nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Match multiple BODY_VAR #380

Closed chepurko closed 7 years ago

chepurko commented 7 years ago

I am trying to whitelist some rules (1310,1311) in WordPress to let Jetpack infinite scroll work. The problem is there is a whole bunch of URL params to match. See image:

[screenshot from 2017-05-27 18-36-50]

I don't just want to allow "mz:$BODY_VAR:scripts[]|NAME", I want to allow "mz:$URL:/|$BODY_VAR:infinity|$BODY_VAR:scripts[]|NAME", but this results in the error

[emerg] 214#214: whitelist can't target more than one BODY item..

So is there a way to target parameter names with square brackets only when the parameter ?infinity=scrolling is present?

If I just do "mz:$BODY_VAR:infinity|NAME" this also doesn't match because there aren't any square brackets in that query anyway...

chepurko commented 7 years ago

I would AND it with a URL zone, but the problem is infinite scrolling works on the homepage as well as all other places with the blogroll. So I believe the URL zone doesn't do me any good here.

I also thought I'd be able to just match the URL /?infinity=scrolling as this is the request showing up in the NAXSI logs:

2017/05/27 15:53:12 [error] 198#198: *17497 NAXSI_FMT: ... request: "POST /?infinity=scrolling HTTP/1.1"...

But obviously the URL zone is for everything before the question mark.

buixor commented 7 years ago

Hello,

I don't just want to allow "mz:$BODY_VAR:scripts[]|NAME", I want to allow "mz:$URL:/|$BODY_VAR:infinity|$BODY_VAR:scripts[]|NAME", but this results in the error

"mz:$URL:/|$BODY_VAR:scripts[]|NAME" seems to be the correct syntax :)

So is there a way to target parameter names with square brackets only when the parameter ?infinity=scrolling is present? : unfortunately no :(

If you are running into trouble, please submit a naxsi_fmt :)
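To make the constraint behind the "[emerg] whitelist can't target more than one BODY item" error concrete, here is an added Python checker. It is not naxsi's own parser but a simplified model of the mz: syntax built from the thread: the zone names are assumed from the naxsi rule grammar, and the only rule it enforces is the one-BODY-item limit the maintainer confirms, so it accepts the two-part spec and rejects the three-part one.

```python
# Simplified model of naxsi "mz:" match-zone strings (illustrative, not naxsi's
# own parser). It splits a spec into targets and enforces one constraint from
# the thread: a whitelist may target at most one BODY item.

# Specialised zones that name a single variable or URL (assumed set).
_VAR_ZONES = {"$URL", "$ARGS_VAR", "$BODY_VAR", "$HEADERS_VAR",
              "$URL_X", "$ARGS_VAR_X", "$BODY_VAR_X", "$HEADERS_VAR_X"}
# Plain zones that cover every variable in that part of the request.
_PLAIN_ZONES = {"ARGS", "BODY", "URL", "HEADERS", "FILE_EXT"}


class MatchZoneError(ValueError):
    """Raised for specs this model would refuse, mirroring the [emerg] message."""


def parse_mz(spec: str):
    """Parse 'mz:<target>|<target>|...' into ([(zone, value), ...], name_only).

    value is None for plain zones; name_only is True when the |NAME modifier
    is present (match on variable names rather than values)."""
    if not spec.startswith("mz:"):
        raise MatchZoneError("match zone must start with 'mz:'")
    targets, name_only = [], False
    for item in spec[3:].split("|"):
        if item == "NAME":
            name_only = True
            continue
        if item in _PLAIN_ZONES:
            targets.append((item, None))
            continue
        zone, sep, value = item.partition(":")
        if not sep or zone not in _VAR_ZONES or not value:
            raise MatchZoneError(f"unknown or incomplete zone: {item!r}")
        targets.append((zone, value))
    # The limit chepurko hit: two $BODY_VAR targets in one whitelist (simplified
    # to counting $BODY_VAR / $BODY_VAR_X entries; assumption, not naxsi's code).
    if sum(1 for zone, _ in targets if zone.startswith("$BODY_VAR")) > 1:
        raise MatchZoneError("whitelist can't target more than one BODY item")
    return targets, name_only


def is_valid_mz(spec: str) -> bool:
    """True if the spec parses under this model, False otherwise."""
    try:
        parse_mz(spec)
        return True
    except MatchZoneError:
        return False
```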