Wednesday, August 28, 2013

Nginx Anti Xss & Sql Injection : NAXSI ( Open-Source WAF )

NAXSI ( Nginx Anti Xss & Sql Injection ) :
                                                             is an open source WAF ( Web Application Firewall ) , high performance, low rules maintenance, Web Application Firewall module for Nginx. 

  _   _                _ 
 | \ | | __ ___  _____(_)
 |  \| |/ _` \ \/ / __| |
 | |\  | (_| |>  <\__ \ |
 |_| \_|\__,_/_/\_\___/_|
                          goal is to help people to secure their web application against attacks 
such as SQL Injection, Cross Site Scripting, Cross Site Request Forgery, 
Local & Remote file inclusions and such. 
The difference with most WAF (Web Applicative Firewalls) out there is that 
it does not rely on signatures to detect attacks. It is using a simpler model, 
where instead of trying to detect "known" attacks, it will detect unexpected 
characters in the HTTP request/arguments. Each kind of unusual character will 
increase the score of the request. If the request reaches a score that's 
considered "too high", the request will be denied, and the user will be 
redirected to a "forbidden" page. Yes, it works a bit like a spam system. 

NAXSI Project:
                        The NAXSI Project is not so known like the ModSecurity open source project, but has a very interesting approach and features.
NAXSI uses the small and performant reverse proxy engine of Nginx web server instead of the full blown Apache engine used by ModSecurity (and from a security point of view: the lesser code).
Following are the major feature of NAXSI:
  • Protects from XSS, SQL injections, CSRF, file inclusion
  • Fast engine
  • Relative simple configuration
  • Check GET/POST requests
  • Check HTTP headers and cookies
  • Forbid dangerous symbols and SQL keywords
  • Allows whitelist approach configuration creating a web application baseline
  • Able to run in learn or production mode
  • Uses no signature of known attack


Let’s do a quick installation with ubuntu sever 12.04 LTS. You may also install it from the sources following the Nginx prerequisites for reference. After you’ve installed the basic server with openssh, install NAXSI with:
 sudo apt-get install nginx-naxsi

Initial configuration

In the nginx configuration file (/etc/nginx/nginx.conf) uncomment this line to activate the basic rulesets:
# nginx-naxsi config
# Uncomment it if you installed nginx-naxsi
include /etc/nginx/naxsi_core.rules;
Note that this file is not an attack signature repository but rather a “score rules” set. Let’s configure NAXSI for our website To do so edit the Nginx configuration file in /etc/nginx/sites-enabled/default and add following entries in the server context:

server {
        proxy_set_header Proxy-Connection “”;    
        listen   80;

        location / {
                # put your website IP here

                # put your website FQDN here
                proxy_set_header Host;

                # Uncomment to enable naxsi on this location
                include /etc/nginx/naxsi.rules;

        # Only for nginx-naxsi : process denied requests
        location /RequestDenied {
                # For example, return an HTTP error code
                return 418;
Now you should be able to start the nginx service that will bring up the NASXI with following command:

sudo service nginx start
Be sure to check for error messages on the console or in the error log found in /var/log/nginx/error.log and verify with sudo netstat -antup that nginx daemon is opening the configured port (tcp/80 in our case). The output should look like this:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address   State       PID/Program name
tcp        0      0*         LISTEN      9865/nginx
tcp        0      0*         LISTEN      8484/sshd
tcp        0      0*         LISTEN      9627/0
tcp        0      0*         LISTEN      9062/1
tcp        0     32 x.y.z.52:22      x.y.z.36:49749    ESTABLISHED 9046/sshd: anco
udp        0      0*                     649/dhclient3

To test if it works, start a browser session and point it to the ip address of your test server (x.y.z.52:80) and you should see the website you configured ( in the config file above. To continue further testing make sure you will proxying all web request to the nginx-NAXSI WAF. To accomplish this you can ether use the web-proxy configuration setting in the browser or fake the testing website ip address in your system hostfile. I prefer to put the ip address in my hostfile:

Here are the location of the target hosts file (you need admin right to save changes):

OS Host Configuration File
Windows %SYSTEMROOT%\system32\drivers\etc\hosts
Linux /etc/hosts
Now we can browse to and be sure that our test NAXSI WAF will inspect the content and remember that by now the configuration is in learning mode; it will only report errors in the nginx error logs (/var/log/nginx/error.log) and not block any bad scored request.

How It Works

The naxsi_core.rules are responsible for scoring the HTTP input and looks like this (excerpt):
MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4" id:1008;
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie"
"s:$XSS:8" id:1302;
MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie"
"s:$EVADE:4" id:1400;
MainRule "*|.asp*" "msg:asp/php file upload!" "mz:FILE_EXT"
"s:$UPLOAD:8" id:1500;
Insight this file is the logic configuration used to score the input; the result will be used in /etc/nginx/naxsi.rules to decide if such input may be allowed or not. The format is quite simple:
  1. Define what to look for: string (str:) or regular expression (rx:)
  2. Define message to report into logfiles (msg:)
  3. Put the rule a category (s:)
  4. Assign rule identifier (id:)
  5. Define where to look for (mz:) and short description below
mz entry Look in
URL URL path
ARGS HTTP argument
BODY HTML body entry
$HEADERS_VAR: HTTP header variable
Now let’s take a look on the second NAXSI config file /etc/nginx/naxsi.rules where the main NAXSI behavior is defined; this is how it looks like:

