nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Whitelist rules for ARGS not applied to parameter names (it seems) #592

Closed holstvoogd closed 2 years ago

holstvoogd commented 2 years ago

I've been testing naxsi for our new proxies, but am running into an issue with whitelisting some stuff. I am probably misunderstanding something, but I can't get my whitelist rules for ARGS to work.

I use the basic core rules and have added the following config in my location block:

SecRulesEnabled;
DeniedUrl /NaxsiDenied

CheckRule "$SQL >= 10" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

# allows [ and ] in the URL arguments
BasicRule wl:1310 "mz:ARGS";
BasicRule wl:1311 "mz:ARGS";

Now if I do a request with [ ] in a get variable, so for instance localhost/foo?param[bar]=baz it blocks that based on Main rules 1310 & 1311:

[error] 36#36: *46 NAXSI_FMT: ip=10.1.0.6&server=localhost&uri=/foo&vers=1.3&total_processed=1&total_blocked=1&config=block&cscore0=$XSS&score0=8&zone0=ARGS|NAME&id0=1310&var_name0=param%5Barg%5D&zone1=ARGS|NAME&id1=1311&var_name1=param%5Barg%5D, client: 10.1.0.6, server: localhost, request: "HEAD /foo?param[arg]=123 HTTP/1.1", host: "localhost"

If I change the basic rules and add |NAME to ARGS, it works as expected.

What am I doing wrong here? Do I need to whitelist for ARGS & ARGS|NAME separately?

wargio commented 2 years ago

BasicRule wl:1310,1311 "mz:ARGS";
BasicRule wl:1310,1311 "mz:ARGS|NAME";
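The reply above works because naxsi logs argument names under the zone `ARGS|NAME`, not `ARGS`, so a whitelist scoped to `ARGS` never reaches a match on the parameter name. The script below is an added example (not part of the issue and not naxsi's own code): it parses the NAXSI_FMT error-log line quoted in the issue into its header fields and per-rule matches, parses `BasicRule wl:... "mz:...";` lines, and reports which logged matches a given set of whitelists still leaves uncovered. The coverage check is a deliberately simplified model of naxsi's matching (an assumption, stated in the code): a whitelist covers a match when the rule id is listed (or `wl:0`) and its `mz:` string is exactly the zone that was logged; it does not model `$ARGS_VAR:` or `$URL:` scoped whitelists. The sample log line and the two rule sets are the ones quoted in this thread.

```python
import re
from urllib.parse import unquote

# Constructed sample: the nginx error-log line quoted in the issue above.
SAMPLE_LOG = (
    "[error] 36#36: *46 NAXSI_FMT: ip=10.1.0.6&server=localhost&uri=/foo"
    "&vers=1.3&total_processed=1&total_blocked=1&config=block"
    "&cscore0=$XSS&score0=8"
    "&zone0=ARGS|NAME&id0=1310&var_name0=param%5Barg%5D"
    "&zone1=ARGS|NAME&id1=1311&var_name1=param%5Barg%5D, "
    'client: 10.1.0.6, server: localhost, '
    'request: "HEAD /foo?param[arg]=123 HTTP/1.1", host: "localhost"'
)

# The reporter's original whitelist and the one suggested in the reply.
ORIGINAL_RULES = [
    'BasicRule wl:1310 "mz:ARGS";',
    'BasicRule wl:1311 "mz:ARGS";',
]
SUGGESTED_RULES = [
    'BasicRule wl:1310,1311 "mz:ARGS";',
    'BasicRule wl:1310,1311 "mz:ARGS|NAME";',
]

# Per-match fields in NAXSI_FMT are numbered: zone0/id0/var_name0, zone1/...
MATCH_KEY = re.compile(r"(zone|id|var_name)(\d+)")


def parse_naxsi_fmt(line):
    """Return (header, matches) from an nginx error-log line carrying NAXSI_FMT.

    header  - dict of the unnumbered fields (ip, uri, config, ...) plus the
              per-CheckRule cscoreN/scoreN pairs, values kept as strings
    matches - list of {"zone", "id", "var_name"} dicts, one per triggered
              rule, with var_name percent-decoded and id as int
    """
    if "NAXSI_FMT:" in line:
        line = line.split("NAXSI_FMT:", 1)[1]
    # nginx appends ", client: ..." after the naxsi payload; drop it.
    line = line.split(", client:", 1)[0].strip()
    header, by_index = {}, {}
    for kv in line.split("&"):
        if "=" not in kv:
            continue
        key, value = kv.split("=", 1)
        m = MATCH_KEY.fullmatch(key)
        if m:
            by_index.setdefault(int(m.group(2)), {})[m.group(1)] = value
        else:
            header[key] = value
    matches = []
    for idx in sorted(by_index):
        rec = by_index[idx]
        matches.append({
            "zone": rec.get("zone", ""),
            "id": int(rec.get("id", "0")),
            "var_name": unquote(rec.get("var_name", "")),
        })
    return header, matches


def parse_basic_rule(rule):
    """Parse 'BasicRule wl:1310,1311 "mz:ARGS";' into (set_of_ids, zone)."""
    ids = re.search(r"wl:([\d,]+)", rule)
    mz = re.search(r'"mz:([^"]+)"', rule)
    if not ids or not mz:
        raise ValueError(f"unsupported BasicRule syntax: {rule!r}")
    return {int(i) for i in ids.group(1).split(",")}, mz.group(1)


def uncovered_matches(log_line, rules):
    """List the (id, zone, var_name) matches that no whitelist in `rules` covers.

    Simplified model (an assumption, not naxsi's own matching code): a
    whitelist covers a match when the rule id is listed (wl:0 meaning every
    id) and its mz: string equals the zone naxsi logged. ARGS and ARGS|NAME
    are therefore distinct zones, which is exactly what the issue shows.
    """
    whitelists = [parse_basic_rule(r) for r in rules]
    _, matches = parse_naxsi_fmt(log_line)
    return [
        (m["id"], m["zone"], m["var_name"])
        for m in matches
        if not any((m["id"] in ids or 0 in ids) and zone == m["zone"]
                   for ids, zone in whitelists)
    ]


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES),
                         ("suggested", SUGGESTED_RULES)):
        print(label, "rules, still blocked by:",
              uncovered_matches(SAMPLE_LOG, rules))
```

Run against the quoted log line, the original two rules leave both 1310 and 1311 uncovered on `ARGS|NAME` for the name `param[arg]`, while the suggested four-entry set leaves nothing uncovered. Feeding real error-log lines through `uncovered_matches` is a quick way to confirm, before reloading nginx, that a proposed whitelist actually addresses the zone naxsi reported rather than a neighbouring one.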
holstvoogd commented 2 years ago

Cool, tnx.