Question of captcha


Éder Ferreira

Nov 5, 2014, 8:20:54 AM11/5/14
to naxsi-...@googlegroups.com
Gentlemen,

Does anybody here have an application with a captcha? (avoiding false positives)
Could you show what the configuration file looked like?

Thanks!!

bui

Nov 5, 2014, 8:26:37 AM11/5/14
to naxsi-discuss
Hi,

I guess you should treat it as any other whitelist? Or does it have something very specific?



--
You received this message because you are subscribed to the Google Groups "naxsi-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to naxsi-discus...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Éder Ferreira

Nov 5, 2014, 8:46:10 AM11/5/14
to naxsi-...@googlegroups.com
It is something more specific... e.g.:

I wanted to know how to redirect a user to a captcha page when the user attempts to access the page "/admin/".

Éder Ferreira

Nov 5, 2014, 8:51:07 AM11/5/14
to naxsi-...@googlegroups.com
Note:

I'm testing naxsi-nginx on a "DVWA" application.

Éder Ferreira

Nov 5, 2014, 11:51:59 AM11/5/14
to naxsi-...@googlegroups.com
Another thing... I cannot find the file "forbidden.php" in:

https://github.com/brightbox/deb-nginx/tree/master/debian/modules/naxsi/contrib/fp-reporter

can anyone help?

Sébastien Blot

Nov 5, 2014, 12:17:25 PM11/5/14
to naxsi-...@googlegroups.com
Hi,

The fp-reporter was just a POC of what you can do to handle false
positives on your website, and is not supported (I can't even find it
on our GitHub repo or in the old Google Code repo, and from a quick
look, the script does not seem to do anything with the data besides
displaying it back to the user, and is vulnerable to XSS, so please
don't use it like this :)).
The forbidden.php seems to be a typo; you should read fp-reporter.php.
If you want to use it, the basic idea is to redirect the user to this
file when naxsi blocks a request, for example if nginx is used as a
reverse proxy (and the DeniedUrl is set to /RequestDenied):

location /RequestDenied {
    proxy_pass http://10.0.01/fp-reporter.php;
}

Also, do not use the package provided by brightbox, as it uses a very
old naxsi version (0.48 was released more than 2 years ago). You
should get the source code from the repo
(https://github.com/nbs-system/naxsi/) and compile nginx yourself (you
can use this guide to help you:
https://github.com/nbs-system/naxsi/wiki/installation).
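A fuller nginx configuration along the lines Sébastien describes, added here as an example and not taken from the thread or from the naxsi project: it sets a global DeniedUrl, gives /admin/ its own denied location that proxies to a captcha page (Éder's question), and whitelists the captcha answer field so the answer itself is not flagged (bui's point that it is handled like any other whitelist). The backend and captcha addresses, the rules path, the hostname, the field name and the choice of rule id 1000 for the whitelist are assumptions.

```nginx
http {
    # naxsi core signatures must be included at http level (path is an assumption)
    include /etc/nginx/naxsi_core.rules;

    server {
        listen 80;
        server_name dvwa.example;            # assumed hostname of the DVWA test instance

        location / {
            SecRulesEnabled;
            DeniedUrl "/RequestDenied";      # naxsi internally redirects blocked requests here
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            proxy_pass http://10.0.0.10;      # assumed address of the DVWA backend
        }

        # /admin/ gets its own denied location, so blocked visitors land on a captcha page
        location /admin/ {
            SecRulesEnabled;
            DeniedUrl "/RequestDeniedCaptcha";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            # Whitelist the captcha answer field for the SQL keyword rule (id 1000 in
            # naxsi_core.rules); the field name is an assumption. The answer is short
            # free text, so a word like "select" would otherwise be scored as SQL.
            BasicRule wl:1000 "mz:$ARGS_VAR:captcha_response";
            proxy_pass http://10.0.0.10;
        }

        # Generic denied page, fp-reporter style (address is an assumption).
        # "internal" keeps users from requesting the page directly.
        location /RequestDenied {
            internal;
            proxy_pass http://10.0.0.20/fp-reporter.php;
        }

        # Denied page for /admin/: the captcha form (address is an assumption)
        location /RequestDeniedCaptcha {
            internal;
            proxy_pass http://10.0.0.20/captcha.php;
        }
    }
}
```

Check the syntax with `nginx -t` before reloading; when a request is blocked, the NAXSI_FMT line in the nginx error log names the rule id and the zone/variable that fired, which is exactly what you need to write a targeted BasicRule whitelist instead of a broad one.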

Éder Ferreira

Nov 12, 2014, 4:55:33 AM11/12/14
to naxsi-...@googlegroups.com
Thanks!!!