nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Libinjection block image #554

Closed vncloudsco closed 3 years ago

vncloudsco commented 3 years ago

We are being ridiculously blocked by this rule.

https://github.com/nbs-system/naxsi/blob/0395b102b7e9b5165e89e99bb62e9ddaa0a74910/naxsi_config/naxsi_core.rules#L13

GET /images/image-512.jpg HTTP/2
Host: x.com
Cookie: _ga=GA1.2.541213676.1617766672; _gat_gtag_UA_159151281_11=1; _gid=GA1.2.1515891125.1617766672; _gat_UA-67897836-97=1; _fbc=fb.1.1617766727730.IwAR2gm-qkXBWsmpyFw2atgrrAP0o3lbQJv5FHNmxkBjcStiAsei8omMbrot8; _fbp=fb.1.1617766727732.658755003; CMS_XCOOKIE=qtheadva1s348r00q4tr596lk4
Accept: image/webp,image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_4_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [FBAN/FBIOS;FBDV/iPhone8,2;FBMD/iPhone;FBSN/iOS;FBSV/14.4.2;FBSS/3;FBID/phone;FBLC/vi_VN;FBOP/5]
Accept-Language: vi-vn
Referer: https://x.com
Connection: close

My log block:

--
2021/04/07 14:22:12 [error] 1600#1600: *55895 NAXSI_FMT: ip=x.x.x.x&server=x.com&uri=/images/image-512.jpg&vers=1.3&total_processed=3711&total_blocked=87&config=block&cscore0=$LIBINJECTION_SQL&score0=8&zone0=HEADERS&id0=17&var_name0=accept, client: x.x.x.x, server: x.com, request: "GET /images/image-512.jpg HTTP/2.0", host: "x.com", referrer: "https://x.com/home"

I have tried to write whitelist rules for it as follows.

BasicRule wl:17 "mz:$HEADERS_VAR:accept|$URL:/images/image-512.jpg";

I noticed this whitelist rule didn't work. So how can I bypass this absurd blocking?
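As an added example (not code from this issue or from the naxsi project), a small Python helper that splits a NAXSI_FMT log line like the one above into its per-rule events and checks a BasicRule wl: line against them. The matchzone evaluation is a simplified model of the $URL / $*_VAR / bare-zone syntax and is an assumption, not NAXSI's own C implementation; the log line is a constructed copy of the reporter's.

```python
import re
from urllib.parse import parse_qs

# Constructed sample, modelled on the NAXSI_FMT line quoted in the issue.
LOG_LINE = ('2021/04/07 14:22:12 [error] 1600#1600: *55895 NAXSI_FMT: '
            'ip=x.x.x.x&server=x.com&uri=/images/image-512.jpg&vers=1.3&'
            'total_processed=3711&total_blocked=87&config=block&'
            'cscore0=$LIBINJECTION_SQL&score0=8&zone0=HEADERS&id0=17&'
            'var_name0=accept, client: x.x.x.x, server: x.com')

def parse_naxsi_fmt(line):
    """Return the request-level fields plus one dict per matched rule
    (zoneN/idN/var_nameN), so each block can be triaged separately."""
    m = re.search(r'NAXSI_FMT: ([^ ,]+)', line)
    if not m:
        return None
    kv = {k: v[0] for k, v in parse_qs(m.group(1), keep_blank_values=True).items()}
    events, n = [], 0
    while f'id{n}' in kv:
        events.append({'id': int(kv[f'id{n}']), 'zone': kv[f'zone{n}'],
                       'var_name': kv.get(f'var_name{n}', ''), 'uri': kv.get('uri', '')})
        n += 1
    return kv, events

def whitelist_matches(rule, ev):
    """Simplified model (assumption, not NAXSI's C code) of a BasicRule wl:
    matchzone: every '|'-separated part of the mz must hold for the event."""
    m = re.match(r'BasicRule\s+wl:([\d,]+)\s+"mz:([^"]+)"\s*;', rule.strip())
    if not m:
        raise ValueError('unsupported rule syntax')
    ids = {int(i) for i in m.group(1).split(',')}
    if ev['id'] not in ids and 0 not in ids:      # wl:0 means "any rule id"
        return False
    for part in m.group(2).split('|'):
        zone, _, arg = part.partition(':')
        if zone == '$URL':                         # exact URL match
            ok = ev['uri'] == arg
        elif zone == '$URL_X':                     # regex on the URL
            ok = re.search(arg, ev['uri']) is not None
        elif '_VAR' in zone:                       # $HEADERS_VAR, $ARGS_VAR_X, ...
            z = zone[1:].split('_VAR')[0]          # $HEADERS_VAR -> HEADERS
            ok = ev['zone'] == z and (re.search(arg, ev['var_name'], re.I) is not None
                                      if zone.endswith('_X')
                                      else ev['var_name'].lower() == arg.lower())
        else:                                      # bare zone: ARGS, BODY, HEADERS, URL
            ok = ev['zone'] == zone
        if not ok:
            return False
    return True
```

Feeding a day's NAXSI_FMT lines through parse_naxsi_fmt and grouping the events by (id, zone, var_name, uri) shows which whitelist is worth writing before any rule is relaxed.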

wargio commented 3 years ago

I would just whitelist BasicRule wl:17 "mz:$HEADERS_VAR:accept";

vncloudsco commented 3 years ago

@wargio I used the tools to generate the rules, but the tools are not working. Why?

[root@Nasxi nxapi]# ./nxtool.py -c nxapi.json -s x.com -f --filter 'uri /images/image-512.jpg'
GET http://127.0.0.1:9200/ [status:200 request:0.009s]
# size :1000
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.013s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.012s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.005s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.004s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.004s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.003s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.003s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.012s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.005s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.004s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.007s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.004s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.011s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.004s]
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.004s]
#  template :tpl/APPS/google_analytics-ARGS.tpl 
Nb of hits : 0
#  template :tpl/ARGS/precise-id.tpl 
Nb of hits : 0
#  template :tpl/ARGS/site-wide-id.tpl 
Nb of hits : 0
#  template :tpl/ARGS/url-wide-id-NAME.tpl 
Nb of hits : 0
#  template :tpl/ARGS/url-wide-id.tpl 
Nb of hits : 0
#  template :tpl/BODY/precise-id.tpl 
Nb of hits : 0
#  template :tpl/BODY/site-wide-id.tpl 
Nb of hits : 0
#  template :tpl/BODY/url-wide-id-BODY-NAME.tpl 
Nb of hits : 0
#  template :tpl/BODY/url-wide-id.tpl 
Nb of hits : 0
#  template :tpl/BODY/var_name-wide-id.tpl 
Nb of hits : 0
#  template :tpl/HEADERS/cookies.tpl 
Nb of hits : 0
#  template :tpl/URI/global-url-0x_in_pircutres.tpl 
Nb of hits : 0
#  template :tpl/URI/site-wide-id.tpl 
Nb of hits : 0
#  template :tpl/URI/url-wide-id.tpl 
Nb of hits : 0

Did I do something wrong?

[root@Nasxi nxapi]# curl -XPOST "http://localhost:9200/nxapi/events/_search?pretty" -d '{}'
{
  "took" : 59,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 2,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "nxapi",
        "_type" : "events",
        "_id" : "AXivWK_NEk5NDrCyUpT7",
        "_score" : 1.0,
        "_source" : {
          "index" : { }
        }
      },
      {
        "_index" : "nxapi",
        "_type" : "events",
        "_id" : "AXivWK_NEk5NDrCyUpT8",
        "_score" : 1.0,
        "_source" : {
          "zone" : "HEADERS",
          "ip" : "x.x.x.x",
          "whitelisted" : "false",
          "uri" : "/images/image-512.jpg",
          "comments" : "import:2021-04-08 02:38:48.256569",
          "server" : "x.com",
          "content" : "",
          "var_name" : "accept",
          "country" : "",
          "date" : "2021-04-07T10:00:37+00",
          "id" : "17"
        }
      }
    ]
  }
}

vncloudsco commented 3 years ago

I solved the problem by making a copy of the HEADER tpl data.

wargio commented 3 years ago

Awesome.