NAXSI ( Nginx Anti Xss & Sql Injection ) :
is an open source WAF ( Web Application Firewall ) , high performance, low rules maintenance, Web Application Firewall module for Nginx.
_ _ _ | \ | | __ ___ _____(_) | \| |/ _` \ \/ / __| | | |\ | (_| |> <\__ \ | |_| \_|\__,_/_/\_\___/_|
goal is to help people to secure their web application against attacks such as SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Local & Remote file inclusions and such. The difference with most WAF (Web Applicative Firewalls) out there is that it does not rely on signatures to detect attacks. It is using a simpler model, where instead of trying to detect "known" attacks, it will detect unexpected characters in the HTTP request/arguments. Each kind of unusual character will increase the score of the request. If the request reaches a score that's considered "too high", the request will be denied, and the user will be redirected to a "forbidden" page. Yes, it works a bit like a spam system.
NAXSI Project:
The NAXSI Project is not so known like the ModSecurity open source project, but has a very interesting approach and features.
NAXSI uses the small and performant reverse proxy engine of Nginx web server instead of the full blown Apache engine used by ModSecurity (and from a security point of view: the lesser code).
Following are the major feature of NAXSI:
- Protects from XSS, SQL injections, CSRF, file inclusion
- Fast engine
- Relative simple configuration
- Check GET/POST requests
- Check HTTP headers and cookies
- Forbid dangerous symbols and SQL keywords
- Allows whitelist approach configuration creating a web application baseline
- Able to run in learn or production mode
- Uses no signature of known attack
Installation
Let’s do a quick installation with ubuntu sever 12.04 LTS. You may also install it from the sources following the Nginx prerequisites for reference. After you’ve installed the basic server with openssh, install NAXSI with:sudo apt-get install nginx-naxsi
Initial configuration
In the nginx configuration file (/etc/nginx/nginx.conf
) uncomment this line to activate the basic rulesets:## # nginx-naxsi config ## # Uncomment it if you installed nginx-naxsi ## include /etc/nginx/naxsi_core.rules;Note that this file is not an attack signature repository but rather a “score rules” set. Let’s configure NAXSI for our website
www.scip.ch
. To do so edit the Nginx configuration file in /etc/nginx/sites-enabled/default
and add following entries in the server
context:server { proxy_set_header Proxy-Connection “”; listen 80; location / { # put your website IP here proxy_pass http://80.74.141.2/; # put your website FQDN here proxy_set_header Host www.scip.ch; # Uncomment to enable naxsi on this location include /etc/nginx/naxsi.rules; } # Only for nginx-naxsi : process denied requests location /RequestDenied { # For example, return an HTTP error code return 418; } }
Now you should be able to start the
nginx
service that will bring up the NASXI with following command:sudo service nginx start
Be sure to check for error messages on the console or in the error log found in
/var/log/nginx/error.log
and verify with sudo netstat -antup
that nginx
daemon is opening the configured port (tcp/80 in our case). The output should look like this:Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 9865/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 8484/sshd
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 9627/0
tcp 0 0 127.0.0.1:6011 0.0.0.0:* LISTEN 9062/1
tcp 0 32 x.y.z.52:22 x.y.z.36:49749 ESTABLISHED 9046/sshd: anco
udp 0 0 0.0.0.0:68 0.0.0.0:* 649/dhclient3
To test if it works, start a browser session and point it to the ip address of your test server (
x.y.z.52:80
) and you should see the website you configured (www.scip.ch
) in the config file above. To continue further testing make sure you will proxying all web request to the nginx-NAXSI WAF. To accomplish this you can ether use the web-proxy configuration setting in the browser or fake the testing website ip address in your system hostfile. I prefer to put the ip address in my hostfile:x.y.z.52 www.scip.ch
Here are the location of the target
hosts
file (you need admin right to save changes):OS | Host Configuration File |
---|---|
Windows | %SYSTEMROOT%\system32\drivers\etc\hosts |
Linux | /etc/hosts |
www.scip.ch
and be sure that our test NAXSI WAF will inspect the content and remember that by now the configuration is in learning mode; it will only report errors in the nginx error logs (/var/log/nginx/error.log
) and not block any bad scored request.How It Works
Thenaxsi_core.rules
are responsible for scoring the HTTP input and looks like this (excerpt):MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4" id:1008; # MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie"
