nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Only enable internal rules #500

Closed tmanninger closed 11 months ago

tmanninger commented 4 years ago

Hi,

I will only enable the internal rules (ids 1-18) in the naxsi_core.rules

My configuration file:

MainRule "msg:weird request, unable to parse" id:1;
MainRule "msg:request too big, stored on disk and not parsed" id:2;
MainRule "msg:invalid hex encoding, null bytes" id:10;
MainRule "msg:unknown content-type" id:11;
MainRule "msg:invalid formatted url" id:12;
MainRule "msg:invalid POST format" id:13;
MainRule "msg:invalid POST boundary" id:14;
MainRule "msg:invalid JSON" id:15;
MainRule "msg:empty POST" id:16;
MainRule "msg:libinjection_sql" id:17;
MainRule "msg:libinjection_xss" id:18;

But all internal rules are ignored; this HTTP request works without any naxsi error (invalid JSON request):

curl --header "Content-Type: application/json" --request POST --data '{"username":"xyz","password":"xyz"}aaaa' 'https://hostname'

If I add some other rule, like below, then the internal rules work:

MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;

Now this request is blocked by naxsi (JSON validation failed):

curl --header "Content-Type: application/json" --request POST --data '{"username":"xyz","password":"xyz"}aaaa' 'https://hostname'

My configuration in the server section:

CheckRule "$GENERIC >= 3" BLOCK;
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
DeniedUrl /NaxsiDenied;

LearningMode ;

SecRulesEnabled

Is this the expected behavior or a bug?

Regards, Thomas

wargio commented 4 years ago

I actually never tried this, so I really don't know how to help. I'll take a deep look at the code to see if this is actually a bug or a configuration issue. For now I'll still tag this as a bug.

I'm really sorry for not being able to help you with this.

wargio commented 4 years ago

OK, by looking at the code, it looks like the main rules

MainRule "msg:weird request, unable to parse" id:1;
MainRule "msg:request too big, stored on disk and not parsed" id:2;
MainRule "msg:invalid hex encoding, null bytes" id:10;
MainRule "msg:unknown content-type" id:11;
MainRule "msg:invalid formatted url" id:12;
MainRule "msg:invalid POST format" id:13;
MainRule "msg:invalid POST boundary" id:14;
MainRule "msg:invalid JSON" id:15;
MainRule "msg:empty POST" id:16;
MainRule "msg:libinjection_sql" id:17;
MainRule "msg:libinjection_xss" id:18;

are implicit. In order to have a minimal config you need at least 1 line of config. So I can confirm this is a bug.

My suggestion is to try having only this as config (yes, as comments):

#@MainRule "msg:weird request, unable to parse" id:1;
#@MainRule "msg:request too big, stored on disk and not parsed" id:2;
#@MainRule "msg:invalid hex encoding, null bytes" id:10;
#@MainRule "msg:unknown content-type" id:11;
#@MainRule "msg:invalid formatted url" id:12;
#@MainRule "msg:invalid POST format" id:13;
#@MainRule "msg:invalid POST boundary" id:14;
#@MainRule "msg:invalid JSON" id:15;
#@MainRule "msg:empty POST" id:16;
#@MainRule "msg:libinjection_sql" id:17;
#@MainRule "msg:libinjection_xss" id:18;
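A small config lint for the situation described in this comment, added here as an example and not part of naxsi or of anyone's post: it collects the ids of the active MainRule lines (skipping `#` and `#@` lines), flags a rules file with no active rule outside ids 1-18, and runs the JSON validity check that internal rule 15 is meant to perform. The sample rule texts and request body are constructed from the configurations in this thread.

```python
import json
import re

# Added example, not naxsi's own code: scan a naxsi rules file and report
# whether it declares any active MainRule outside the internal ids 1-18.
# The thread above reports that a file holding only those ids (or only
# '#@' comment lines) leaves the internal checks inactive, so a config
# lint should flag that state before the file is deployed.
INTERNAL_IDS = frozenset(range(1, 19))
# One MainRule runs from the keyword to its terminating ';' and carries id:N.
RULE_RE = re.compile(r'MainRule\b[^;]*?\bid:(\d+)\s*;')

def active_rule_ids(rules_text):
    """Ids of MainRules that are not commented out; '#...' and '#@...' lines
    are skipped. Several rules on one line (as in the issue) are all found."""
    ids = set()
    for line in rules_text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        ids.update(int(m.group(1)) for m in RULE_RE.finditer(line))
    return ids

def internal_rules_inactive(rules_text):
    """True when no active rule has an id outside 1-18, i.e. the
    configuration in which the issue saw the internal checks do nothing."""
    return not (active_rule_ids(rules_text) - INTERNAL_IDS)

def is_valid_json_body(body):
    """The check internal rule 15 ('invalid JSON') is meant to apply."""
    try:
        json.loads(body)
        return True
    except ValueError:
        return False

# Constructed sample rule files mirroring the thread's configurations.
INTERNAL_ONLY = 'MainRule "msg:invalid JSON" id:15; MainRule "msg:empty POST" id:16;\n'
WITH_SQL_RULE = INTERNAL_ONLY + (
    'MainRule "rx:select|union|update|delete" "msg:sql keywords" '
    '"mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;\n'
)
COMMENTED_ONLY = '#@MainRule "msg:invalid JSON" id:15;\n'

if __name__ == "__main__":
    for name, cfg in (("internal only", INTERNAL_ONLY),
                      ("with id:1000", WITH_SQL_RULE), ("#@ only", COMMENTED_ONLY)):
        print(f"{name}: internal rules inactive = {internal_rules_inactive(cfg)}")
    print("body is valid JSON:",
          is_valid_json_body('{"username":"xyz","password":"xyz"}aaaa'))
```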

tmanninger commented 4 years ago

The configuration with only the comments is also not working; the invalid JSON request is not blocked.

wargio commented 4 years ago

Hmm, thanks for testing this. This is definitely a bug in an edge use case.

tmanninger commented 4 years ago

Thanks for the feedback! What does the "@" after the comment mean?