search

wargio / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0
305 stars 38 forks source link

Bypass specific url specfic rule #67

Closed InvokerFury closed 1 year ago

InvokerFury commented 1 year ago

Hi Sir,

i try to whitelist this error :

2022/12/22 00:18:19 [error] 867012#0: *4083 NAXSI_FMT: ip=139.5.149.90&server=xxxx.com&uri=/community/account/index/comm_id/DEBITCARD1671642332PKMG4&vers=1.4&total_processed=187&total_blocked=2&config=learning&cscore0=$SQL&score0=16&zone0=BODY&id0=1015&var_name0=tx_fee_008_scash_idr&zone1=BODY&id1=1015&var_name1=seller_fee_008_scash_idr&zone2=BODY&id2=1015&var_name2=buyer_fee_008_scash_idr&zone3=BODY&id3=1015&var_name3=mitra_fee_008_scash_idr, client: xx.x.xx.90, server: xxxx.com, request: "POST /community/account/index/comm_id/DEBITCARD1671642332PKMG4 HTTP/1.1", host: "xxxx.com", referrer: "https://xxxx.com/"

and i got this rule : 

BasicRule wl:1000 "mz:$URL:/community/new/index/scheme_id/DEBITCARD1671642332PKMG4|$BODY_VAR:comm_auto_insert_customer|NAME";
# total_count:3 (0.1%), peer_count:1 (100.0%) | sql keywords
BasicRule wl:1000 "mz:$URL:/community/new/index/scheme_id/DEBITCARD1671639507L6ILR|$BODY_VAR:blk_selected_ccy|NAME";

how to allow or bypasss naxsi only for that url sir ? https://xxxx.com/community/new/index/scheme_id/

please advice,

thanks and regards

rickygm commented 1 year ago

try this way:

BasicRule wl:1015 "mz:BODY"; BasicRule wl:1015 "mz:$URL:/|BODY"; BasicRule wl:1015 "mz:$URL:/community/new/index/scheme_id|BODY|NAME";

InvokerFury commented 1 year ago

Hi Sir,

Thanks for your response, really appreciate it, i will try and inform you as soon as possible.

Thanks & Regards

On Thu, Dec 22, 2022, 2:41 AM rickygm @.***> wrote:

try this way:

BasicRule wl:1015 "mz:BODY"; BasicRule wl:1015 "mz:$URL:/|BODY"; BasicRule wl:1015 "mz:$URL:/community/new/index/scheme_id|BODY|NAME";

— Reply to this email directly, view it on GitHub https://github.com/wargio/naxsi/issues/67#issuecomment-1362010367, or unsubscribe https://github.com/notifications/unsubscribe-auth/AF3SB3Y5DYFGCMQCN34AI6DWONMP3ANCNFSM6AAAAAATF32CR4 . You are receiving this because you authored the thread.Message ID: @.***>

InvokerFury commented 1 year ago

Hi Sir,

its worked.. thanks.. really appreciate it.