
naxsi's Introduction

naxsi

What is Naxsi?

NAXSI means Nginx Anti XSS & SQL Injection.

Technically, it is a third party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple (and readable) rules containing 99% of known patterns involved in website vulnerabilities. For example, <, | or drop are not supposed to be part of a URI.

Being very simple, those patterns may match legitimate queries; it is the Naxsi administrator's duty to add specific rules that whitelist legitimate behaviours. The administrator can either add whitelists manually by analyzing nginx's error log, or (recommended) start the project with an intensive auto-learning phase that automatically generates whitelisting rules matching the website's behaviour.

In short, Naxsi behaves like a DROP-by-default firewall; the only task is to add the ACCEPT rules required for the target website to work properly.

Why is it different?

Contrary to most Web Application Firewalls, Naxsi doesn't rely on a signature base like an antivirus, and thus cannot be circumvented by an "unknown" attack pattern. Naxsi is Free software (as in freedom) and free (as in free beer) to use.

What does it run on?

Naxsi should be compatible with any nginx version.

It depends on libpcre for its regexp support, and is reported to work great on NetBSD, FreeBSD, OpenBSD, Debian, Ubuntu and CentOS.

Why use this repository

The original project is officially abandoned (and was archived on 8 Nov 2023), but you can still ask for support here, as I'm willing to keep the project working as the last remaining developer.

Documentation

You can find the main documentation here

Build naxsi

Be sure when you clone the repository to fetch all the submodules.

$ git clone --recurse-submodules https://github.com/wargio/naxsi.git
$ wget --no-clobber -O nginx.tar.gz "https://nginx.org/download/nginx-1.22.0.tar.gz"
$ mkdir nginx-source
$ tar -C nginx-source -xzf nginx.tar.gz --strip-components=1
$ cd nginx-source
$ ./configure  --prefix=/etc/nginx --add-dynamic-module=../naxsi/naxsi_src
$ make

Support

Questions regarding NAXSI can be asked by opening a new issue here

Future plans

  • Bring back nxapi using python3
  • Creation of a simple tool to create rules and test them

naxsi's Issues

Bookworm package and PCRE version

Hello,

The debian package v1.6 for bookworm does not work with the default bookworm nginx package.
I've installed debian-bookworm-libnginx-mod-http-naxsi_1.6_amd64.deb and nginx-full ( nginx v1.22.1).

When starting nginx I get an error: 'dlopen() /usr/share/nginx/modules/ngx_http_naxsi_module.so" failed (/usr/share/nginx/modules/ngx_http_naxsi_module.so: undefined symbol: pcre_exec) in /etc/nginx/modules-enabled/50-mod-http-naxsi.conf:1

It looks like the package is built with the old pcre library and not pcre2; nginx v1.22 is built with pcre2.
The package dependency explicitly states the old pcre lib: https://github.com/wargio/naxsi/blob/f74611640b76a798cdedcc3fa1147b69eaac969f/distros/deb/control.install#L5C1-L5C83

It looks like naxsi supports PCRE2: https://github.com/wargio/naxsi/blob/f74611640b76a798cdedcc3fa1147b69eaac969f/naxsi_src/naxsi_runtime.c#L99C14-L99C14

Shouldn't the bookworm package be compiled with the pcre2 library?

Thanks

how to add this type of rule in whitelist

I have several systems developed with aspx.net and naxsi is blocking me a lot:

NAXSI_FMT: ip=208.96.135.x&server=app.domain.com&uri=/Solicitud/Solicitar.aspx&config=block&rid=38507c49cfc158851449c822ac16226b&cscore0=$UPLOAD&score0=8&zone0=FILE_EXT&id0=1501&var_name0=ctl00%24ContentPlaceHolder1%24FileUpload

2023/09/18 12:16:07 [error] 77012#77012: NAXSI_FMT: ip=104.28.145.x&server=app2.domain.com&uri=/Empresa/11Documentos.aspx&config=block&rid=0fea665b14581102c716b66028155b29&cscore0=$UPLOAD&score0=8&zone0=FILE_EXT&id0=1501&var_name0=ctl00%24ContentPlaceHolder1%24FileUpload

For example, I could add them like this, but I'm not sure it works at all, and I may have to add other URLs again.

BasicRule wl:1501 "mz:$URL:/Solicitud/Solicitar.aspx|FILE_EXT";
BasicRule wl:1501 "mz:$URL:/SiGAT/Planes.aspx|FILE_EXT";
BasicRule wl:1501 "mz:$URL:/Solicitudes/wfSolicitud.aspx|FILE_EXT";
BasicRule wl:1501 "mz:$URL:/Empresa/11Documentos.aspx|FILE_EXT";

Any idea?
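The NAXSI_FMT lines in this issue (and the manual whitelisting from nginx's error log that the README describes under "What is Naxsi?") can be turned into candidate rules mechanically. The following Python script is an added example, not naxsi's own nx_util or nxtool: it parses the NAXSI_FMT payload of each error-log line into its zone/id/var_name triples and emits one BasicRule whitelist per match zone, using the mz: syntax quoted in the issues; the sample log lines, addresses and hostnames are constructed.

```python
"""Parse NAXSI_FMT error-log lines and suggest the whitelist they would need.

Added example for this page; it is not naxsi's own nx_util/nxtool code.
The emitted BasicRule syntax mirrors the whitelists quoted in the issues
($URL:, $ARGS_VAR:, $BODY_VAR:, $HEADERS_VAR:, bare zones such as FILE_EXT).
"""
import re
from urllib.parse import parse_qs

# Constructed sample lines in NAXSI_FMT layout (documentation addresses and hosts).
SAMPLE_LOG = """\
2023/09/18 12:16:07 [error] 77012#77012: NAXSI_FMT: ip=203.0.113.5&server=app.example.com&uri=/Solicitud/Solicitar.aspx&config=block&cscore0=$UPLOAD&score0=8&zone0=FILE_EXT&id0=1501&var_name0=ctl00%24ContentPlaceHolder1%24FileUpload
2022/11/05 15:22:06 [error] 23853#23853: *1364 NAXSI_FMT: ip=192.0.2.10&server=app.example.com&uri=/rest/gadgets/1.0/g/messagebundle&config=block&cscore0=$SQL&score0=8&zone0=URL&id0=1000&var_name0=, client: 192.0.2.10, server: app.example.com
2022/12/22 00:18:19 [error] 867012#0: *4083 NAXSI_FMT: ip=198.51.100.7&server=shop.example.com&uri=/community/account/index&config=learning&cscore0=$SQL&score0=24&zone0=BODY&id0=1015&var_name0=tx_fee&zone1=BODY&id1=1015&var_name1=seller_fee&zone2=ARGS&id2=1000&var_name2=returnurl&zone3=BODY&id3=1000&var_name3=tx_fee, client: 198.51.100.7
"""

# The payload runs from "NAXSI_FMT: " to the ", client:" suffix nginx appends (or end of line).
_FMT = re.compile(r"NAXSI_FMT: (?P<kv>.*?)(?:, client:|$)")
_EVENT = re.compile(r"^(zone|id|var_name)(\d+)$")
# Zones for which naxsi has a per-variable match-zone form ($ZONE_VAR:name).
_NAMED_ZONES = {"ARGS", "BODY", "HEADERS"}


def parse_naxsi_fmt(line):
    """Return request fields plus a list of (zone, id, var_name) matches,
    or None when the line carries no NAXSI_FMT payload."""
    m = _FMT.search(line)
    if not m:
        return None
    # parse_qs also percent-decodes values, e.g. %24 -> "$" in ASP.NET control names.
    kv = {k: v[0] for k, v in parse_qs(m.group("kv"), keep_blank_values=True).items()}
    events = {}
    for key, value in kv.items():
        em = _EVENT.match(key)
        if em:  # zone0 / id0 / var_name0 ... grouped by their trailing index
            events.setdefault(int(em.group(2)), {})[em.group(1)] = value
    matches = [(e.get("zone", ""), e.get("id", ""), e.get("var_name", ""))
               for _, e in sorted(events.items())]
    return {"ip": kv.get("ip", ""), "server": kv.get("server", ""),
            "uri": kv.get("uri", ""), "config": kv.get("config", ""),
            "matches": matches}


def match_zone(uri, zone, var_name):
    """Build the mz: part: a named variable where naxsi has a *_VAR form, else the bare zone."""
    if zone in _NAMED_ZONES and var_name:
        return "mz:$URL:%s|$%s_VAR:%s" % (uri, zone, var_name)
    return "mz:$URL:%s|%s" % (uri, zone)


def whitelist_rules(record):
    """Group the rule ids that fired on the same match zone into one BasicRule each."""
    by_mz = {}
    for zone, rule_id, var_name in record["matches"]:
        if rule_id.isdigit():
            by_mz.setdefault(match_zone(record["uri"], zone, var_name), set()).add(int(rule_id))
    return ['BasicRule wl:%s "%s";' % (",".join(str(i) for i in sorted(ids)), mz)
            for mz, ids in sorted(by_mz.items())]


def suggest_from_log(text):
    """Parse every NAXSI_FMT line in text and return the de-duplicated rule list."""
    rules = []
    for line in text.splitlines():
        record = parse_naxsi_fmt(line)
        if record:
            for rule in whitelist_rules(record):
                if rule not in rules:
                    rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in suggest_from_log(SAMPLE_LOG):
        print(rule)
```

Treat the output as candidates to review, not rules to deploy: a bare-zone entry such as |FILE_EXT or |URL disables that id for every variable of the zone on that URI, and a line logged with config=learning may record a genuine attack rather than a false positive.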

Bypass specific URL specific rule

Hi Sir,

I'm trying to whitelist this error:

2022/12/22 00:18:19 [error] 867012#0: *4083 NAXSI_FMT: ip=139.5.149.90&server=xxxx.com&uri=/community/account/index/comm_id/DEBITCARD1671642332PKMG4&vers=1.4&total_processed=187&total_blocked=2&config=learning&cscore0=$SQL&score0=16&zone0=BODY&id0=1015&var_name0=tx_fee_008_scash_idr&zone1=BODY&id1=1015&var_name1=seller_fee_008_scash_idr&zone2=BODY&id2=1015&var_name2=buyer_fee_008_scash_idr&zone3=BODY&id3=1015&var_name3=mitra_fee_008_scash_idr, client: xx.x.xx.90, server: xxxx.com, request: "POST /community/account/index/comm_id/DEBITCARD1671642332PKMG4 HTTP/1.1", host: "xxxx.com", referrer: "https://xxxx.com/"

and I got this rule:

BasicRule wl:1000 "mz:$URL:/community/new/index/scheme_id/DEBITCARD1671642332PKMG4|$BODY_VAR:comm_auto_insert_customer|NAME";
# total_count:3 (0.1%), peer_count:1 (100.0%) | sql keywords
BasicRule wl:1000 "mz:$URL:/community/new/index/scheme_id/DEBITCARD1671639507L6ILR|$BODY_VAR:blk_selected_ccy|NAME";

How do I allow or bypass naxsi only for that URL, sir?
https://xxxx.com/community/new/index/scheme_id/

Please advise.

thanks and regards

cc1: warnings being treated as errors

cc1: warnings being treated as errors
/opt/nginx_inst/naxsi-1.4/naxsi_src/naxsi_runtime.c: In function ‘ngx_http_naxsi_is_rule_whitelisted_n’:
/opt/nginx_inst/naxsi-1.4/naxsi_src/naxsi_runtime.c:798: warning: missing initializer
/opt/nginx_inst/naxsi-1.4/naxsi_src/naxsi_runtime.c:798: warning: (near initialization for ‘tmp_hashname.data’)
make[1]: *** [objs/addon/naxsi_src/naxsi_runtime.o] Error 1

Tag a release

Hi,

Same question as here.
If this is the better-maintained fork, please tag a release version to reflect the changes. The last release tag was 2 years ago.

Testing whitelist rules with ANY match zone

Thanks for having added the ANY match zone, which can be combined with either mz:$URL: or mz:$URL_X: according to 5c93369#diff-c255b088a4dee2f1282d1dccd609ed178431d1fa74815571342c6be2cde11cbcR196

However, I'm having trouble getting this to work.

WL rule:

BasicRule wl:1000 "mz:$URL:/|ANY";

Request:

$ curl "http://192.168.15.187/?id=)union%27select" -I
HTTP/1.1 418 
Server: nginx/1.18.0
Date: Sat, 19 Nov 2022 10:20:33 GMT
Content-Length: 0
Connection: keep-alive

Error log:

2022/11/19 10:20:33 [error] 22103#22103: *25 NAXSI_FMT: ip=192.168.15.20&server=192.168.15.187&uri=/&config=block&rid=b35f05072a781c60fc5356db4b272717&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=id, client: 192.168.15.20, server: _, request: "HEAD /?id=)union%27select HTTP/1.1", host: "192.168.15.187"

If I change the WL rule to the following (using ARGS instead of ANY):

BasicRule wl:1000 "mz:$URL:/|ARGS";

When I launch the same curl request, the id 1000 is not blocked anymore (naxsi now blocks an additional ID 1011).

2022/11/19 10:23:40 [error] 22129#22129: *26 NAXSI_FMT: ip=192.168.15.20&server=192.168.15.187&uri=/&config=block&rid=056a1eb34e5d61c0917d1f869074ef41&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=ARGS&id0=1011&var_name0=id, client: 192.168.15.20, server: _, request: "HEAD /?id=)union%27select HTTP/1.1", host: "192.168.15.187"

When I whitelist both IDs using ARGS as target:

BasicRule wl:1000,1011 "mz:$URL:/|ARGS";

The curl request works:

$ curl "http://192.168.15.187/?id=)union%27select" -I
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sat, 19 Nov 2022 10:25:47 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 21 Sep 2022 13:21:27 GMT
Connection: keep-alive
ETag: "632b0fd7-264"
Accept-Ranges: bytes

But trying the same with ANY target won't work:

BasicRule wl:1000,1011 "mz:$URL:/|ANY";

2022/11/19 10:27:18 [error] 22181#22181: *28 NAXSI_FMT: ip=192.168.15.20&server=192.168.15.187&uri=/&config=block&rid=7176c84b68184d1f8e06bc48cb87c740&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=id, client: 192.168.15.20, server: _, request: "HEAD /?id=)union%27select HTTP/1.1", host: "192.168.15.187"

Can you confirm or is there something else which needs to be done?

configure error : Cannot find 'libinjection' submodule

Details

  • NGINX version: 1.24
  • NAXSI version: 1.6
  • Operating System: ubuntu 22

Nginx Logs


 + ngx_http_lua_module was configured
adding module in ../ngx_devel_kit-master
 + ngx_devel_kit was configured
configuring additional dynamic modules
adding module in ../naxsi-1.6/naxsi_src
./configure: 27: ../naxsi-1.6/naxsi_src/config: pkg-config: not found
./configure: 28: ../naxsi-1.6/naxsi_src/config: pkg-config: not found
Cannot find 'libinjection' submodule.


Regex Patterns Not Matching Expected Inputs in NAXSI

Issue Description:
I have been experiencing issues with certain regex patterns not matching expected inputs when used within NAXSI rules. Despite the regex patterns functioning correctly in standard PCRE testing environments (e.g., regex101.com), these patterns do not seem to work when deployed in the NAXSI environment. This discrepancy occurs even with simplified and confirmed regex expressions.

Details:
Here are some examples of regex patterns that are not matching as expected:

Pattern for Matching Windows Drive Paths:
Regex: (?i)([c-h])(\:|%3a)(\\|\/|%2f|%5c)+
Expected to match: C://, D:\, etc.
Issue: Fails to match multiple slashes following the colon, even with simplified forms.

General Observations:

  • Regex patterns including URL-encoded characters and multiple slashes/backslashes seem particularly prone to failing.
  • Adjustments to simplify the regex or explicitly handle multiple characters do not resolve the issue.

Steps to Reproduce:

  1. Implement the following main rule in NAXSI:
MainRule "rx:(?i)([c-h])(:|%3a)(\|/|%2f|%5c)+" "msg:Windows drive path detected" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TEST:8" id:3000;
  2. Send requests with URLs containing C://, D:\, etc.

Expected Behavior:
The regex should match any valid Windows drive path format, including paths with multiple slashes or URL-encoded slashes/backslashes.

Actual Behavior:
The regex fails to trigger on inputs that include multiple slashes or certain encoded forms, despite these being valid as per PCRE standards and confirmed via external regex testing tools.

Additional Information:
For contrast, the following regex patterns exhibit different behaviors:

  • (?i)(\\|\/|%2f|%5c)+(etc)+\b(\\|\/|%2f|%5c)+\b(passwd|shadow|issue|group|hosts|motd) matches in regex101.com but does not match in NAXSI.
  • (?i)(\\/|%2f|%5c)+etc(\\/|%2f|%5c)+(passwd|shadow|issue|group|hosts|motd) does not match in regex101.com but successfully matches in NAXSI.

This inconsistency suggests there might be specific handling differences of regex components or patterns within NAXSI compared to standard PCRE environments.

Request:
I would appreciate any guidance on why these regex patterns might not be functioning as expected within NAXSI, or if there are specific considerations or limitations within NAXSI’s regex engine that I might be missing. Suggestions for adjustments or confirmations on potential bugs would also be highly valued.

Installation for Openresty via OPM

I'm looking to install this module for openresty. I was curious if this project will ever build for the openresty package manager opm.

I see the archived version of naxsi is listed in a list of opm packages here: https://github.com/bungle/awesome-resty#third-party-nginx-modules

but I can't find any installation candidates today

$ opm search naxsi
ERROR: failed to search on server: status 404: no search result found.

This would be useful to me since I'm trying to install on top of the docker-openresty "bullseye" version which uses their .deb installation instead of compiling at build time.

https://github.com/openresty/docker-openresty/blob/master/bullseye/Dockerfile

This means I don't have a hook as far as I can tell to download the tar file from the releases page and add it as a compilation flag.

If this project was built for OPM then I would be able to do something more like their example here: https://github.com/openresty/docker-openresty/blob/master/buster/Dockerfile.opm_example

HTML request body checks with a blacklist/whitelist

This is an idea for a possible feature that can be added to NAXSI. When a request body contains HTML, currently it is possible to check it with regexes using rx rules or check it for XSS with Libinjection. The latter will tokenize HTML and will apply the heuristics and tags/attributes blacklists. This Libinjection XSS check appeared to be a bit too coarse: the blacklists of tags and attributes are hardcoded and the heuristics are quite basic.

The idea is to allow specifying the blacklist/whitelist for tags and attributes in the Nginx config file, then to use HTML5 tokenization to iterate over the tags/attributes, apply the configured blacklist/whitelist to them and record the results into a $LIBINJECTION_HTML5 variable (analogous to the $LIBINJECTION_XSS one):

    h5_state_t h5;
    libinjection_h5_init(&h5, s, len, (enum html5_flags) flags);
    while (libinjection_h5_next(&h5)) {
        if (h5.token_type == TAG_NAME_OPEN) {
            if (is_black_tag(h5.token_start, h5.token_len)) {
                // increment $LIBINJECTION_HTML5 here;
            }
        } else if (h5.token_type == ATTR_NAME) {
        [...]

When h5.token_type is DATA_TEXT, it can contain unparsed HTML passed inside the outer XML, example:

    <?xml version="1.0" encoding="UTF-8"?>
    <items>
      <item>
        <description>
          <![CDATA[Foo Bar Description<div id="a"><p><iframe src="javascript&#58;alert('Hello XSS')">]]>
        </description>
        <id><![CDATA[944ba0f3-bd5d-4b11-8cb9-31c4f3691bed]]></id>
      </item>
    </items>

In this case the whole string Foo Bar Description<div id="a"><p><iframe src="javascript&#58;alert('Hello XSS')"> is treated as a DATA_TEXT token. The idea is to check such tokens for < symbol and to apply the HTML tokenization and filtering to them recursively while < symbol is there.

Such feature should be relatively straightforward to implement and may be useful for more fine tuned XSS detection.

Note, my employer does not have the dev budget for this task (if they would have had any budget - they would just have used some managed cloud WAF instead of Naxsi), so if I proceed with the implementation it can take a few weeks. Though, if implemented, such feature will be used in production, currently the subpar version of the above logic is implemented inside the target web app.

CLOSE_WAIT not released

After enabling the naxsi module, in certain cases, the communication IP remains in CLOSE_WAIT state without being released. This issue occurs in the new version of nginx, and it is suspected to be a compatibility problem.

netstat -tunp|grep nginx|grep CLOSE_WAIT|wc -l
40108

Configuration File nginx.conf test failed

Hello,

I'm getting an error previously seen under: nbs-system/naxsi#593

I managed to get naxsi running on nginx 1.21.4 fine (pre pcre2) as I couldn't get it to work on any newer version of nginx. I noticed under nbs-system/naxsi#618 that some merges have been reuploaded, however I can't get this to work on nginx 1.23.1. Just to confirm, naxsi_core.rules is included within the http context, and naxsi_rules is under location in nginx.conf.

Compiled Nginx from source with Naxsi bundled in (error message occurs when starting nginx) and logs aren't providing any more detail.

Incorrect line MainRule rx (regex)

Hi, I’m encountering an error when I try to start Nginx. The error message indicates that there’s an incorrect line in naxsi_core.rules. Could this be a compatibility issue?

Here’s the error message I’m seeing:

nginx: [emerg] Naxsi-Config : Incorrect line MainRule rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile (/etc/naxsi/naxsi_src//naxsi_skeleton.c/973)... in /etc/nginx/naxsi_core.rules:23

I’m currently using Nginx version 1.22.1.

Question about Docker

Hi
Currently running SWAG and implemented with naxsi but using https://github.com/nbs-system/naxsi
and wanted to use your version as it seems that you're updating constantly,
and my second question is that once I activate crowdsec it seems that NAXSI stops working, which I don't understand.

  1. this is my docker file
FROM lscr.io/linuxserver/swag:latest
RUN apk add --upgrade nginx-mod-http-naxsi
RUN apk add vim
RUN apk add --no-cache python2
ADD ./nxutil/ /opt/nxutil/
RUN cd /opt/nxutil/ && python setup.py install

and this is my docker compose

version: "2.1"
services:
  swag:
    build: .
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/Bogota
      - URL=domain.co
      - SUBDOMAINS=admin
      - VALIDATION=http
      - MAXMINDDB_LICENSE_KEY=Wde5xxxxx
      - DOCKER_MODS=linuxserver/mods:swag-maxmind|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-crowdsec
      - CROWDSEC_API_KEY=70f1xxxx
      - CROWDSEC_LAPI_URL=http://192.168.160.6:8080
      - ONLY_SUBDOMAINS=true
    networks:
      -  lsio
    volumes:
      - /swag:/config
    ports:
      - 443:443
      - 80:80
      - 81:81
    restart: unless-stopped

  crowdsec:
     container_name: crowdsec
     image: crowdsecurity/crowdsec:latest
     restart: unless-stopped
     depends_on:
       - swag
     networks:
       -  lsio
     environment:
       - COLLECTIONS=crowdsecurity/nginx
       - GID=1000
     volumes:
       -  /swag/log/nginx:/var/log/nginx
       - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
       - ./crowdsec/crowdsec-db:/var/lib/crowdsec/data/
       - ./crowdsec/crowdsec-config:/etc/crowdsec/
     security_opt:
      - no-new-privileges=true

networks:
  lsio:
   name: lsio

Before, when I ran domain.co/q?="><script>alert(1)</script>

I got the alert, but after installing crowdsec it does not show any alerts.

Thank you

Wrong Port

Good afternoon,

I set up NAXSI on port 80 and a vulnerable web application on port 3000 (Reverse proxy). Whenever I try an sql injection on port 80 it is being blocked successfully, however when done on port 3000, it is not. Which configuration needs to be changed please in order for it to work on either 2 ports simultaneously or only port 3000.

libinjection.pc package not found

configuring additional dynamic modules
adding module in ../naxsi_src/
Package libinjection was not found in the pkg-config search path.
Perhaps you should add the directory containing libinjection.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libinjection' found
Package libinjection was not found in the pkg-config search path.
Perhaps you should add the directory containing libinjection.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libinjection' found
Using submodule libinjection

IgnoreCIDR not working?

In the Naxsi config I added an IgnoreCIDR "192.168.0.0/16", but requests from within that range are blocked:

2022/11/05 15:22:06 [error] 23853#23853: *1364 NAXSI_FMT: ip=192.168.12.126&server=app.example.com&uri=/rest/gadgets/1.0/g/messagebundle/en_UK/gadget.common,gadget.issuetable,gadget.assignedtome,gadget.issuetable.common&vers=1.4&total_processed=584&total_blocked=20&config=ignore&cscore0=$SQL&score0=8&zone0=URL&id0=1000&var_name0=, client: 192.168.12.126, server: app.example.com, request: "GET /rest/gadgets/1.0/g/messagebundle/en_UK/gadget.common%2Cgadget.issuetable%2Cgadget.assignedtome%2Cgadget.issuetable.common HTTP/1.0", host: "app.example.com"

This seems to only happen since I rebuilt the naxsi module from this repo. With the 1.3 release from nbs I haven't seen any blocks on the range defined in IgnoreCIDR. Can you confirm?

[Testbug] Body read failed failure on Linux

After python tests conversion there is an intermittent failure observed on Linux:

======================================================================
ERROR: test_26 (test_00naxsi_base.naxsi_base)
TEST 26: Testing MULTIPART POSTs (BAD CONTENT LEN)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/runner/work/naxsi/naxsi/unit-tests/python/test_00naxsi_base.py", line 804, in test_26
    ec = nr.request(
  File "/home/runner/work/naxsi/naxsi/unit-tests/python/_test_utils.py", line 289, in request
    status, _, body = send_request(self.port, url, method, headers, data)
  File "/home/runner/work/naxsi/naxsi/unit-tests/python/_test_utils.py", line 210, in send_request
    return send_raw_request(port, req_bytes)
  File "/home/runner/work/naxsi/naxsi/unit-tests/python/_test_utils.py", line 218, in send_raw_request
    status, headers, body = read_response(sock)
  File "/home/runner/work/naxsi/naxsi/unit-tests/python/_test_utils.py", line 186, in read_response
    raise NaxsiTestException("Body read failed, read: [{}]".format(buf[:write_pos]))
_test_utils.NaxsiTestException: Body read failed, read: [bytearray(b'HTTP/1.1 412 Precondition Failed\r\nServer: nginx/1.16.1\r\nDate: Wed, 02 Nov 2022 20:54:57 GMT\r\nContent-Type: text/html\r\nContent-Length: 173\r\nConnection: keep-alive\r\n\r\n<html>\r\n<head><title>412 Precondition Failed</title></head>\r\n<body>\r\n<center><h1>412 Precondition Failed</h1></center>\r\n<hr><center>nginx/1.16.1</center>\r\n</body>\r\n</html>\r\nHTTP/1.1 400 Bad Request\r\nServer: nginx/1.16.1\r\nDate: Wed, 02 Nov 2022 20:54:57 GMT\r\nContent-Type: text/html\r\nContent-Length: 157\r\nConnection: close\r\n\r\n<html>\r\n<head><title>400 Bad Request</title></head>\r\n<body>\r\n<center><h1>400 Bad Request</h1></center>\r\n<hr><center>nginx/1.16.1</center>\r\n</body>\r\n</html>\r\n')]

----------------------------------------------------------------------

I've never seen it in local Linux runs, but apparently it happens sometimes on CI. Root cause is currently not clear (possibly off-by-1 error in body read code in test HTTP client), intend to investigate it to have clean test runs. The problem is highly unlikely to be related to any real problem with Naxsi/Nginx.

Doesn't compile

I got https://github.com/libinjection/libinjection/tree/51f3a96e9fcc90a6112f52ac96fd4661e7ab0a44 but it doesn't work...

this is part of log.

    -o objs/addon/libinjection_ngxbuild/libinjection_sqli.o \
    /home/ubuntu/naxsi-1.4/naxsi_src/libinjection_ngxbuild/libinjection_sqli.c

/home/ubuntu/naxsi-1.4/naxsi_src/libinjection_ngxbuild/libinjection_sqli.c: In function ‘libinjection_version’:
/home/ubuntu/naxsi-1.4/naxsi_src/libinjection_ngxbuild/libinjection_sqli.c:1214:12: error: ‘LIBINJECTION_VERSION’ undeclared (first use in this function); did you mean ‘LIBINJECTION_SQLI_H’?
1214 | return LIBINJECTION_VERSION;
| ^~~~~~~~~~~~~~~~~~~~
| LIBINJECTION_SQLI_H
/home/ubuntu/naxsi-1.4/naxsi_src/libinjection_ngxbuild/libinjection_sqli.c:1214:12: note: each undeclared identifier is reported only once for each function it appears in
/home/ubuntu/naxsi-1.4/naxsi_src/libinjection_ngxbuild/libinjection_sqli.c:1215:1: error: control reaches end of non-void function [-Werror=return-type]
1215 | }
| ^

Missing documentation file

whitelist-examples.md mentions zoom-fileext.md: [FILE_EXT](zoom-fileext)

But neither zoom-fileext.md nor fileext.md exists.

nxtool doesn't work correctly on Centos 7.9.2009

Hi @wargio

Naxsi works correctly on my machine and I want to follow the next step for the use of nxtool.
I have successfully installed elasticsearch and kibana on my machine.

I was trying to run command
./nxtool.py -x --colors -c nxapi.json

But I have below error

Traceback (most recent call last):
  File "./nxtool.py", line 20, in <module>
    import elasticsearch
ImportError: No module named elasticsearch

So I installed elasticsearch module using below command.
pip3 install elasticsearch

It seems to install the module successfully, but the same error still occurs.
So I referred to the link resolve python module elastic

Then use the below command:
export PYTHONPATH=/usr/local/lib/python3.6/site-packages

But the error below occurs, and I stopped there.

[root@nxapi]# ./nxtool.py -c nxapi.json --files=/var/log/nxtool.log
Traceback (most recent call last):
  File "./nxtool.py", line 20, in <module>
    import elasticsearch
  File "/usr/local/lib/python3.6/site-packages/elasticsearch/__init__.py", line 24, in <module>
    from elastic_transport import __version__ as _elastic_transport_version
  File "/usr/local/lib/python3.6/site-packages/elastic_transport/__init__.py", line 106
    def debug_logging() -> None:
                        ^
SyntaxError: invalid syntax

Can you please help me?

unknown directive "MainRule" in /etc/nginx/naxsi_core.rules:22

Hi,
I just did a fresh install of Nginx with naxsi in a docker container image based on Debian. I'm able to build the image but as soon as I run the container it exits with the message nginx: [emerg] unknown directive "MainRule" in /etc/nginx/naxsi_core.rules:22. The version of Nginx that I'm using is 1.23.2 and using the current master branch for the naxsi.

separate log

Hi wargio, sorry to open a thread about this, but I see an addition in the github about separating the naxsi logs. Do you have any example of how to do it inside the naxsi/nginx settings?

Whitelist an ID on URL with wildcard (regex)

Hello, appreciate that you are continuing naxsi in this fork.
I'm currently using Naxsi WAF built from the master branch from https://github.com/nbs-system/naxsi (cloned September 21st).

I wanted to whitelist the rule 1000 on all URLs starting with /rest, however I still see blocked requests.

Whitelist rule:

BasicRule wl:1000 "mz:$URL_X:^/rest/.*$|URL"; # allow sql keywords on /rest

Block example:

2022/11/04 13:42:44 [error] 1757#1757: *1615318 NAXSI_FMT: ip=xx.xx.xx.xx&server=app.example.com&uri=/rest/webResources/1.0/resources&vers=1.3&total_processed=2872&total_blocked=308&config=block&cscore0=$SQL&score0=8&zone0=BODY&id0=1000&var_name0=xr&zone1=BODY&id1=1000&var_name1=xr, client: xx.xx.xx.xx, server: app.example.com, request: "POST /rest/webResources/1.0/resources HTTP/1.0", host: "app.example.com", referrer: "https://app.example.com/projects/GEN/summary/statistics"

Am I doing something wrong?

Json support

Hi wargio, just a clarification, is this json support that you added to be able to extract the log in this format? Do you have any example of how it would appear in the log?.

regards...

Question about using the repo in a docker environment?

Hi
I was wondering how I could use your repo in my docker file?

Currently I have this in my docker file, which uses the old naxsi:

FROM lscr.io/linuxserver/swag:latest
RUN apk update
RUN apk add --upgrade nginx-mod-http-naxsi

Thank you

Naxsi module version mismatch with NGINX version

What is the highest version of NGINX that naxsi-1.3 can support? I tried to install naxsi on NGINX-1.22 and it reported a version error.
The error is as follows:
[emerg] 10#10: module "/usr/share/nginx/modules/ngx_http_naxsi_module.so" version 1018000 instead of 1022001 in /etc/nginx/modules-enabled/50-mod-http-naxsi.conf:1

Bundle libinjection to release tarball

There is somewhat of an issue with the .tar.gz in releases in that it requires downloading libinjection manually.
I understand the convenience of using git submodules during development, but it is a big inconvenience to the end users.

Question for testing about Thesis

Good afternoon, I hope you are well. I am a final year student currently studying for my Bachelor's degree in Computing and Business and for my thesis I was aiming to create and use a virtual testing environment using Oracle VirtualBox to be able to host various web applications extracted from OWASP Juice shop. The locally hosted testing environment will be made available on the internet and be given a domain from GoDaddy. Furthermore, the testing environment will be exposed to several predefined attacks using Kali Linux, which include but are not limited to SQL Injection, DoS attacks and broken authentication. These attacks will be launched against three different web application firewalls, Cloudflare, Azure WAF and NAXSI. Hence, in total there will be 3 domains which will be public, one for each. Kindly note that the virtual machines will be hosted locally on my laptop. Would this be allowed please since it is for educational purposes and hosted locally?

Allow matchzone to be ANY

    It would be cool if you could add such a feature. Some paths might be exposed to public where security is more important while some paths are behind authentication or other access restrictions and might require less protection.

Originally posted by @Napsty in #44 (comment)

[Windows] IgnoreCIDR test failure

There is an intermittent test failure, that happens in about 1 in 10 test runs and can be reproduced only on Windows:

======================================================================
FAIL: test_1_5 (test_34ignorecidr.ignorecidr)
TEST 1.5: Verify IgnoreCIDR x.x.x.x./32 is converted to IgnoreIP
----------------------------------------------------------------------
Traceback (most recent call last):
  File "D:\a\naxsi\naxsi\unit-tests\python\test_34ignorecidr.py", line 196, in test_1_5
    self.assertEqual(ec, 200)
AssertionError: 412 != 200

----------------------------------------------------------------------

It may or may not be related to a real Windows-specific problem in IP conversion area, I intend to investigate it.

Whitelist rule not respected (ARGS_VAR)?

Probably more a question (once again) and probably not a bug. But I have this whitelist entry, covering multiple rules on a certain URI:

BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|BODY";
BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|BODY|NAME";
BasicRule wl:1000,1008-1011,1200,1205 "mz:$URL:/secure/AssignIssue!default.jspa|ARGS|NAME";

Yet there were still some blocks happening, here's the nx_util output:

# total_count:4 (12.9%), peer_count:1 (50.0%) | sql keywords
BasicRule wl:1000 "mz:$URL:/secure/AssignIssue!default.jspa|$ARGS_VAR:returnurl";

I thought that $ARGS_VAR is covered by ARGS|NAME? Or am I mistaken?

binary compatible error

I still get the error:
[emerg] module "/usr/local/src/nginx-source/objs/ngx_http_naxsi_module.so" version 1022000 instead of 1018000 in /etc/nginx/nginx.conf:5
I think it's because I'm using nginx 1.18 and naxsi for nginx 1.22 from this command
wget --no-clobber -O nginx.tar.gz "https://nginx.org/download/nginx-1.22.0.tar.gz"

and then I tried this command for installing the 1.18 nginx version
wget --no-clobber -O nginx.tar.gz "https://nginx.org/download/nginx-1.18.0.tar.gz"
but I still get this error:
[emerg] 10300#10300: module "/usr/local/src/nginx-source/objs/ngx_http_naxsi_module.so" is not binary compatible in /etc/nginx/nginx.conf:5

Can you help me?

[ppa:ondrej/nginx-mainline] nginx: configuration file /etc/nginx/nginx.conf test failed

Hello,

I'm using ppa:ondrej/nginx-mainline with version nginx/1.23.1. When I load the module ngx_http_naxsi_module.so in nginx.conf, I get the error below:

nginx: [emerg] dlopen() "/usr/share/nginx/modules/ngx_http_naxsi_module.so" failed (/usr/share/nginx/modules/ngx_http_naxsi_module.so: undefined symbol: pcre2_get_ovector_count_8) in /etc/nginx/nginx.conf:10
nginx: configuration file /etc/nginx/nginx.conf test failed

OS: Ubuntu 22.04
Nginx: nginx/1.23.1
Naxsi: wargio/naxsi on branch master

Can I know what exactly is wrong?

Thanks

UPDATE
I built the module with nginx from apt source nginx instead of downloading it from the nginx homepage.
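The two module-loading failures above, the version mismatch (`version 1022000 instead of 1018000`) and the unresolved `pcre2_get_ovector_count_8`, can both be caught before `nginx -t`. The script below is an added example written for this page, not naxsi or nginx code. It relies on two facts: nginx encodes its version as major*1000000 + minor*1000 + patch, so 1022000 is 1.22.0 and 1018000 is 1.18.0 (exactly the mismatch in the first report); and dlopen() fails on the first symbol a module imports that neither the nginx binary nor the shared libraries it links export, which is what happens when a module built in a source tree configured with PCRE2 is loaded by a distribution binary linked against the older libpcre. It assumes Linux with GNU binutils (`nm`), `ldd` and `mktemp`; the function names (`module_unresolved_symbols`, `check_nginx_module`) are its own. The message `is not binary compatible` is a separate check, nginx's module signature: the module has to be built from the same nginx version with the same set of compile-time options as the running binary, either by reusing the `configure arguments:` line printed by `nginx -V` or by passing `--with-compat` to both builds.

```shell
#!/bin/sh
# Added example, not part of naxsi or nginx: pre-flight checks for a
# dynamic nginx module before `nginx -t`. Assumes GNU binutils and ldd.
set -eu

# nginx encodes its version as major*1000000 + minor*1000 + patch, so
# "version 1022000 instead of 1018000" means a module built for 1.22.0
# was loaded by a 1.18.0 binary.
nginx_version_number() {
  printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# The inverse, to read the [emerg] message at a glance: 1018000 -> 1.18.0
nginx_version_string() {
  printf '%d.%d.%d\n' $(( $1 / 1000000 )) $(( $1 / 1000 % 1000 )) $(( $1 % 1000 ))
}

# Version from an `nginx -v` banner such as "nginx version: nginx/1.18.0 (Ubuntu)"
nginx_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

installed_nginx_version() {
  nginx_version_from_banner "$("${NGINX_BIN:-nginx}" -v 2>&1)"
}

# Strong ('U') undefined symbols of the module that neither the nginx
# binary nor any shared library it links defines. dlopen() stops at the
# first of these, e.g. "undefined symbol: pcre2_get_ovector_count_8" when
# the module was built against a PCRE2-configured source tree but the
# installed binary was linked against libpcre (v1). Weak ('w') references
# are allowed to stay unresolved and are skipped.
module_unresolved_symbols() {
  nginx_bin=$1
  module_so=$2
  defined=$(mktemp)
  {
    nm -D --defined-only "$nginx_bin" 2>/dev/null
    ldd "$nginx_bin" | awk '$3 ~ /^\// { print $3 }' | xargs -r nm -D --defined-only 2>/dev/null
  } | awk '{ print $NF }' | sed 's/@.*//' | sort -u > "$defined"
  nm -D --undefined-only "$module_so" | awk '$1 == "U" { print $2 }' | sed 's/@.*//' |
    sort -u | comm -23 - "$defined"
  rm -f "$defined"
}

# Usage: check_nginx_module /usr/sbin/nginx /usr/share/nginx/modules/ngx_http_naxsi_module.so
check_nginx_module() {
  nginx_bin=$1
  module_so=$2
  have=$(nginx_version_from_banner "$("$nginx_bin" -v 2>&1)")
  echo "nginx binary: $have (module signature must say $(nginx_version_number "$have"))"
  missing=$(module_unresolved_symbols "$nginx_bin" "$module_so")
  if [ -n "$missing" ]; then
    echo "symbols the binary cannot satisfy (dlopen will fail):"
    echo "$missing"
    return 1
  fi
  echo "all module symbols resolve; if nginx -t still says 'not binary compatible',"
  echo "rebuild from the nginx-$have source with the 'nginx -V' configure arguments (or --with-compat on both sides)"
}

if [ $# -eq 2 ]; then
  check_nginx_module "$1" "$2"
fi
```

Run it as `sh check.sh /usr/sbin/nginx /path/to/ngx_http_naxsi_module.so` on the host that will load the module; an empty "cannot satisfy" list plus a matching version number means the remaining failure mode is the signature one, which only a rebuild against the right source tree and options fixes.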

The file parameter is URL-encoded and contains no https:// field, so why is it still logged by rule 1101?

2023/09/19 22:21:18 [error] 8183#0: *5105773 NAXSI_FMT: ip=yy.yy.yy.yy&server=localhost&uri=/static/html/pdf/web/viewer.html&vers=1.3&total_processed=17&total_blocked=17&config=learning&cscore0=$XSS&score0=336&cscore1=$RFI&score1=8&zone0=HEADERS&id0=1315&var_name0=cookie&zone1=ARGS&id1=1101&var_name1=file, client: yy.yy.yy.yy, server: localhost, request: "GET /static/html/pdf/web/viewer.html?file=https%3A%2F%2Fzz.domain.com%2Fstatic%2Ffundresfiles%2Fdiscfile%2F012708%2FCN_50870000_012708_FA010080_20230002_012708_20230612_090000_01.pdf HTTP/1.0", host: "localhost:9999", referrer: "http://xx.xx.xx.xx:8080/static/h5/mobile/fundTrade/fundTrade.html"

GCC bug # 53119 (missing braces around initializer [-Werror=missing-braces])

When I compile the code I get this error:

make[1]: Entering directory `/home/lubomudr/nginx'
cc -c -fPIC -pipe  -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -std=c99 -I src/core -I src/event -I src/event/modules -I src/os/unix -I ../naxsi/naxsi_src/ -I ../openssl-1.1.1/.openssl/include -I objs -I src/http -I src/http/modules -I src/http/v2 -I src/mail -I src/stream \
        -o objs/addon/naxsi_src/naxsi_net.o \
        ../naxsi/naxsi_src/naxsi_net.c
../naxsi/naxsi_src/naxsi_net.c: In function 'naxsi_parse_cidr':
../naxsi/naxsi_src/naxsi_net.c:93:3: error: missing braces around initializer [-Werror=missing-braces]
   ip_t   ip       = { 0 };
   ^
../naxsi/naxsi_src/naxsi_net.c:93:3: error: (near initialization for 'ip.u') [-Werror=missing-braces]
../naxsi/naxsi_src/naxsi_net.c:93:3: error: missing initializer for field 'version' of 'ip_t' [-Werror=missing-field-initializers]
In file included from ../naxsi/naxsi_src/naxsi.h:17:0,
                 from ../naxsi/naxsi_src/naxsi_net.c:7:
../naxsi/naxsi_src/naxsi_net.h:44:12: note: 'version' declared here
   uint32_t version;
            ^
cc1: all warnings being treated as errors
make[1]: *** [objs/addon/naxsi_src/naxsi_net.o] Error 1
make[1]: Leaving directory `/home/lubomudr/nginx'
make: *** [build] Error 2

gcc version 4.8.5 20150623 (Red Hat 4.8.5-44)

To fix it, one can leave the values uninitialized or initialize a known member:

diff --git a/naxsi_src/naxsi_net.c b/naxsi_src/naxsi_net.c
index d7da800..1d16a18 100644
--- a/naxsi_src/naxsi_net.c
+++ b/naxsi_src/naxsi_net.c
@@ -90,7 +90,7 @@ naxsi_parse_cidr(const ngx_str_t* nx_cidr, cidr_t* cidr)
     return (CIDR_ERROR_MISSING_MASK);
   }
 
-  ip_t   ip       = { 0 };
+  ip_t   ip       = { .version = 0 };
   size_t orig_len = copy.len;
 
   copy.len = smask - (const char*)copy.data;
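Review bot: the designated initializer `ip_t ip = { .version = 0 };` still zero-initializes every other member of `ip` (C99 6.7.8p19: members without an initializer get static-zero initialization), so behaviour is unchanged, and it silences both errors from the log, since GCC does not emit -Wmissing-field-initializers for designated initializers either. Put a one-line comment above it naming GCC bug 53119, otherwise the next cleanup will fold it back to `{ 0 }` and break the gcc 4.8 build again. The other option in the cover text, leaving `ip` uninitialized, should not be taken: it swaps a compiler false positive for indeterminate reads on any path that inspects `ip` before the parser has fully written it.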
diff --git a/naxsi_src/naxsi_runtime.c b/naxsi_src/naxsi_runtime.c
index ffd445b..2e3fcda 100644
--- a/naxsi_src/naxsi_runtime.c
+++ b/naxsi_src/naxsi_runtime.c
@@ -573,7 +573,7 @@ naxsi_can_ignore_cidr(const ngx_str_t* ipstr, ngx_http_naxsi_loc_conf_t* cf)
     return 0;
   }
   ngx_uint_t i;
-  ip_t       ip = { 0 };
+  ip_t       ip = { .version = 0 };
   if (!naxsi_parse_ip(ipstr, &ip, NULL)) {
     return 0;
   }
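Review bot: same workaround as in naxsi_net.c, and the `if (!naxsi_parse_ip(ipstr, &ip, NULL)) { return 0; }` directly below shows why the zeroing matters here: the struct is only trusted after the parser succeeds, so the "leave it uninitialized" alternative would have been the wrong fix. With the pattern now in two files, a single macro next to the `ip_t` definition in naxsi_net.h (say `IP_T_INIT`, name assumed) would keep the GCC 53119 explanation in one place; the build-time alternative, `--with-cc-opt=-Wno-missing-braces` at configure time, only pushes the problem onto every packager.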
diff --git a/naxsi_src/naxsi_skeleton.c b/naxsi_src/naxsi_skeleton.c
index 03c93c0..e1bda34 100644
--- a/naxsi_src/naxsi_skeleton.c
+++ b/naxsi_src/naxsi_skeleton.c
@@ -858,7 +858,7 @@ ngx_http_naxsi_read_conf(ngx_conf_t* cf, ngx_command_t* cmd, void* conf)
       return (NGX_CONF_OK); /* LCOV_EXCL_LINE */
     }
 
-    cidr_t cidr = { 0 };
+    cidr_t cidr = { .mask.version = 0 };
     int    err  = naxsi_parse_cidr(&value[1], &cidr);
     switch (err) {
       case CIDR_OK:
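Review bot: `cidr_t cidr = { .mask.version = 0 };` relies on `cidr_t` having a member `mask` of type `ip_t`, which is not visible in this hunk; state that in the commit message and add the same GCC 53119 comment, because a nested designator on one field reads as if only the mask were being set, while the intent (zeroing the whole struct before `naxsi_parse_cidr(&value[1], &cidr)` fills it and `switch (err)` inspects the result) is whole-struct initialization. Nested designators are C99, which is fine here since the build log shows nginx already compiling with `-std=c99`.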

Whitelists don't work

Hi, there

I tried to test naxsi with below command.
curl 'http://127.0.0.1:8080/?a=<>'

Then I could see logs in the log file.
2024/03/20 14:18:39 [error] 29706#0: *1 NAXSI_FMT: ip=127.0.0.1&server=127.0.0.1&uri=/&config=block&rid=c65265b0abb646c1cd1264c4ec1c43db&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=a, client: 127.0.0.1, server: , request: "GET /?a=<> HTTP/1.1", host: "127.0.0.1:8080"

To ignore rule 1032, 1033, I added whitelist rule in nginx.conf file.
(screenshot of the added whitelist rule, not reproduced here)

After restarting nginx, I expected to see no error logs while using the same command curl 'http://127.0.0.1:8080/?a=<>'

But there were still the same error logs.

If I did something wrong, please tell me.

Thanks.
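The NAXSI_FMT lines quoted in the rule 1101 report and in the report above are the format nx_util mines for whitelist candidates; the `BasicRule wl:1000 "mz:$URL:...|$ARGS_VAR:returnurl";` line in the ARGS_VAR question is what such output looks like. The script below is an added example written for this page, not nx_util or naxsi code: it pulls every `zoneN`/`idN`/`var_nameN` triplet out of a log line and prints one `BasicRule wl:` per triplet, scoped to the request URI and to the offending variable through the `$ARGS_VAR` / `$BODY_VAR` / `$HEADERS_VAR` matchzones (the `idN` field is the rule number the `wl:` has to name). The two log lines from the issues are embedded as sample input, with the trailing request text of the second one shortened. Two caveats a practitioner would want: a whitelist mined from learning-mode logs is only as trustworthy as the traffic that produced it, so review every candidate before it lands in the config; and, on the ARGS_VAR question, `ARGS|NAME` covers matches on argument names, not their values, which is why a hit on the value of `returnurl` still needs `$ARGS_VAR:returnurl` (or unqualified `ARGS`).

```shell
#!/bin/sh
# Added example, not naxsi or nx_util code: turn NAXSI_FMT error-log lines
# into whitelist candidates. Needs only sed, tr and awk.
set -eu

# One BasicRule per zoneN/idN/var_nameN triplet of a NAXSI_FMT line.
# ARGS/BODY/HEADERS hits that carry a variable name become $ZONE_VAR:name
# matchzones scoped to the request URI; anything else (URL zone, or a hit
# without a name) falls back to the bare zone name. Only the classic
# NAXSI_FMT key=value&... format is handled, not the JSON log variant.
naxsi_fmt_to_whitelist() {
  printf '%s\n' "$1" |
    sed -n 's/.*NAXSI_FMT: \([^ ,]*\).*/\1/p' |
    tr '&' '\n' |
    awk -F= '
      { kv[$1] = $2 }
      END {
        uri = kv["uri"]
        for (i = 0; ("id" i) in kv; i++) {
          zone = kv["zone" i]; id = kv["id" i]; name = kv["var_name" i]
          if ((zone == "ARGS" || zone == "BODY" || zone == "HEADERS") && name != "")
            printf "BasicRule wl:%s \"mz:$URL:%s|$%s_VAR:%s\";\n", id, uri, zone, name
          else
            printf "BasicRule wl:%s \"mz:$URL:%s|%s\";\n", id, uri, zone
        }
      }'
}

# Whole error log(s) -> unique candidates with hit counts, most frequent
# first. Review each line before adding it: a whitelist is a permanent hole.
whitelist_candidates_from_log() {
  grep -h 'NAXSI_FMT:' "$@" | while IFS= read -r line; do
    naxsi_fmt_to_whitelist "$line"
  done | sort | uniq -c | sort -rn
}

# Sample input: the two log lines quoted in the issues above (the request
# part of the second one is shortened; it is not parsed).
SAMPLE_1='2024/03/20 14:18:39 [error] 29706#0: *1 NAXSI_FMT: ip=127.0.0.1&server=127.0.0.1&uri=/&config=block&rid=c65265b0abb646c1cd1264c4ec1c43db&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=a, client: 127.0.0.1, server: , request: "GET /?a=<> HTTP/1.1", host: "127.0.0.1:8080"'
SAMPLE_2='2023/09/19 22:21:18 [error] 8183#0: *5105773 NAXSI_FMT: ip=yy.yy.yy.yy&server=localhost&uri=/static/html/pdf/web/viewer.html&vers=1.3&total_processed=17&total_blocked=17&config=learning&cscore0=$XSS&score0=336&cscore1=$RFI&score1=8&zone0=HEADERS&id0=1315&var_name0=cookie&zone1=ARGS&id1=1101&var_name1=file, client: yy.yy.yy.yy, server: localhost, request: "GET /static/html/pdf/web/viewer.html?file=https%3A%2F%2Fzz.domain.com%2F... HTTP/1.0", host: "localhost:9999"'

naxsi_fmt_to_whitelist "$SAMPLE_1"
naxsi_fmt_to_whitelist "$SAMPLE_2"
```

For the first sample this prints `BasicRule wl:1302 "mz:$URL:/|$ARGS_VAR:a";`, i.e. the rule id that actually fired on `a`; for the second it prints one rule for the Cookie header hit (1315) and one for the `file` argument hit (1101). Feed a real log with `whitelist_candidates_from_log /var/log/nginx/error.log` and treat the counts as a review queue, not as rules to paste.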

ip whitelist

Hi wargio, in this latest version of naxsi - nginx is showing me this message:

nginx -t nginx: [emerg] cannot add hash value in /etc/nginx/wafnaxsi/whitelists/ip_naxsi_whitelist:1 nginx: configuration file /etc/nginx/nginx.conf test failed

I don't know if it is due to nginx or naxsi?

ip_naxsi_whitelist

IgnoreIP 186.77.204.111;
IgnoreIP 190.92.159.48;

any idea?

[Windows only] Nginx does not decode the uri encoded bytes

For some reason, nginx or naxsi on the Windows build does not decode the bytes correctly, as we expect it to.

Logs:

2022-12-19T16:45:36.3777060Z rg: re.compile('^.*{\\"ip\\":\\"127\\.0\\.0\\.1\\",\\"server\\":\\"[a-z\\d.]+\\",\\"rid\\":\\"[a-f\\d]+\\",\\"uri\\":\\"\\/\\\\\\\\\\\\\\\\\\\\u00ff\\\\\\\\a\\",\\"id\\":20,\\"zone\\":\\"URL\\",\\"var_name\\":\\"\\")
2022-12-19T16:45:36.3777954Z fl:  2022/12/19 16:45:16 [error] 3516#6832: *1 {"ip":"127.0.0.1","server":"127.0.0.1","rid":"0c0f0000c5620000323a000091190000","uri":"/\u00ff/a","id":20,"zone":"URL","var_name":"","content":""}, client: 127.0.0.1, server: localhost, request: "GET /%5C%5C%ff%5Ca?b=<>%5C%5C HTTP/1.1", host: "127.0.0.1:8080"
2022-12-19T16:45:36.3778398Z 
2022-12-19T16:45:36.3778808Z fl:  2022/12/19 16:45:16 [error] 3516#6832: *1 {"ip":"127.0.0.1","server":"127.0.0.1","uri":"/%FF/a","config":"drop","rid":"0c0f0000c5620000323a000091190000","zone0":"URL","id0":"20","var_name0":""}, client: 127.0.0.1, server: localhost, request: "GET /%5C%5C%ff%5Ca?b=<>%5C%5C HTTP/1.1", host: "127.0.0.1:8080"

Reproducer test

=== TEST 1.9: JSON log + extended + FF byte
--- main_config
load_module $TEST_NGINX_NAXSI_MODULE_SO;
--- http_config
include $TEST_NGINX_NAXSI_RULES;
--- config
set $naxsi_json_log 1;
set $naxsi_extensive_log 1;
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
     return 412;
    # return 412;
}
--- request eval
"GET /%5C%5C%ff%5Ca?b=<>%5C%5C"
--- error_code: 412
--- error_log eval
qr@{"ip":"127\.0\.0\.1","server":"[a-z\d.]+","rid":"[a-f\d]+","uri":"\/\\\\\\\\\\u00ff\\\\a","id":20,"zone":"URL","var_name":"","content":""}, client: 127\.0\.0\.1,@

nginx: [emerg] Naxsi-Config : Incorrect line MainRule

Hi Sir, I followed the guide to install nginx and naxsi on RHEL 8, but I got this issue:

nginx: [emerg] Naxsi-Config : Incorrect line MainRule rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile (../naxsi-master/naxsi_src//naxsi_skeleton.c/973)... in /etc/nginx/naxsi_core.rules:23
nginx: configuration file /etc/nginx/nginx.conf test failed

nginx version: nginx/1.22.0
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-10) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --conf-path=/etc/nginx/nginx.conf --add-module=../naxsi-master/naxsi_src/ --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --user=nginx --group=nginx --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --prefix=/usr

Could you help me, please?

thanks

libinjection submodule

Giovanni, first of all, thank you for maintaining a surviving version of naxsi.

Consider this more of a basic question than a potential new "issue".

I have a question about the configure command and its output. I built everything from source, including pcre and zlib. I've added the "--add-dynamic-module=../naxsi/naxsi_src" directive to my configure command. The output of ./configure... contains some confusing statements that I'd like to run by you.

First, note that I see quite clearly the naxsi_src/libinjection and /libinjection_ngxbuild directories in your source tree.

The confusion comes when, after complaining of not being able to find libinjection, I get a subsequent statement that the submodule libinjection was used, and that naxsi was configured.

In the output, I note that the script expects to find "libinjection.pc", but the actual filename within your subdir is "libinjection.pc.in". So I'm left in a quandary. Is the script complaining about not finding libinjection, but then later getting on with things and using the libinjection submodule that it eventually found in your tree? That is what it seems like, but I wanted to ask you about it before I commit to building libinjection itself from source.

output of configure command

... (omitted for brevity)
configuring additional dynamic modules
adding module in ../naxsi/naxsi_src
Package libinjection was not found in the pkg-config search path.
Perhaps you should add the directory containing `libinjection.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libinjection' found
Package libinjection was not found in the pkg-config search path.
Perhaps you should add the directory containing `libinjection.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libinjection' found
Using submodule libinjection
 + naxsi was configured  

... (omitted for brevity)
  

No package 'libinjection' found

checking for sysconf(_SC_NPROCESSORS_ONLN) ... found
checking for sysconf(_SC_LEVEL1_DCACHE_LINESIZE) ... found
checking for openat(), fstatat() ... found
checking for getaddrinfo() ... found
configuring additional dynamic modules
adding module in ../naxsi/naxsi_src
Package libinjection was not found in the pkg-config search path.
Perhaps you should add the directory containing `libinjection.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libinjection' found
Package libinjection was not found in the pkg-config search path.
Perhaps you should add the directory containing `libinjection.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libinjection' found
Cannot find 'libinjection' submodule.

CentOS 6.8

Does not validate the headers

Hi. I have the following simple, default setup of NAXSI v1.6 as a reverse proxy on Ubuntu 22.04 LTS.

cat /etc/nginx/sites-available/default

location / {
             include /etc/nginx/naxsi.rules;
             proxy_pass http://127.0.0.1:1234/;
}

location /RequestDenied {
             return 403;
}

cat /etc/nginx/nginx.conf

load_module modules/ngx_http_naxsi_module.so;

http {
        include /etc/nginx/naxsi_core.rules;
}

In naxsi.rules I set

SecRulesEnabled;
DeniedUrl "/RequestDenied";

CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$UPLOAD >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

I also tried setting $HEADERS, but NAXSI does not block malicious requests.

Some examples; I used wfuzz with a payload wordlist.
wfuzz -w wordlist.txt -f output_fuzz_2,csv -H "Referer: FUZZ" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36" -p 127.0.0.1:8081 http://192.168.0.67/test?param=1

GET / HTTP/1.1
Host: 192.168.0.67
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Referer: <script>alert(1)</script>
Connection: close

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 01 Mar 2024 22:04:20 GMT
Content-Type: text/html
Connection: close
Content-Length: 117
<html>

The filter does not work for all payloads in the header. Another example:

GET /test?param=1 HTTP/1.1
Host: 192.168.0.67
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Referer: &ltscript&gtalert(document.cookie);&ltscript&gtalert
Connection: close

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 01 Mar 2024 21:41:34 GMT
Content-Type: text/html
Connection: close
Content-Length: 129

But when using a payload in the URL or in the body, the filter is triggered.

Error when run make

Hi, when I run make I get the error below; please check it for me, thank you.
Nginx Logs

../naxsi/naxsi_src/naxsi_utils.c: In function ‘naxsi_is_illegal_host_name’:
../naxsi/naxsi_src/naxsi_utils.c:1170:3: error: ‘for’ loop initial declarations are only allowed in C99 mode
   for (size_t i = 1; i < plen; ++i) {
   ^
../naxsi/naxsi_src/naxsi_utils.c:1170:3: note: use option -std=c99 or -std=gnu99 to compile your code
../naxsi/naxsi_src/naxsi_utils.c:1196:15: error: redefinition of ‘i’
   for (size_t i = 0; i < n_cidrs; ++i) {
               ^
../naxsi/naxsi_src/naxsi_utils.c:1170:15: note: previous definition of ‘i’ was here
   for (size_t i = 1; i < plen; ++i) {
               ^
../naxsi/naxsi_src/naxsi_utils.c:1196:3: error: ‘for’ loop initial declarations are only allowed in C99 mode
   for (size_t i = 0; i < n_cidrs; ++i) {
   ^
../naxsi/naxsi_src/naxsi_utils.c: In function ‘naxsi_generate_request_id’:
../naxsi/naxsi_src/naxsi_utils.c:1219:3: error: ‘for’ loop initial declarations are only allowed in C99 mode
   for (size_t i = 0; i < len; i++) {
   ^
make[1]: *** [objs/addon/naxsi_src/naxsi_utils.o] Error 1
