nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

LearningMode enabled, request still blocked #410

Closed vapao closed 6 years ago

vapao commented 6 years ago

This is my nginx configuration:

        set $naxsi_extensive_log 1;
        location / {
                SecRulesEnabled;
                LearningMode;
                DeniedUrl "/418.html";
                CheckRule "$SQL >= 4" BLOCK;
                CheckRule "$XSS >= 4" BLOCK;
                CheckRule "$RFI >= 4" BLOCK;
                CheckRule "$TRAVERSAL >= 4" BLOCK;
                CheckRule "$EVADE >= 4" BLOCK;
                error_log logs/naxsi_www.abc.com.log;

                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host www.abc.com;
                proxy_pass http://127.0.0.1:8000;
        }

        location = /418.html {
                return 418;
        }

nginx access.log:

1.1.1.1 - - [11/Jan/2018:13:17:39 +0800] "POST /api/v2_5_6.php?r=passport/account HTTP/1.1" 418 0 "-" "okhttp/3.4.1"

naxsi error log:

2018/01/11 13:17:39 [error] 12655#0: *40483 NAXSI_EXLOG: ip=1.1.1.1&server=www.abc.com&uri=/api/v2_5_6.php&id=13&zone=BODY&var_name=&content=, client: 1.1.1.1, server: www.abc.com, request: "POST /api/v2_5_6.php?r=passport/account HTTP/1.1", host: "www.abc.com"
2018/01/11 13:17:39 [error] 12655#0: *40483 NAXSI_FMT: ip=1.1.1.1&server=www.abc.com&uri=/api/v2_5_6.php&learning=1&vers=0.55.3&total_processed=3&total_blocked=3&block=1&zone0=BODY&id0=13&var_name0=, client: 1.1.1.1, server: www.abc.com, request: "POST /api/v2_5_6.php?r=passport/account HTTP/1.1", host: "www.abc.com"

The naxsi error log has many entries, but only this request (POST /api/v2_5_6.php?r=passport/account) was blocked and returned 418. Why? Please help.

sabban commented 6 years ago

The NAXSI_FMT reports an id0=13, which means that the POST format is invalid. Haven't you tried to build a POST request with the GET format?

vapao commented 6 years ago

What puzzles me is why this request is blocked in learning mode. This request succeeds when I set SecRulesDisabled. Now, can I only add this URL to the whitelist?

sabban commented 6 years ago

You are always able to use a properly formatted POST request. Whitelisting the id=13 is a bad idea.

buixor commented 6 years ago

Hello @Yooke! By default, learning mode doesn't whitelist the internal rules (ids < 1000); you have to whitelist those explicitly, as they usually mean that naxsi isn't able to parse the request and thus won't filter anything on the whitelisted scope :)

See : https://github.com/nbs-system/naxsi/wiki/internal-rules

Cheers!
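Added example (not part of this issue or of the naxsi project): a small Python triage script that parses NAXSI_FMT and NAXSI_EXLOG lines like the two above and flags hits on internal rules (ids below 1000), which, as explained in the comment above, LearningMode does not let through. The id-to-description table is taken from the comments in naxsi_core.rules as I recall them; the thread itself confirms only id 13 (invalid POST format). The first two sample lines are the ones from the issue; the third is constructed to show a normal score-based hit that learning mode passes.

```python
"""Triage naxsi error-log lines: which hits will LearningMode still block?

Added example, not code from the naxsi project or the original issue.
Assumption (from the thread): internal rule ids (< 1000) are blocked even
when LearningMode is on, unless explicitly whitelisted.
"""
import re
from urllib.parse import parse_qs

INTERNAL_RULE_MAX = 1000  # naxsi internal rules use ids below 1000

# Descriptions from the comments in naxsi_core.rules (recalled, not from the
# thread); the thread itself only confirms id 13 = invalid POST format.
INTERNAL_RULES = {
    1: "weird request, unable to parse",
    2: "request too big, stored on disk and not parsed",
    10: "invalid hex encoding, null bytes",
    11: "unknown content-type",
    12: "invalid formatted url",
    13: "invalid POST format",
    14: "invalid POST boundary",
    15: "invalid JSON",
    16: "empty POST",
    17: "libinjection_sql",
    18: "libinjection_xss",
}

# "NAXSI_FMT: k=v&k=v..., client: ..." -> the k=v payload is the non-space run
LINE_RE = re.compile(r"NAXSI_(?P<kind>FMT|EXLOG): (?P<payload>\S+)")
# NAXSI_FMT numbers each match: zone0/id0/var_name0, zone1/id1/var_name1, ...
MATCH_RE = re.compile(r"^(zone|id|var_name)(\d+)$")


def parse_naxsi_line(line):
    """Return {'kind', 'fields', 'matches'} for a naxsi log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    payload = m.group("payload").rstrip(",")  # nginx appends ", client: ..."
    fields = {k: v[0] for k, v in
              parse_qs(payload, keep_blank_values=True).items()}
    by_index = {}
    for key, val in fields.items():
        mm = MATCH_RE.match(key)
        if mm:
            by_index.setdefault(int(mm.group(2)), {})[mm.group(1)] = val
    if not by_index and "id" in fields:  # NAXSI_EXLOG: one unnumbered match
        by_index[0] = {k: fields.get(k, "") for k in ("id", "zone", "var_name")}
    return {"kind": m.group("kind"), "fields": fields,
            "matches": [by_index[i] for i in sorted(by_index)]}


def triage(line):
    """Explain one log line: internal-rule hits and whether it was denied."""
    parsed = parse_naxsi_line(line)
    if parsed is None:
        return None
    fields, matches = parsed["fields"], parsed["matches"]
    internal = sorted({int(x["id"]) for x in matches
                       if int(x["id"]) < INTERNAL_RULE_MAX})
    learning = fields.get("learning") == "1"
    blocked = None  # EXLOG lines carry no block/learning flags
    if parsed["kind"] == "FMT":
        # block=1 means the score threshold was reached. In LearningMode that
        # is only logged, except when an internal rule matched (assumption
        # from the thread): then the request is still denied.
        blocked = fields.get("block") == "1" and (not learning or bool(internal))
    return {
        "kind": parsed["kind"],
        "uri": fields.get("uri"),
        "learning": learning,
        "internal_rule_ids": internal,
        "reasons": [INTERNAL_RULES.get(i, "internal rule") for i in internal],
        "blocked": blocked,
    }


# Lines 1-2 are from the issue; line 3 is constructed for illustration.
SAMPLE_LINES = [
    '2018/01/11 13:17:39 [error] 12655#0: *40483 NAXSI_EXLOG: ip=1.1.1.1&server=www.abc.com&uri=/api/v2_5_6.php&id=13&zone=BODY&var_name=&content=, client: 1.1.1.1, server: www.abc.com, request: "POST /api/v2_5_6.php?r=passport/account HTTP/1.1", host: "www.abc.com"',
    '2018/01/11 13:17:39 [error] 12655#0: *40483 NAXSI_FMT: ip=1.1.1.1&server=www.abc.com&uri=/api/v2_5_6.php&learning=1&vers=0.55.3&total_processed=3&total_blocked=3&block=1&zone0=BODY&id0=13&var_name0=, client: 1.1.1.1, server: www.abc.com, request: "POST /api/v2_5_6.php?r=passport/account HTTP/1.1", host: "www.abc.com"',
    '2018/01/11 13:20:01 [error] 12655#0: *40490 NAXSI_FMT: ip=203.0.113.7&server=www.abc.com&uri=/api/v2_5_6.php&learning=1&vers=0.55.3&total_processed=4&total_blocked=4&block=1&zone0=ARGS&id0=1000&var_name0=r, client: 203.0.113.7, server: www.abc.com, request: "GET /api/v2_5_6.php?r=select HTTP/1.1", host: "www.abc.com"',
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(triage(ln))
```

Run it against the real error_log (one triage() call per line) to separate the many learning-mode entries that were only logged from the few that were actually denied because an internal rule fired; those are the ones to fix on the client side (a well-formed POST body here) rather than to whitelist.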

vapao commented 6 years ago

Thanks @buixor @sabban! I understand. I'm sorry for asking such a simple question; I will read the wiki again.