nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Route GET /favicon triggers XSS rule for no apparent reason #496

Closed Docteur-RS closed 11 months ago

Docteur-RS commented 4 years ago

Hey,

For some reason Naxsi is blocking the call to /favicon when accessing Gitlab.
The only thing that works is to deactivate the rule (1315) that is triggered.


server {
    listen 443 ssl;
    server_name usinelog_temp;
    ssl_certificate /usr/share/nginx/certificates/fullchain.pem;
    ssl_certificate_key /usr/share/nginx/certificates/privkey.pem;
    include /etc/ssl-options/options-nginx-ssl.conf;
    ssl_dhparam /etc/ssl-options/ssl-dhparams.pem;
    location / {
        SecRulesEnabled;
        #LearningMode;
        DeniedUrl "/denied";
        CheckRule "$SQL >= 8" BLOCK;
        CheckRule "$RFI >= 8" BLOCK;
        CheckRule "$TRAVERSAL >= 4" BLOCK;
        CheckRule "$EVADE >= 4" BLOCK;
        CheckRule "$XSS >= 8" BLOCK;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://xx.xx.xx.xx;
    }
}

I added BasicRule wl:1315; to pause the rule and now it's working.

But I would like to know what I'm doing wrong and how to make this work.

Thx

wargio commented 4 years ago

Looks like there is a parameter in that specific header that is interpreted as MainRule "rx:%[2|3]." "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;.

Check your headers.
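As an added illustration (not naxsi's own code and not from this thread): a small Python model of how rule 1315, quoted above, scores its match zones against the CheckRule thresholds in the posted config, and how a whitelist scoped to the Cookie zone compares with the global wl:1315 the reporter used. Single URL-decoding of cookie values, the cookie-scoped whitelist syntax and the sample cookie values are assumptions of this model.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Rule 1315 as quoted in the comment above: '%' followed by 2 or 3 and any
# character, i.e. a layer of URL encoding that survives one decode.
# The '|' inside the class is a literal, kept exactly as in the quoted rule.
RULE_1315 = {"rx": re.compile(r"%[2|3]."), "score": ("$XSS", 8),
             "mz": {"ARGS", "URL", "BODY", "$HEADERS_VAR:Cookie"}}
# CheckRule thresholds from the posted location block
CHECK_RULES = {"$SQL": 8, "$RFI": 8, "$TRAVERSAL": 4, "$EVADE": 4, "$XSS": 8}

def zones(target, cookie="", body=""):
    """Split a request into (zone, value) pairs. Assumption of this model:
    every zone is URL-decoded exactly once before matching, as naxsi does
    for ARGS and URL, so a single %XX never fires 1315 but %25XX does."""
    parts = urlsplit(target)
    out = [("URL", unquote(parts.path))]
    out += [("ARGS", v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    out += [("$HEADERS_VAR:Cookie", unquote(c.split("=", 1)[-1]))
            for c in cookie.split(";") if c.strip()]
    if body:
        out.append(("BODY", unquote(body)))
    return out

def evaluate(target, cookie="", body="", whitelist=()):
    """Return (blocked, zones_hit). `whitelist` holds zones in which 1315 is
    whitelisted (assumed syntax: BasicRule wl:1315 "mz:$HEADERS_VAR:Cookie";);
    the empty string stands for the global 'BasicRule wl:1315;'."""
    scores = {name: 0 for name in CHECK_RULES}
    hits = []
    for zone, value in zones(target, cookie, body):
        if zone not in RULE_1315["mz"] or not RULE_1315["rx"].search(value):
            continue
        if "" in whitelist or zone in whitelist:
            continue                      # rule disabled for this zone
        var, pts = RULE_1315["score"]
        scores[var] += pts
        hits.append(zone)
    blocked = any(scores[v] >= t for v, t in CHECK_RULES.items())
    return blocked, hits

# constructed sample: a plain session cookie passes, a cookie carrying a
# double-encoded path value ("%252F") reaches the $XSS threshold on its own
CLEAN = "_gitlab_session=abc"
DOUBLE = "_gitlab_session=abc; return_to=%252Fgroup%252Fproject"
```

Running evaluate("/favicon.ico", cookie=DOUBLE) blocks on the Cookie zone, while evaluate("/favicon.ico", cookie=DOUBLE, whitelist={"$HEADERS_VAR:Cookie"}) passes and the double-encoded ARGS case is still blocked, which is the narrower fix compared with the global whitelist.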