Despite the official statement that "Naxsi filters only GET and POST requests" I have been able to perform a basic experiment observing that PUT and DELETE (as well as HEAD and OPTIONS) are filtered as expected. PATCH seems to be an exception though, and isn't filtered based on its body contents. Is this something that can be fixed?
In more detail, I modified the hex encoding rule to be `MainRule "str:0x" "msg:0x, possible hex encoding" "mz:RAW_BODY|BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:DROP" id:1002;` and removed a majority of the other rules. I then issued the following request: `curl --request PATCH -d '{"test":"0x"}' localhost` and saw Naxsi allow the request to pass to the backend. The request `curl --request PATCH -d '{"test":"abc"}' localhost/0x` was correctly blocked however, indicating there is some basic support for the PATCH method.
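To make the observation above reproducible offline, here is an added example (not naxsi's own code) that parses the MainRule line from the issue and evaluates the two curl requests against its match zones; `inspect_body=False` models the observed behaviour where the PATCH body is not inspected. It assumes a simplified case-insensitive substring `str:` match and ignores naxsi's other match types, scoring and whitelists.

```python
"""Minimal model of one naxsi MainRule applied to the PATCH requests from the issue.
Added example, not naxsi's own code; the zone handling is a simplification."""
import re
from urllib.parse import urlsplit, parse_qsl

RULE_LINE = ('MainRule "str:0x" "msg:0x, possible hex encoding" '
             '"mz:RAW_BODY|BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:DROP" id:1002;')

# Constructed requests mirroring the two curl invocations in the issue.
REQ_BODY_0X = {"method": "PATCH", "url": "http://localhost/", "body": '{"test":"0x"}'}
REQ_URL_0X = {"method": "PATCH", "url": "http://localhost/0x", "body": '{"test":"abc"}'}


def parse_main_rule(line):
    """Parse the quoted key:value tokens plus the bare id:N of a MainRule line."""
    rule = {}
    for quoted, ident in re.findall(r'"([^"]*)"|(id:\d+)', line):
        key, _, val = (quoted or ident).partition(":")
        rule[key] = val
    rule["mz"] = rule["mz"].split("|")   # match zones, in the order listed
    rule["id"] = int(rule["id"])
    return rule


def zone_values(req):
    """Strings each match zone covers for one request (simplified: ARGS values only)."""
    url = urlsplit(req["url"])
    zones = {
        "URL": [url.path],
        "ARGS": [v for _, v in parse_qsl(url.query)],
        "RAW_BODY": [req.get("body", "")],
        "BODY": [req.get("body", "")],
    }
    for name, val in req.get("headers", {}).items():
        zones["$HEADERS_VAR:" + name] = [val]
    return zones


def evaluate(rule, req, inspect_body=True):
    """Return (action, zone) for the first matching zone, or (None, None).
    inspect_body=False models a WAF that skips body zones for this method."""
    needle = rule["str"].lower()
    zones = zone_values(req)
    for zone in rule["mz"]:
        if not inspect_body and zone in ("RAW_BODY", "BODY"):
            continue
        if any(needle in v.lower() for v in zones.get(zone, [])):
            return rule["s"], zone
    return None, None
```

Under the rule as written, `evaluate(parse_main_rule(RULE_LINE), REQ_BODY_0X)` should yield a DROP on RAW_BODY; the issue's observation corresponds to the `inspect_body=False` result, where only the URL-based request is dropped.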