# config mode section
DeniedUrl "/RequestDenied";
# check rules section
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
Here is an explanation of the contents:
  1. LearningMode – activates learning mode; in this mode requests aren’t blocked and white lists may be created.
  2. SecRulesEnabled or SecRulesDisabled – to activate or disable NAXSI for this location/section.
  3. DeniedURL – redirect URL for blocked requests; can be an HTTP error code (like 4xx or 5xx) or forward to an HTML site with code to help track false-positives.
  4. CheckRule – per-category check scores; the score we saw above will be evaluated here. If a request hits a score in the naxsi.core.rules, this score will be recorded and added to each category (SQL, XSS, EVADE, ...) if the overall score for any of the categories is reached (8 in SQL per default) the input is treated as bad.
When you use the whitelist (positive secure model) approach you’ll find also the white-list entries (BasicRule statement) in this config file:
# Whitelist '|', as it's used on the /report/ page, in argument 'd'
BasicRule wl:1005 "mz:$URL:/report/|$ARGS_VAR:d";
# Whitelist ',' on URL zone as it's massively used for URL rewritting !
BasicRule wl:1008 "mz:URL";
The entry above will result in disabling some part of the check rule in naxsi_core.rules allowing a specific behavior and eliminate false-positives. BasicRule could be more or less specific at your pace (and security needs).

Information Gathering

At this stage we have our test installation inspecting the HTTP flow and reporting bad things in the /var/log/nginx/error.log file, let’s take a look on how NAXSI error entry looks like:

> error.log <
2012/11/30 04:57:55 [error] 9866#0: *47 NAXSI_FMT: ip=x.y.z.36&
var_name0=, client:x.y.z.36, server: localhost, 
request: "GET /testmiztot HTTP/1.1", host: "x.y.z.52"

As you can see it’s a special error message: it was generated on a “special” HTTP URL GET request and is not a really bad request. To test the functionality on the WAF I’ve created this test-rule in the  

MainRule "str:testmiztot" "msg:foobar test pattern" "mz:URL" "s:$SQL:42" id:1999;

This rule will trigger whenever the testmiztot string is detected in the address part (mz:URL) of the HTTP GET request and score as 42 (s:$SQL:42) in the SQL category. This will be evaluated as bad because the SQL category limit is 8. The msg: text will be shown in the learning mode log used to generate the white-list baseline.

 Analyze in detail the meaning of these commands:
  • LearningMode - Training Mode is enabled. Requests are not blocked, White-shaped leaf.
  • SecRulesEnabled - NAXSI enabled for this location. If you want to switch off for another location (for example, a protected inner zone), then do it SecRulesDisabled.
  • DeniedURL - URL redirect for the denied requests.
  • CheckRule - checking the "penalty points" query by category.
  • / Etc / nginx / mynaxsi.rules - generated rules (not yet gener - commented out).

Official Change Log For Naxsi 0.41:-
Feature: added support for FILE_EXT. We can now control file uploads names/extensions as well.
Added a rule for FILE_EXT into naxsi_core.rules
Added unit testing for FILE_EXT feature
Fixed erroneous log messages
Fixed an error on whitelist of types $URL:xxx|URL

To Know More :

To Download :

OWASP Naxsi Project :

NAXSI Matrix :

 NAXSI Presentation :

Monday, August 12, 2013

Useful Online Information Security Portals

Sandy ( Static & Dynamic Analysis ) : 

         Sandy developed under Indian Honeynet and is capable of doing both static and dynamic analysis of Malicious Office, Jar,HTML files at the moment. 


Two big issues faced by the security industry in general is,
  1. On how to analyze exploits in bulk and extract IP/controller information.
  2. On how to attribute to apt groups to exploits collected.


Sandy Version 1: [Beta testing]

  • Static | Dynamic Analyze Java exploits, Static analysis of Java malwares.
  • Limited support for office file formats.
  • Analysis of url having support for Firefox and IE browsers.
Sandy To do list:
  • Hpfeeds Integration.
  • Improve performace and analysis for doc samples.
  • Improve stability.
  • Add support for pdf,flash exploits.
  • Dynamic analysis of Java malwares, and Doc files.
  • Add support for pdf/flas files.
  • Add support for Android APK files.
  • In short there need to be a lot of improvement to make it useful :)
Sandy Snapshot :

Portal Link :

HoneyMap :

              HoneyMap shows a real-time visualization of attacks against the Honeynet Project's sensors deployed around the world. It leverages the internal data sharing protocol hpfeeds as its data source. Read this post to learn about the technical details and frequently asked questions. Before going into explanations, take a look at the map itself:

HoneyMap Snapshot:

Red markers on the map represent attackers, yellow markers are targets (honeypot sensors).

 Portal Link : ( New Real-Time Cyber attack Monitoring System )

                                            This Portal shows statistics of the early warning system of Deutsche Telekom. The corresponding sensors are operated from Deutsche Telekom and Partners,

Snapshot :

a cyberattack against an organization from the East Coast of the United States is taking place. If you’re interested in learning such information in real-time, you can check out, a new cyberattack monitoring service launched by Germany’s Deutsche Telekom.

Besides a real-time overview of current attacks, recorded by a total of 97 sensors, the website also provides statistics such as the top 15 source countries, distribution of attack targets, total number of attacks per day and overall sum of attackers per day.

Available in English and German, the information presented on the site is gathered from resources such as The Honeynet Project, HoneyMap, Kippo, Glastopf and dionaea.

Currently, the figures from the site show that a total of 2,402,722 cyberattacks were recorded last month as originating from Russia. Over 900,000 were traced back to Taiwan and 780,000 to Germany.

Portal Link :

SHODAN : (Sentient Hyper-Optimized Data Access Network)

            Shodan is a computer search engine which scans and searches any online devices such as webcams, routers, printers, iphones etc filtering based on User Agent & Country.SHODAN was created on Earth to serve as the artificial intelligence of the TriOptimum Corporation's research and mining space station Citadel.

Snapshot :

Portal Link :

Thanks ..