nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0
4.8k stars 606 forks source link

Naxsi Whitelist Help #451

Closed tjosm closed 5 years ago

tjosm commented 5 years ago

I'm having trouble generating whitelist rules for an action on my site. I'm using nxutil to generate rules. But problem is there are some dynamic characters that I can't figure out how to whitelist.

This is the error, 2019/01/03 13:10:47 [error] 10637#10637: *5 NAXSI_FMT: ip=xx.xx.xx.xx&server=domain.com&uri=/indkobskurv/&learning=1&vers=0.56&total_processed=2&total_blocked=1&block=1&cscore0=$XSS&score0=16&zone0=BODY|NAME&id0=1310&var_name0=cart%5B6b39183e7053a0106e4376f4e9c5c74d%5D%5Bqty%5D&zone1=BODY|NAME&id1=1311&var_name1=cart%5B6b39183e7053a0106e4376f4e9c5c74d%5D%5Bqty%5D, client: 112.135.12.210, server: domain.com, request: "POST /indkobskurv/ HTTP/2.0", host: "domain.com", referrer: "https://domain.com/indkobskurv/"

And this is the whitelist rule generated by nxutil BasicRule wl:1310 "mz:$URL:/indkobskurv/|$BODY_VAR:cart[6b39183e7053a0106e4376f4e9c5c74d][qty]|NAME";

The problem is 6b39183e7053a0106e4376f4e9c5c74d. This is changing time to time. Need help whitelisting this.

Thanks!

jvoisin commented 5 years ago

What about something like BasicRule wl:1310 "mz:$URL:/indkobskurv/|$BODY_VAR_X:^cart\[[0-9a-f]\]\[qty\]|NAME"; ?

tjosm commented 5 years ago

Thanks for the quick reply @jvoisin. I tried adding above rule, but it doesn't appear to be working. I'm in the learning mode. The same error still gets recorded in the log.

buixor commented 5 years ago

@tjosm can you try

BasicRule wl:1310 "mz:$URL_X:^/indkobskurv/$|$BODY_VAR_X:^cart\[[0-9a-f]\]\[qty\]|NAME";

If you still have issues you can try to have something more generic such as BasicRule wl:1310 "mz:$BODY_VAR_X:^cart\[[0-9a-f]\]\[qty\]|NAME";