BODY whitelist ineffective, requires BODY|NAME


Adam Williams

Apr 28, 2016, 10:15:57 AM
to naxsi-...@googlegroups.com
Hello,

I have the following naxsi_core.rules:

  MainRule "str:[" "msg:[, possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
  MainRule "str:]" "msg:], possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;

Given a request such as:

  curl -d 'object[property]=see [1]' http://website.com


I'm seeing it blocked as expected:

  NAXSI_EXLOG: uri=/user&id=1310&zone=BODY&var_name=object[property]&content=see%20[1]
  NAXSI_EXLOG: uri=/user&id=1310&zone=BODY|NAME&var_name=see%20[1]&content=object[property]
  NAXSI_FMT: uri=/user&learning=0&vers=0.54&total_processed=1&total_blocked=1&block=1&cscore0=$XSS&score0=8&zone0=BODY&id0=1310&var_name0=object[property]&zone1=BODY|NAME&id1=1310&var_name1=object[property]


I'd like to whitelist with this:

  # Allow form field names/values with `[]`
  BasicRule  wl:1310,1311 "mz:BODY";


The request is blocked still:

  NAXSI_EXLOG: uri=/user&id=1310&zone=BODY|NAME&var_name=see%20[1]&content=object[property]
  NAXSI_EXLOG: uri=/user&id=1311&zone=BODY|NAME&var_name=see%20[1]&content=object[property]
  NAXSI_FMT: uri=/user&learning=0&vers=0.54&total_processed=1&total_blocked=1&block=1&cscore0=$XSS&score0=8&zone0=BODY|NAME&id0=1310&var_name0=object[property]&zone1=BODY|NAME&id1=1311&var_name1=object[property]


When I add another rule so that I have:

  # Allow form field names/values with `[]`
  BasicRule  wl:1310,1311 "mz:BODY";
  BasicRule  wl:1310,1311 "mz:BODY|NAME";


Then there is no more blocking.

This seems like a problem similar to https://github.com/nbs-system/naxsi/issues/275. Is this a problem, or should I expect it to work this way?

Thank you,

Adam


bui

Apr 29, 2016, 8:01:11 AM
to naxsi-discuss
Hi,

From what I see, it's expected, as the [ ] patterns were found in BOTH the content of the variable ( BasicRule  wl:1310,1311 "mz:BODY"; ) and its name (BasicRule  wl:1310,1311 "mz:BODY|NAME";)
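
The zone matching discussed in this thread, as an added example (not part of either post, and not naxsi's own code): a small Python checker that reads a NAXSI_FMT line and reports which (zone, id) hits a set of BasicRule whitelists leaves uncovered. It assumes the exact-zone matching observed in the thread; the function names are hypothetical and the sample lines are trimmed copies of the logs above.

```python
import re
from collections import defaultdict

# Constructed samples: the two NAXSI_FMT lines logged in the thread,
# trimmed to the fields this example reads.
FMT_NO_WL = ("NAXSI_FMT: uri=/user&learning=0&vers=0.54&block=1"
             "&zone0=BODY&id0=1310&var_name0=object[property]"
             "&zone1=BODY|NAME&id1=1310&var_name1=object[property]")
FMT_BODY_WL = ("NAXSI_FMT: uri=/user&learning=0&vers=0.54&block=1"
               "&zone0=BODY|NAME&id0=1310&var_name0=object[property]"
               "&zone1=BODY|NAME&id1=1311&var_name1=object[property]")

def parse_fmt(line):
    """Return the (zone, rule_id) hits listed in one NAXSI_FMT line."""
    payload = line.partition("NAXSI_FMT: ")[2]
    fields = dict(kv.split("=", 1) for kv in payload.split("&") if "=" in kv)
    hits, n = [], 0
    while f"zone{n}" in fields and f"id{n}" in fields:
        hits.append((fields[f"zone{n}"], int(fields[f"id{n}"])))
        n += 1
    return hits

def parse_whitelist(rule):
    """Split 'BasicRule wl:1310,1311 "mz:BODY";' into (ids, zone)."""
    m = re.search(r'wl:([\d,]+)\s+"mz:([^"]+)"', rule)
    if m is None:
        raise ValueError(f"not a wl/mz BasicRule: {rule!r}")
    return {int(i) for i in re.findall(r"\d+", m.group(1))}, m.group(2)

def uncovered(hits, rules):
    """Hits no whitelist covers. Assumption: a whitelist applies only to
    the exact zone it names, which is the behaviour seen in the thread."""
    wls = [parse_whitelist(r) for r in rules]
    return [(z, i) for z, i in hits
            if not any(i in ids and z == zone for ids, zone in wls)]

def suggest(hits):
    """One zone-wide BasicRule per distinct zone among the hits."""
    by_zone = defaultdict(set)
    for zone, rule_id in hits:
        by_zone[zone].add(rule_id)
    return [f'BasicRule wl:{",".join(map(str, sorted(ids)))} "mz:{zone}";'
            for zone, ids in sorted(by_zone.items())]

if __name__ == "__main__":
    body_only = ['BasicRule  wl:1310,1311 "mz:BODY";']
    print(uncovered(parse_fmt(FMT_BODY_WL), body_only))
    print(suggest(parse_fmt(FMT_NO_WL)))
```

The suggested rules are zone-wide like the ones in the thread, so they switch off the listed ids for every body field in the location where they are placed.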

