wargio / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX

Testing whitelist rules with ANY match zone

Napsty opened this issue · comments

Thanks for having added the ANY match zone, which can be combined with either mz:$URL: or mz:$URL_X: according to 5c93369#diff-c255b088a4dee2f1282d1dccd609ed178431d1fa74815571342c6be2cde11cbcR196

However, I'm having trouble getting this to work.

WL rule:

BasicRule wl:1000 "mz:$URL:/|ANY";

Request:

$ curl "http://192.168.15.187/?id=)union%27select" -I
HTTP/1.1 418 
Server: nginx/1.18.0
Date: Sat, 19 Nov 2022 10:20:33 GMT
Content-Length: 0
Connection: keep-alive

Error log:

2022/11/19 10:20:33 [error] 22103#22103: *25 NAXSI_FMT: ip=192.168.15.20&server=192.168.15.187&uri=/&config=block&rid=b35f05072a781c60fc5356db4b272717&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=id, client: 192.168.15.20, server: _, request: "HEAD /?id=)union%27select HTTP/1.1", host: "192.168.15.187"

If I change the WL rule to the following (using ARGS instead of ANY):

BasicRule wl:1000 "mz:$URL:/|ARGS";

When I launch the same curl request, the id 1000 is not blocked anymore (naxsi now blocks an additional ID 1011).

2022/11/19 10:23:40 [error] 22129#22129: *26 NAXSI_FMT: ip=192.168.15.20&server=192.168.15.187&uri=/&config=block&rid=056a1eb34e5d61c0917d1f869074ef41&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=ARGS&id0=1011&var_name0=id, client: 192.168.15.20, server: _, request: "HEAD /?id=)union%27select HTTP/1.1", host: "192.168.15.187"

When I whitelist both IDs using ARGS as target:

BasicRule wl:1000,1011 "mz:$URL:/|ARGS";

The curl request works:

$ curl "http://192.168.15.187/?id=)union%27select" -I
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sat, 19 Nov 2022 10:25:47 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 21 Sep 2022 13:21:27 GMT
Connection: keep-alive
ETag: "632b0fd7-264"
Accept-Ranges: bytes

But trying the same with the ANY target won't work:

BasicRule wl:1000,1011 "mz:$URL:/|ANY";

2022/11/19 10:27:18 [error] 22181#22181: *28 NAXSI_FMT: ip=192.168.15.20&server=192.168.15.187&uri=/&config=block&rid=7176c84b68184d1f8e06bc48cb87c740&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=id, client: 192.168.15.20, server: _, request: "HEAD /?id=)union%27select HTTP/1.1", host: "192.168.15.187"

Can you confirm or is there something else which needs to be done?
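The NAXSI_FMT error-log lines quoted above carry everything needed to tune a whitelist: the request URI, the cumulative scores, and numbered zone/id/var_name triples. As an added example (not code from the issue or from the naxsi project), here is a small parser for that format that groups triggered rule ids by (uri, zone) and emits the matching BasicRule whitelist using the zone NAXSI reported; on the two log lines above it reproduces the ARGS rule that worked. The sample log is constructed from those two lines.

```python
import re
from urllib.parse import parse_qs

# Constructed sample: the two NAXSI_FMT lines quoted in this issue.
SAMPLE_LOG = """\
2022/11/19 10:20:33 [error] 22103#22103: *25 NAXSI_FMT: ip=192.168.15.20&server=192.168.15.187&uri=/&config=block&rid=b35f05072a781c60fc5356db4b272717&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=id, client: 192.168.15.20, server: _, request: "HEAD /?id=)union%27select HTTP/1.1", host: "192.168.15.187"
2022/11/19 10:23:40 [error] 22129#22129: *26 NAXSI_FMT: ip=192.168.15.20&server=192.168.15.187&uri=/&config=block&rid=056a1eb34e5d61c0917d1f869074ef41&cscore0=$SQL&score0=4&cscore1=$XSS&score1=8&zone0=ARGS&id0=1011&var_name0=id, client: 192.168.15.20, server: _, request: "HEAD /?id=)union%27select HTTP/1.1", host: "192.168.15.187"
"""

# The NAXSI_FMT payload is a query-string style blob terminated by ", client:".
FMT_RE = re.compile(r"NAXSI_FMT: (?P<qs>\S+?), client:")


def parse_naxsi_fmt(line):
    """Parse one NAXSI_FMT error-log line into a dict; return None for other lines."""
    m = FMT_RE.search(line)
    if not m:
        return None
    fields = {k: v[0] for k, v in parse_qs(m.group("qs"), keep_blank_values=True).items()}
    event = {k: fields[k] for k in ("ip", "server", "uri", "config", "rid") if k in fields}
    # Scores are numbered pairs: cscore0/score0, cscore1/score1, ...
    event["scores"] = {}
    i = 0
    while f"cscore{i}" in fields:
        event["scores"][fields[f"cscore{i}"]] = int(fields[f"score{i}"])
        i += 1
    # Matches are numbered triples: zone0/id0/var_name0, zone1/id1/var_name1, ...
    event["matches"] = []
    i = 0
    while f"id{i}" in fields:
        event["matches"].append(
            (fields[f"zone{i}"], int(fields[f"id{i}"]), fields.get(f"var_name{i}", "")))
        i += 1
    return event


def whitelist_rules(log_text):
    """Group triggered rule ids by (uri, zone) and emit one BasicRule whitelist per group."""
    groups = {}
    for line in log_text.splitlines():
        ev = parse_naxsi_fmt(line)
        if not ev:
            continue
        for zone, rule_id, _var_name in ev["matches"]:
            groups.setdefault((ev["uri"], zone), set()).add(rule_id)
    return [f'BasicRule wl:{",".join(str(i) for i in sorted(ids))} "mz:$URL:{uri}|{zone}";'
            for (uri, zone), ids in sorted(groups.items())]


if __name__ == "__main__":
    for rule in whitelist_rules(SAMPLE_LOG):
        print(rule)
```

Review each emitted rule before deploying it: a whitelist scoped to the exact URI and zone that fired is narrower than an ANY rule and keeps the rest of the ruleset active for that location.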

I believe this is an issue with the $URL: filter and URL match zone. You can't have both.

Do you have an example of how to use the ANY match zone?

Can you test the open PR and check if it fixes the issue?

Sorry, did not find time to do this yet.

It's ok, I have added a test for this.

Re-compiled the module with the current version of the main branch. Yes, it's working now!

WL Rule:

BasicRule wl:1000,1011,1013 "mz:$URL:/|ANY";

Request:

$ curl "http://192.168.15.187/?id=)union%27select" -I
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 21 Nov 2022 12:53:23 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 21 Sep 2022 13:21:27 GMT
Connection: keep-alive
ETag: "632b0fd7-264"
Accept-Ranges: bytes

Thanks!