I ran a basic test with the following nginx config:
user nginx;
worker_processes 1;
load_module /etc/nginx/modules/ngx_http_naxsi_module.so; # load naxsi
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/naxsi_core.rules; # load naxsi core rules
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 80;
        server_name localhost;
        location / {
            SecRulesEnabled; # enable naxsi
            LibInjectionSql; # enable libinjection support for SQLi
            LibInjectionXss; # enable libinjection support for XSS
            DeniedUrl "/RequestDenied"; # the location where naxsi will redirect the request when it is blocked
            CheckRule "$SQL >= 8" BLOCK; # the action to take when the $SQL score is greater than or equal to 8
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 5" BLOCK;
            CheckRule "$UPLOAD >= 5" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            return 200 '{"message": "not blocked"}';
        }
        location /RequestDenied {
            return 555 '{"message": "WAF block"}';
        }
    }
}
I tested the following curl requests against this config, with naxsi versions 1.0, 1.1, 1.1a, 1.2 and 1.3.
All versions of naxsi I tested blocked the POST and PUT requests, but only version 1.0 blocked the PATCH request.
curl -i -XPOST "http://127.0.0.1/" --data-raw '{"a":"select * from table1;"}'
curl -i -XPUT "http://127.0.0.1/" --data-raw '{"a":"select * from table1;"}'
curl -i -XPATCH "http://127.0.0.1/" --data-raw '{"a":"select * from table1;"}'
Is this expected behaviour? Am I missing something in the setup for the other versions?
Hi
Do versions 1.1, 1.1a, 1.2 and 1.3 support "Parse body of PATCH requests", which I believe was added here: https://github.com/nbs-system/naxsi/pull/426?
Following the setup guide here https://github.com/nbs-system/naxsi/wiki/naxsi-compile I have compiled naxsi as a dynamic module, but only version 1.0 seems to block the PATCH request.
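An added example, not code from the issue or from naxsi, for checking this kind of per-method gap systematically: it sends the same SQLi-looking JSON body with POST, PUT and PATCH and reports which methods let it reach the backend, assuming the issue's nginx config where a blocked request is answered with status 555. The stand-in server at the bottom is constructed to reproduce the behaviour reported above; point `coverage()` at a real nginx/naxsi host:port to test an actual deployment.

```python
# Added example, not code from the issue or from naxsi. Assumes the issue's
# nginx config: a blocked request is answered by /RequestDenied with status 555.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PAYLOAD = '{"a":"select * from table1;"}'  # body used in the issue
METHODS = ("POST", "PUT", "PATCH")
BLOCKED_STATUS = 555                       # from the DeniedUrl location

def probe(host, port, method, body=PAYLOAD):
    """Send the payload with one HTTP method; return the status answered."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, "/", body=body,
                 headers={"Content-Type": "application/json"})
    status = conn.getresponse().status
    conn.close()
    return status

def coverage(host, port, methods=METHODS):
    """Method -> True if the WAF blocked the payload, False if it got through."""
    return {m: probe(host, port, m) == BLOCKED_STATUS for m in methods}

def unprotected(report):
    """Methods whose body was not inspected (payload reached the backend)."""
    return sorted(m for m, blocked in report.items() if not blocked)

# Constructed stand-in reproducing the behaviour reported in the issue:
# POST/PUT bodies are inspected, PATCH bodies are not.
class _FakeNaxsi(BaseHTTPRequestHandler):
    def _handle(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        inspected = self.command in ("POST", "PUT")
        if inspected and b"select" in body.lower():
            self.send_response(BLOCKED_STATUS)
            self.end_headers()
            self.wfile.write(b'{"message": "WAF block"}')
        else:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b'{"message": "not blocked"}')
    do_POST = do_PUT = do_PATCH = _handle
    def log_message(self, *args):  # keep the probe output quiet
        pass

def start_fake():
    """Start the stand-in on a free port; the port is in .server_port."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeNaxsi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Running `unprotected(coverage("127.0.0.1", start_fake().server_port))` against the stand-in returns `['PATCH']`, which is exactly the gap the issue describes.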