wargio / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Whitelist rule not respected (ARGS_VAR)? #50

Closed Napsty closed 2 years ago

Napsty commented 2 years ago

Probably more a question (once again) and probably not a bug. But I have this whitelist entry, covering multiple rules on a certain URI:

BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|BODY";
BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|BODY|NAME";
BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|ARGS|NAME";

Yet there were still some blocks happening, here's the nx_util output:

# total_count:4 (12.9%), peer_count:1 (50.0%) | sql keywords
BasicRule wl:1000 "mz:$URL:/secure/AssignIssue!default.jspa|$ARGS_VAR:returnurl";

I thought that $ARGS_VAR is covered by ARGS|NAME? Or am I mistaken?

wargio commented 2 years ago

It does, but it is the equivalent of ARGS, not ARGS|NAME: https://github.com/nbs-system/naxsi/wiki/matchzones-bnf#match-zone

Napsty commented 2 years ago

So in this case I need to create an additional rule?

BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|BODY";
BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|BODY|NAME";
BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|ARGS"; <-- new
BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|ARGS|NAME";

I thought the rule would match both, as discussed in https://github.com/wargio/naxsi/issues/44#issuecomment-1304499527 ? Or is it the other way around?

wargio commented 2 years ago

just combine BODY|ARGS and avoid an additional line

wargio commented 2 years ago

Also 1008-1011 is an illegal identifier. https://github.com/nbs-system/naxsi/wiki/whitelists-bnf#whitelisted-id-wl

Napsty commented 2 years ago

> just combine BODY|ARGS and avoid an additional line

will do, thanks again

> Also 1008-1011 is illegal

Thanks for the hint! Config check didn't complain so I assumed this would work. ;-)

wargio commented 2 years ago

I think it took only 1008 as id.

Napsty commented 2 years ago

Using the new "ANY" match zone, could the following snippet:

BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|BODY";
BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|BODY|NAME";
BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|ARGS"; <-- new
BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|ARGS|NAME";

therefore be replaced with:

BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|ANY";

?

wargio commented 2 years ago

Yes, but as said before, 1008-1011 is illegal.
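
The thread notes that the config check accepted `1008-1011` without complaint, so a range in `wl:` can silently whitelist fewer rules than intended. A pre-deployment lint for this, as an added example that is not part of the thread or of the NAXSI project: `lint_whitelist` is a hypothetical helper, and it assumes a legal id is a single integer (optionally negative) and that the range was meant to cover 1008 through 1011 inclusive.

```python
import re

# Matches the id list and quoted match zone of a NAXSI whitelist BasicRule.
RULE_RE = re.compile(r'^\s*BasicRule\s+wl:(?P<ids>[^\s"]+)\s+"mz:(?P<mz>[^"]*)"\s*;')
# Assumption: a legal whitelist id is one integer, optionally negative.
ID_RE = re.compile(r'-?\d+')
RANGE_RE = re.compile(r'(\d+)-(\d+)')  # the "1008-1011" shape from the thread


def lint_whitelist(line):
    """Return (bad_tokens, suggested_line) for one BasicRule line.

    bad_tokens is empty and suggested_line is None when every id is a
    plain integer. Returns None for lines that are not whitelist rules.
    """
    m = RULE_RE.match(line)
    if m is None:
        return None
    bad, fixed = [], []
    for tok in m.group("ids").split(","):
        if ID_RE.fullmatch(tok):
            fixed.append(tok)
            continue
        bad.append(tok)
        r = RANGE_RE.fullmatch(tok)
        if r and int(r.group(1)) <= int(r.group(2)):
            # Spell the range out as individual ids.
            fixed.extend(str(i) for i in range(int(r.group(1)), int(r.group(2)) + 1))
        else:
            fixed.append(tok)  # unknown shape: leave for a human to fix
    if not bad:
        return [], None
    suggestion = 'BasicRule wl:%s "mz:%s";' % (",".join(fixed), m.group("mz"))
    return bad, suggestion


# Rules copied from the thread above.
SAMPLE = [
    'BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|ANY";',
    'BasicRule wl:1000 "mz:$URL:/secure/AssignIssue!default.jspa|$ARGS_VAR:returnurl";',
]

if __name__ == "__main__":
    for rule in SAMPLE:
        bad, suggestion = lint_whitelist(rule)
        if bad:
            print("illegal id token(s):", ", ".join(bad))
            print("  suggested:", suggestion)
```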