nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Question about naxsi POST request behaviour #395

Closed nadzree closed 7 years ago

nadzree commented 7 years ago

I'm trying to understand the behaviour of naxsi as a WAF. It works great on GET requests; however, when I tried a sample of SQLi:

1' OR 1=1--

In the POST request, it did not block. Is this a normal behaviour or did I wrongly setup naxsi?

nadzree commented 7 years ago

Noted on the invalid. Figured out that I can add the pattern in the base rule to suit my case.

buixor commented 7 years ago

Sorry for the close without justification, was just doing some cleanup. If you read a bit about naxsi, you will quickly see it's a whitelist-based mechanism and without training it won't give any results. If you want an OOB SQLi killer or things like this, it's probably not the tool you are looking for :)

nadzree commented 7 years ago

Hi buixor, I understand it now. Thank you for the further explanation 👍
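As an added example (not from this thread or from the naxsi project), the following nginx fragment shows the pieces naxsi needs before a payload such as `1' OR 1=1--` in a POST body is ever scored and blocked: the core rules loaded at `http` level, a location with `SecRulesEnabled`, `LearningMode` switched off, a `DeniedUrl`, and a `CheckRule` that turns the accumulated `$SQL` score into a `BLOCK`. It also shows the kind of custom `MainRule` with a `BODY` match zone that nadzree mentions adding. The rule text, the id `1301`, the paths and the score thresholds are illustrative assumptions; the real rule ids and scores live in the `naxsi_core.rules` file shipped with your naxsi version, so check them there.

```nginx
# http-level context: the core rules define the generic MainRules
# (quote, double dash, SQL keywords, ...) that raise $SQL, $XSS, etc.
http {
    # Path is an assumption; use the naxsi_core.rules shipped with your build.
    include /etc/nginx/naxsi_core.rules;

    # Added custom MainRule (illustrative). mz:BODY makes the rule look at the
    # POST body; without BODY in the match zone a form field is never scored.
    # Id 1301 is chosen to stay clear of the 1000-1999 core rule range.
    MainRule "rx:\bor\s+1\s*=\s*1\b" "msg:SQL tautology" \
             "mz:ARGS|BODY|URL" "s:$SQL:8" "id:1301";

    server {
        listen 80;

        location / {
            # Enforcement actually happens here, not at http level.
            SecRulesEnabled;
            # LearningMode would only log; leave it off (commented) to block.
            #LearningMode;
            # Requests that trip a CheckRule are internally redirected here.
            DeniedUrl "/RequestDenied";

            # Scores are per request: 1' OR 1=1-- in a form field hits the
            # core quote and double-dash rules plus the custom rule above,
            # so $SQL comfortably exceeds the threshold (values are assumed).
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            # Whitelists are how "training" results are expressed: this one
            # (assumed) lets a legitimate free-text field contain a quote.
            BasicRule wl:1005 "mz:$BODY_VAR:comment";

            proxy_pass http://127.0.0.1:8080;
        }

        location /RequestDenied {
            return 403;
        }
    }
}
```

Two caveats worth testing for when a POST is "not blocked": naxsi only parses bodies whose Content-Type it understands (form-urlencoded, multipart and, in recent versions, JSON); a body sent with another content type is not scored by the `$SQL` rules at all, only flagged by naxsi's internal uncommon-content-type rule. And when `LearningMode` is on, every `CheckRule` verdict is logged instead of enforced, so a training deployment blocks nothing by design, which is the behaviour buixor describes above.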