wargio / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Testing whitelist rules with ANY match zone #56

Closed Napsty closed 2 years ago

Napsty commented 2 years ago

Thanks for having added the ANY match zone, which can be combined with either mz:$URL: or mz:$URL_X: according to https://github.com/wargio/naxsi/commit/5c933690de0b1325376aa9d57c2624de441ad809#diff-c255b088a4dee2f1282d1dccd609ed178431d1fa74815571342c6be2cde11cbcR196

However I'm having troubles getting this to work.

WL rule:

BasicRule wl:1000 "mz:$URL:/|ANY";

Request:

$ curl "http://192.168.15.187/?id=)union%27select" -I
HTTP/1.1 418 
Server: nginx/1.18.0
Date: Sat, 19 Nov 2022 10:20:33 GMT
Content-Length: 0
Connection: keep-alive

Error log:

2022/11/19 10:20:33 [error] 22103#22103: *25 NAXSI_FMT: ip=192.168.15.20&server=192.168.15.187&uri=/&config=block&rid=b35f05072a781c60fc5356db4b272717&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=id, client: 192.168.15.20, server: _, request: "HEAD /?id=)union%27select HTTP/1.1", host: "192.168.15.187"

If I change the WL rule to the following (using ARGS instead of ANY):

BasicRule wl:1000 "mz:$URL:/|ARGS";

When I launch the same curl request, the id 1000 is not blocked anymore (naxsi now blocks an additional ID 1011).

2022/11/19 10:23:40 [error] 22129#22129: *26 NAXSI_FMT: ip=192.168.15.20&server=192.168.15.187&uri=/&config=block&rid=056a1eb34e5d61c0917d1f869074ef41&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=ARGS&id0=1011&var_name0=id, client: 192.168.15.20, server: _, request: "HEAD /?id=)union%27select HTTP/1.1", host: "192.168.15.187"

When I whitelist both IDs using ARGS as target:

BasicRule wl:1000,1011 "mz:$URL:/|ARGS";

The curl request works:

$ curl "http://192.168.15.187/?id=)union%27select" -I
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sat, 19 Nov 2022 10:25:47 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 21 Sep 2022 13:21:27 GMT
Connection: keep-alive
ETag: "632b0fd7-264"
Accept-Ranges: bytes

But trying the same with ANY target won't work:

BasicRule wl:1000,1011 "mz:$URL:/|ANY";

2022/11/19 10:27:18 [error] 22181#22181: *28 NAXSI_FMT: ip=192.168.15.20&server=192.168.15.187&uri=/&config=block&rid=7176c84b68184d1f8e06bc48cb87c740&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=id, client: 192.168.15.20, server: _, request: "HEAD /?id=)union%27select HTTP/1.1", host: "192.168.15.187"

Can you confirm or is there something else which needs to be done?

wargio commented 2 years ago

I believe this is an issue with the $URL: filter and URL matchzone. You can't have both.

Napsty commented 2 years ago

Do you have an example of how to use the ANY match zone?

wargio commented 2 years ago

Can you test the open PR and check if it fixes the issue?

Napsty commented 2 years ago

Sorry, did not find time to do this yet.

wargio commented 2 years ago

It's ok, I have added a test for this.

Napsty commented 2 years ago

Re-compiled the module with the current version of the main branch. Yes, it's working now!

WL Rule:

BasicRule wl:1000,1011,1013 "mz:$URL:/|ANY";

Request:

$ curl "http://192.168.15.187/?id=)union%27select" -I
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 21 Nov 2022 12:53:23 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 21 Sep 2022 13:21:27 GMT
Connection: keep-alive
ETag: "632b0fd7-264"
Accept-Ranges: bytes

Thanks!
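The whitelist IDs in this thread were read by hand out of the NAXSI_FMT error-log lines (zone0/id0/var_name0). As an added example, not code from NAXSI or from this issue, the script below parses lines in that format and groups the matched rule IDs per (uri, zone) into the exact-URL whitelist form used above; the two log lines embedded in it are copied from the issue, and the generated rule is only a starting point that an operator must still review (for example by narrowing it to $ARGS_VAR:id).

```python
import re

# Sample input, copied from the NAXSI_FMT lines quoted in this issue.
SAMPLE_LOGS = """\
2022/11/19 10:20:33 [error] 22103#22103: *25 NAXSI_FMT: ip=192.168.15.20&server=192.168.15.187&uri=/&config=block&rid=b35f05072a781c60fc5356db4b272717&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=id, client: 192.168.15.20, server: _, request: "HEAD /?id=)union%27select HTTP/1.1", host: "192.168.15.187"
2022/11/19 10:23:40 [error] 22129#22129: *26 NAXSI_FMT: ip=192.168.15.20&server=192.168.15.187&uri=/&config=block&rid=056a1eb34e5d61c0917d1f869074ef41&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=ARGS&id0=1011&var_name0=id, client: 192.168.15.20, server: _, request: "HEAD /?id=)union%27select HTTP/1.1", host: "192.168.15.187"
"""

# The NAXSI_FMT payload is a query-string-like blob that runs up to ", client:".
FMT_RE = re.compile(r"NAXSI_FMT: (?P<q>\S+), client:")


def parse_naxsi_fmt(line):
    """Return one dict per matched rule (uri, zone, id, var), or None if the
    line is not a NAXSI_FMT line. Keys are split without URL-decoding so that
    values such as $SQL and the raw uri are kept exactly as logged."""
    m = FMT_RE.search(line)
    if not m:
        return None
    kv = dict(part.split("=", 1) for part in m.group("q").split("&") if "=" in part)
    uri = kv.get("uri", "")
    events = []
    i = 0
    # Rules matched in one request are numbered zone0/id0, zone1/id1, ...
    while f"id{i}" in kv:
        events.append({
            "uri": uri,
            "zone": kv.get(f"zone{i}", ""),
            "id": int(kv[f"id{i}"]),
            "var": kv.get(f"var_name{i}", ""),
        })
        i += 1
    return events


def suggest_whitelists(lines):
    """Group matched rule IDs per (uri, zone) and emit one BasicRule per group,
    using the mz:$URL:<uri>|<ZONE> form discussed in this issue."""
    groups = {}
    for line in lines:
        for ev in parse_naxsi_fmt(line) or []:
            groups.setdefault((ev["uri"], ev["zone"]), set()).add(ev["id"])
    rules = []
    for (uri, zone), ids in sorted(groups.items()):
        id_list = ",".join(str(rule_id) for rule_id in sorted(ids))
        rules.append(f'BasicRule wl:{id_list} "mz:$URL:{uri}|{zone}";')
    return rules


if __name__ == "__main__":
    for rule in suggest_whitelists(SAMPLE_LOGS.splitlines()):
        print(rule)
```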