on locations. https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods
Looking forward to some input about this issue.
Hello,
Naxsi will process headers and URI for HEAD methods [1] :)
However, naxsi does not offer any way to filter the HTTP VERB used, so I'm afraid you will have to stick to your nginx trick for now.
[1]

```
MainRule "id:4241" negative "s:DROP" "rx:^/rest/" "mz:URL";
$ curl -I localhost:4242/zzz/
HTTP/1.1 512

MainRule "id:4242" "s:DROP" "rx:lololol" "mz:HEADERS";
$ curl -I -H "foo: lololol" localhost:4242/rest/
HTTP/1.1 512
```
That's ok, I don't have any requirement for request types other than GET and POST, but perhaps other people do.
So I want to block and not allow HEAD request methods with NAXSI.
In Nginx it is as simple as this to block HEAD requests
Is it possible to do it with Naxsi instead of Nginx's if function?
Also I am very curious: does Naxsi even process or check that a HEAD request method is safe? If someone sends a User-Agent in a HEAD request that a POST or GET request would have detected and blocked, because HEAD requests get passed to back end processes like PHP, Python etc., doesn't that mean that if Naxsi does not check or process HEAD requests, that is the hacker's backdoor to send header based exploits / attacks to the back end processes that should otherwise be blocked via Rules?
That would render Naxsi useless as a firewall, since the risk and potential to bypass is to not send your exploit in GET requests but to insert it in a HEAD request and fly right under Naxsi's nose.
Based on what the Documentation / readme file quote above says, I think anyone using Naxsi that does not block HEAD requests etc. should do so using the Nginx code I put below.
Put the code into whatever locations in Nginx you are having Naxsi keep secure, wherever you have "SecRulesEnabled;".
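An added configuration example (not code from this thread or from the naxsi project) showing a naxsi-protected location that also rejects HEAD at the nginx layer, since naxsi has no directive for filtering on the HTTP verb. The backend socket, DeniedUrl path and CheckRule thresholds are placeholders; naxsi_core.rules is assumed to be included in the http block.

```nginx
# Constructed example: naxsi inspection plus a verb restriction in one location.
# Note the caveat: "limit_except GET ..." will NOT block HEAD, because nginx
# treats allowing GET as also allowing HEAD. An "if" with "return" is the
# safe form of "if" (no rewrite or proxy directives inside it).
location / {
    # naxsi inspection for this location (thresholds are placeholders)
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$EVADE >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;

    # Refuse HEAD before the request is handed to the backend.
    if ($request_method = HEAD) {
        return 405;
    }

    # Anything other than GET/POST (PUT, DELETE, OPTIONS, ...) is also refused.
    # HEAD is handled above because limit_except cannot separate it from GET.
    limit_except GET POST {
        deny all;
    }

    # placeholder backend
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}

# Target for requests naxsi blocks; kept internal so clients cannot hit it directly.
location /RequestDenied {
    internal;
    return 403;
}
```

Verify with `curl -I` (HEAD) and expect 405, while `curl -i` (GET) on the same URL reaches the backend and naxsi rules still fire on headers and URI.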