nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Naxsi rule to detect HEAD request_method #347

Closed C0nw0nk closed 7 years ago

C0nw0nk commented 7 years ago

So I want to block and not allow HEAD request methods with NAXSI.

In Nginx it is as simple as this to block HEAD requests

if ($request_method = HEAD) {
return 412;
}

Is it possible to do it with Naxsi instead of Nginx's if function?

Also, I am very curious: does Naxsi even process or check that a HEAD request method is safe? If someone sends a User-Agent in a HEAD request that a POST or GET request would have detected and blocked, because HEAD requests get passed to back-end processes like PHP, Python etc., doesn't that mean that if Naxsi does not check or process HEAD requests, that is the hacker's backdoor to send header-based exploits / attacks, which should otherwise be blocked via rules, to the back-end processes?

That would render Naxsi useless as a firewall, since the risk and potential to bypass is to not send your exploit in GET requests but to insert it in a HEAD request and fly right under Naxsi's nose.

Another main difference between Naxsi and other WAFs, Naxsi filters only GET and POST requests,

Based on what the Documentation / readme quote above says, I think anyone using Naxsi that does not block HEAD requests etc. should do so using the Nginx code I put below.

## Only allow these request methods any other request methods will be blocked since Naxsi does not check them and could be a hackers method to bypass the firewall ##
if ($request_method !~ ^(GET|POST)$ ) {
return 412;
}

Put the code into whatever locations in Nginx you are having Naxsi keep secure, wherever you have "SecRulesEnabled;".
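As an added example (not code from the issue or from the naxsi project), the Python below mirrors the `^(GET|POST)$` allow-list in the nginx snippet above and runs it over nginx combined-format access-log lines to flag requests with any other method that were not rejected with 412, i.e. requests that reached the backend without the guard. The log lines, addresses and user-agent strings are constructed for the example.

```python
import re

# Same allow-list the nginx snippet enforces:
#   if ($request_method !~ ^(GET|POST)$ ) { return 412; }
# Anchored and case-sensitive, so "HEAD", "OPTIONS", "get" and "GETX" all fail it.
ALLOWED_METHODS = re.compile(r"^(GET|POST)$")

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def method_allowed(method: str) -> bool:
    """Mirror the nginx test: True only for exactly GET or POST."""
    return ALLOWED_METHODS.match(method) is not None


def audit_access_log(lines):
    """Return (method, path, status, user_agent) for every request whose method
    is outside the allow-list and which the server did NOT answer with 412,
    i.e. requests the nginx guard would have stopped but which got through."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than guessing
        method, status = m["method"], int(m["status"])
        if not method_allowed(method) and status != 412:
            findings.append((method, m["path"], status, m["ua"]))
    return findings


# Constructed sample lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2017:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2017:13:55:37 +0000] "HEAD /index.php HTTP/1.1" 200 0 "-" "not-a-browser/1.0"',
    '203.0.113.9 - - [10/Oct/2017:13:55:38 +0000] "OPTIONS / HTTP/1.1" 412 0 "-" "curl/7.52.1"',
    '203.0.113.9 - - [10/Oct/2017:13:55:39 +0000] "POST /login HTTP/1.1" 512 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2017:13:55:40 +0000] "TRACE / HTTP/1.1" 405 0 "-" "curl/7.52.1"',
]

if __name__ == "__main__":
    for finding in audit_access_log(SAMPLE_LOG):
        print("method not covered by allow-list reached backend:", finding)
```

The OPTIONS line is not reported because the 412 shows the guard handled it; the HEAD and TRACE lines are, because they were served (200 and 405) rather than rejected by the allow-list.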

C0nw0nk commented 7 years ago

A fantastic example I can think of is PHP Object Injection execution (remote code) in a User-Agent HEAD request that Naxsi would not detect and would be game over for PHP back end processes.

The same applies for other request methods that have the potential to bypass Naxsi on locations. https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Request_methods

Looking forward to some input about this issue.

buixor commented 7 years ago

Hello,

Naxsi will process headers and URI for HEAD methods [1] :)

However, naxsi does not offer any way to filter the HTTP VERB used, so I'm afraid you will have to stick to your nginx trick for now.

[1]

MainRule "id:4241" negative "s:DROP" "rx:^/rest/" "mz:URL";

$ curl -I localhost:4242/zzz/
HTTP/1.1 512 

MainRule "id:4242" "s:DROP" "rx:lololol" "mz:HEADERS";

$ curl -I -H "foo: lololol" localhost:4242/rest/
HTTP/1.1 512 

C0nw0nk commented 7 years ago

That's ok I don't have any requirement for any other request types other than GET and POST but perhaps other people do.