"s:$XSS:8" id:1302; # MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie"
"s:$EVADE:4" id:1400; # MainRule "rx:.ph*|.asp*" "msg:asp/php file upload!" "mz:FILE_EXT"
"s:$UPLOAD:8" id:1500;Insight this file is the logic configuration used to score the input; the result will be used in
/etc/nginx/naxsi.rules
to decide if such input may be allowed or not. The format is quite simple:- Define what to look for: string (
str:
) or regular expression (rx:
) - Define message to report into logfiles (
msg:
) - Put the rule a category (
s:
) - Assign rule identifier (
id:
) - Define where to look for (
mz:
) and short description below
mz entry |
Look in |
---|---|
URL | URL path |
ARGS | HTTP argument |
BODY | HTML body entry |
$HEADERS_VAR: | HTTP header variable |
/etc/nginx/naxsi.rules
where the main NAXSI behavior is defined; this is how it looks like:# config mode section LearningMode; SecRulesEnabled; #SecRulesDisabled; DeniedUrl "/RequestDenied"; # # check rules section CheckRule "$SQL >= 8" BLOCK; CheckRule "$RFI >= 8" BLOCK; CheckRule "$TRAVERSAL >= 4" BLOCK; CheckRule "$EVADE >= 4" BLOCK; CheckRule "$XSS >= 8" BLOCK;
Here is an explanation of the contents:
LearningMode
– activates learning mode; in this mode requests aren’t blocked and white lists may be created.SecRulesEnabled
orSecRulesDisabled
– to activate or disable NAXSI for this location/section.DeniedURL
– redirect URL for blocked requests; can be an HTTP error code (like4xx
or5xx
) or forward to an HTML site with code to help track false-positives.CheckRule
– per-category check scores; the score we saw above will be evaluated here. If a request hits a score in thenaxsi.core.rules
, this score will be recorded and added to each category (SQL, XSS, EVADE, ...
) if the overall score for any of the categories is reached (8 inSQL
per default) the input is treated as bad.
BasicRule
statement) in this config file:# Whitelist '|', as it's used on the /report/ page, in argument 'd' BasicRule wl:1005 "mz:$URL:/report/|$ARGS_VAR:d"; # Whitelist ',' on URL zone as it's massively used for URL rewritting ! BasicRule wl:1008 "mz:URL";The entry above will result in disabling some part of the check rule in
naxsi_core.rules
allowing a specific behavior and eliminate false-positives. BasicRule could be more or less specific at your pace (and security needs).Information Gathering
At this stage we have our test installation inspecting the HTTP flow and reporting bad things in the/var/log/nginx/error.log
file, let’s take a look on how NAXSI error entry looks like:> error.log < 2012/11/30 04:57:55 [error] 9866#0: *47 NAXSI_FMT: ip=x.y.z.36&
server=x.y.z.52&uri=/testmiztot&total_processed=8589934625&
total_blocked=679029381853280060&zone0=URL&id0=1999&
var_name0=, client:x.y.z.36, server: localhost,
request: "GET /testmiztot HTTP/1.1", host: "x.y.z.52"
As you can see it’s a special error message: it was generated on a “special”
HTTP URL GET
request and is not a really bad request. To test the functionality on the WAF I’ve created this test-rule in the
/etc/nginx/naxsi_core.rules
:MainRule "str:testmiztot" "msg:foobar test pattern" "mz:URL" "s:$SQL:42" id:1999;
This rule will trigger whenever the
testmiztot
string is detected in the address part (mz:URL
) of the HTTP GET
request and score as 42 (s:$SQL:42
) in the SQL category. This will be evaluated as bad because the SQL category limit is 8
. The msg:
text will be shown in the learning mode log used to generate the white-list baseline.Analyze in detail the meaning of these commands:
- LearningMode - Training Mode is enabled. Requests are not blocked, White-shaped leaf.
- SecRulesEnabled - NAXSI enabled for this location. If you want to switch off for another location (for example, a protected inner zone), then do it SecRulesDisabled.
- DeniedURL - URL redirect for the denied requests.
- CheckRule - checking the "penalty points" query by category.
- / Etc / nginx / mynaxsi.rules - generated rules (not yet gener - commented out).
Official Change Log For Naxsi 0.41:-
Feature: added support for FILE_EXT. We can now control file uploads names/extensions as well.Added a rule for FILE_EXT into naxsi_core.rules
Added unit testing for FILE_EXT feature
Fixed erroneous log messages
Fixed an error on whitelist of types $URL:xxx|URL
To Know More : https://code.google.com/p/naxsi/
To Download : https://code.google.com/p/naxsi/downloads/list
OWASP Naxsi Project : https://www.owasp.org/index.php/OWASP_NAXSI_Project
NAXSI Matrix : https://docs.google.com/spreadsheet/ccc?key=0AjuNPnOoex7SdG5fUkhfc3BCSjJQbVVrQTg4UGU2YVE#gid=0
NAXSI Presentation : http://www.slideshare.net/phdays/naxsi-an-open-source-waf-for-nginx