wargio / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0
305 stars, 38 forks

The file parameter content has been encoded and there are no https:// fields. Why is it still recorded by the 1101 rule? #113

Open huanxiren0 opened 12 months ago

huanxiren0 commented 12 months ago
2023/09/19 22:21:18 [error] 8183#0: *5105773 NAXSI_FMT: ip=yy.yy.yy.yy&server=localhost&uri=/static/html/pdf/web/viewer.html&vers=1.3&total_processed=17&total_blocked=17&config=learning&cscore0=$XSS&score0=336&cscore1=$RFI&score1=8&zone0=HEADERS&id0=1315&var_name0=cookie&zone1=ARGS&id1=1101&var_name1=file, client: yy.yy.yy.yy, server: localhost, request: "GET /static/html/pdf/web/viewer.html?file=https%3A%2F%2Fzz.domain.com%2Fstatic%2Ffundresfiles%2Fdiscfile%2F012708%2FCN_50870000_012708_FA010080_20230002_012708_20230612_090000_01.pdf HTTP/1.0", host: "localhost:9999", referrer: "http://xx.xx.xx.xx:8080/static/h5/mobile/fundTrade/fundTrade.html"
wargio commented 12 months ago

Can't say, since you are using version 1.3; please upgrade to 1.6, since it fixes many bugs that are affecting UTF-8 with Chinese characters.

I don't know what you have in the cookies, but it seems to trigger rule 1315 a lot. I can't provide more support since the version is obsolete and you only provided one log line.

As advice, I strongly suggest switching to JSON output for logging. Much simpler to read and parse.
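To make the log line from the first comment concrete, here is an added example (my code, not naxsi's) that parses the NAXSI_FMT line into its `&`-joined fields and rule events, then replays the rule-1101 check on the `file` argument both before and after URL decoding. It assumes that naxsi matches `str:` rules against the URL-decoded argument value and that 1101 is the stock `str:https://` / `$RFI:8` rule from naxsi_core.rules (check your own rules file); the small `RULES` table and the helper names are mine. The point it shows is that `https%3A%2F%2F` decodes to `https://` before matching, which is why the encoded value still hits 1101.

```python
"""Added example (not naxsi project code): parse a NAXSI_FMT log line and
replay the rule-1101 string match on the raw vs. URL-decoded `file` arg.

Assumptions: naxsi applies "str:" rules to the URL-decoded argument value;
rule 1101 is the stock "str:https://" rule scoring $RFI:8.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The log line as posted in the issue (IPs were already anonymised by the reporter).
LOG_LINE = (
    '2023/09/19 22:21:18 [error] 8183#0: *5105773 NAXSI_FMT: '
    'ip=yy.yy.yy.yy&server=localhost&uri=/static/html/pdf/web/viewer.html'
    '&vers=1.3&total_processed=17&total_blocked=17&config=learning'
    '&cscore0=$XSS&score0=336&cscore1=$RFI&score1=8'
    '&zone0=HEADERS&id0=1315&var_name0=cookie'
    '&zone1=ARGS&id1=1101&var_name1=file, client: yy.yy.yy.yy, server: localhost, '
    'request: "GET /static/html/pdf/web/viewer.html?file=https%3A%2F%2Fzz.domain.com'
    '%2Fstatic%2Ffundresfiles%2Fdiscfile%2F012708%2FCN_50870000_012708_FA010080_'
    '20230002_012708_20230612_090000_01.pdf HTTP/1.0", host: "localhost:9999", '
    'referrer: "http://xx.xx.xx.xx:8080/static/h5/mobile/fundTrade/fundTrade.html"'
)

# Hypothetical minimal rule table in the shape of a naxsi "str:" rule (assumption:
# stock naxsi_core.rules defines 1101 as str:https:// with score $RFI:8).
RULES = {1101: {"match": "https://", "score": "$RFI", "value": 8}}

LINE_RE = re.compile(
    r'NAXSI_FMT: (?P<fmt>.*?), client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<request>[^"]*)", host: "(?P<host>[^"]*)"'
    r'(?:, referrer: "(?P<referrer>[^"]*)")?'
)


def parse_naxsi_fmt(line):
    """Split a NAXSI_FMT error line into fields, (zone, id, var_name) events and scores."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a NAXSI_FMT line")
    fields = dict(kv.split("=", 1) for kv in m.group("fmt").split("&"))
    events, i = [], 0
    while f"id{i}" in fields:  # zoneN/idN/var_nameN triples, one per rule hit
        events.append({"zone": fields[f"zone{i}"], "id": int(fields[f"id{i}"]),
                       "var_name": fields[f"var_name{i}"]})
        i += 1
    scores, i = {}, 0
    while f"cscore{i}" in fields:  # cscoreN names the counter, scoreN its total
        scores[fields[f"cscore{i}"]] = int(fields[f"score{i}"])
        i += 1
    return {"fields": fields, "events": events, "scores": scores,
            "client": m.group("client"), "server": m.group("server"),
            "request": m.group("request"), "host": m.group("host"),
            "referrer": m.group("referrer")}


def args_raw_and_decoded(request):
    """Return the query args as sent on the wire and after URL decoding."""
    target = request.split(" ")[1]          # 'GET /path?query HTTP/1.0' -> '/path?query'
    query = urlsplit(target).query
    raw = {}
    for kv in query.split("&"):
        if kv:
            k, _, v = kv.partition("=")
            raw.setdefault(k, []).append(v)
    decoded = parse_qs(query, keep_blank_values=True)   # percent-decodes values
    return raw, decoded


def check_rule(rule_id, value):
    """Plain substring match, the semantics of a naxsi 'str:' rule."""
    return RULES[rule_id]["match"] in value


def explain(line):
    """Parse the line and, for each ARGS hit we have a rule for, show the raw and
    decoded value and whether the rule matches each."""
    parsed = parse_naxsi_fmt(line)
    raw, decoded = args_raw_and_decoded(parsed["request"])
    hits = []
    for ev in parsed["events"]:
        if ev["zone"] != "ARGS" or ev["id"] not in RULES:
            continue  # the cookie/1315 hit has no rule in our tiny table
        name = ev["var_name"]
        raw_v, dec_v = raw.get(name, [""])[0], decoded.get(name, [""])[0]
        hits.append({"id": ev["id"], "var_name": name,
                     "raw_value": raw_v, "decoded_value": dec_v,
                     "matches_raw": check_rule(ev["id"], raw_v),
                     "matches_decoded": check_rule(ev["id"], dec_v),
                     "score": (RULES[ev["id"]]["score"], RULES[ev["id"]]["value"])})
    parsed["hits"] = hits
    return parsed


if __name__ == "__main__":
    result = explain(LOG_LINE)
    print("events:", result["events"])
    print("scores:", result["scores"])
    for h in result["hits"]:
        print(f"rule {h['id']} on ARGS:{h['var_name']}: raw match={h['matches_raw']}, "
              f"decoded match={h['matches_decoded']}")
```

Running it prints the two events (1315 on the cookie, 1101 on `file`) and, for `file`, `raw match=False, decoded match=True`: the WAF never sees the literal `https%3A%2F%2F`, only its decoded form. With JSON log output the first step collapses to a `json.loads`, which is what the advice above about switching formats gets you.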

wargio commented 12 months ago

Rules triggered