nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

HTTP PATCH request method support for versions > 1.0 #539

Closed seffyB closed 2 years ago

seffyB commented 3 years ago

Hi

Do versions 1.1, 1.1a, 1.2 and 1.3 support parsing the body of PATCH requests, which I believe was added here: https://github.com/nbs-system/naxsi/pull/426?

Following the setup guide here https://github.com/nbs-system/naxsi/wiki/naxsi-compile I have compiled naxsi as a dynamic module, but only version 1.0 seems to block PATCH requests.

I ran a basic test with the following nginx config

user  nginx;
worker_processes  1;

load_module /etc/nginx/modules/ngx_http_naxsi_module.so; # load naxsi

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include /etc/nginx/naxsi_core.rules; # load naxsi core rules
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;

    keepalive_timeout  65;

    server {
        listen       80;
        server_name  localhost;

        location / {
            SecRulesEnabled; # enable naxsi
            LibInjectionSql; # enable libinjection support for SQLI
            LibInjectionXss; # enable libinjection support for XSS

            DeniedUrl "/RequestDenied"; # the location where naxsi will redirect the request when it is blocked
            CheckRule "$SQL >= 8" BLOCK; # the action to take when the $SQL score is superior or equal to 8
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 5" BLOCK;
            CheckRule "$UPLOAD >= 5" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            return 200 '{"message": "not blocked"}';
        }

        location /RequestDenied {
            return 555 '{"message": "WAF block"}';
        }
    }
}

I tested the following curl requests against this config, testing versions 1.0, 1.1, 1.1a, 1.2, 1.3. All versions of naxsi I tested blocked the POST and PUT requests, but only version 1.0 blocked the PATCH request.

curl -i -XPOST "http://127.0.0.1/" --data-raw '{"a":"select * from table1;"}'
curl -i -XPUT "http://127.0.0.1/" --data-raw '{"a":"select * from table1;"}'
curl -i -XPATCH "http://127.0.0.1/" --data-raw '{"a":"select * from table1;"}'

Is this expected behaviour? Am I missing something in the setup for the other versions?

wargio commented 3 years ago

No. Probably it is a regression.

wargio commented 3 years ago

I can confirm the wrong behavior. I would have caught this before, but there was no test on this.
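The reporter's manual curl check, and the missing regression test wargio mentions, can be written as one small harness that probes every body-carrying method and reports any method whose body was not inspected. This is an added example, not code from the naxsi project or from the issue; it assumes the nginx config posted above (blocked requests land on /RequestDenied and return 555, uninspected requests reach the `return 200` location), the base URL 127.0.0.1, and the reporter's probe body.

```python
"""Regression check: does naxsi inspect the body of POST, PUT and PATCH alike?

Added example (not naxsi project code). Assumes the nginx config from the
issue: a blocked request is redirected to /RequestDenied (HTTP 555), an
uninspected request reaches the `return 200` location.
"""
import urllib.error
import urllib.request

BASE_URL = "http://127.0.0.1/"            # assumption: the test nginx from the issue
BLOCKED_STATUS = 555                      # status returned by the DeniedUrl location
METHODS = ("POST", "PUT", "PATCH")        # every body-carrying method must be inspected
BODY = b'{"a":"select * from table1;"}'   # the reporter's probe body (scores $SQL >= 8)


def send(method, base_url=BASE_URL, body=BODY):
    """Send one request; return the HTTP status, treating 4xx/5xx as a result, not an error."""
    req = urllib.request.Request(base_url, data=body, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # urllib raises on non-2xx, so the 555 block arrives here


def run_regression(sender=send, methods=METHODS):
    """Probe each method once and map method -> status. `sender` is injectable for offline tests."""
    return {m: sender(m) for m in methods}


def missing_blocks(results, blocked_status=BLOCKED_STATUS):
    """Methods whose body was not inspected: anything other than the WAF block status."""
    return sorted(m for m, status in results.items() if status != blocked_status)


if __name__ == "__main__":
    results = run_regression()
    gaps = missing_blocks(results)
    for method, status in results.items():
        verdict = "blocked" if status == BLOCKED_STATUS else "NOT blocked"
        print(f"{method:<5} -> {status} ({verdict})")
    # Non-zero exit makes the regression visible to CI; the bug in this issue yields gaps == ['PATCH'].
    raise SystemExit(1 if gaps else 0)
```

Run it against each naxsi build under test; a build with the bug described in this issue prints `PATCH -> 200 (NOT blocked)` and exits 1.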