Skip to content
This repository has been archived by the owner on Nov 8, 2023. It is now read-only.

Mode with filtering unknown variables/headers [enhancement] [idea] #321

Closed
selivan opened this issue Oct 7, 2016 · 6 comments
Closed

Mode with filtering unknown variables/headers [enhancement] [idea] #321

selivan opened this issue Oct 7, 2016 · 6 comments
Assignees
@buixor
Labels
enhancement question Usability

Comments

@selivan
Copy link
Contributor

selivan commented Oct 7, 2016
edited by jvoisin
Loading

Our webapp has API, that is used by our clients. They often implement it sloppily with a lot of mistakes, sending requests with additional variables, containing special symbols. This variables are not used by our application and so they are harmless. But naxsi blocks this requests anyway.

I suggest new mode for naxsi: allowed headers and GET/POST variables are explicitly set, other are just filtered, without blocking query. This mode will not weaken protection, and will significantly reduce number of false positives.

Something like this:

# http context
naxsi_mode filter_not_allowed;
# server and location context
naxsi_allowed_headers cookie, accept-encoding, accept-language, cache-control, connection, dnt, host, pragma, referrer, user-agent;
naxsi_allowed_get_args: id, start, count, filter, lang;
naxsi_allowed_post_vars: user, password, remember_me, submit;
@jvoisin
Copy link
Contributor

jvoisin commented Oct 9, 2016
edited
Loading

You can already to that via whitelisting, for example:

BasicRule "mz:$HEADERS_VAR_X:!(cookie)|$HEADERS_VAR_X:!(accept-encoding)|$HEADERS_VAR_X:!(accept-language)|$HEADERS_VAR_X:!(cache-control)|$HEADERS_VAR_X:!(connection)|$HEADERS_VAR_X:!(dnt)|$HEADERS_VAR_X:!(host)|$HEADERS_VAR_X:!(pragma)|$HEADERS_VAR_X:!(user-agent)";

It would be less ghetto to do it that way once #271 is fixed ;)

@selivan
Copy link
Contributor Author

selivan commented Oct 9, 2016
edited
Loading

Nope, this will allow all unknown headers and variables. That is dangerous: programmers can add new variables without notifying devops(actually, they do it sometimes, and then come to me arguing "why is the production broken?"), and this variables are left unfiltered. Or one of used frameworks/libraries can have "magic" headers or variables, we are not aware about. And they are left unfiltered. This approach weakens defense.

I want not just to whitelist, but to filter unknown variables/headers. So the defense is not weakened.

P.S. Voted up #271

@buixor
Copy link
Contributor

buixor commented Oct 11, 2016
edited by jvoisin
Loading

Hello @selivan,

If I understand correctly you really want to strip out all the variables that would not be specified by the naxsi_allowed_headers/naxsi_allowed_get_args etc?

@selivan
Copy link
Contributor Author

selivan commented Oct 11, 2016

Hi @buixor,

Yes, I want to strip them out. That will prevent sloppy queries from being blocked, yet not weakening the security. Actually, it will strengthen security a little.

@buixor
Copy link
Contributor

buixor commented Oct 14, 2016

Hello,

We will consider, however, it would require really altering the incoming request, which has quite a lot of implications. Thanks for the idea anyway :)

@selivan
Copy link
Contributor Author

selivan commented Oct 14, 2016

You are welcome :) I am not expecting this to be done any time soon, but it would be helpful for use cases like ours.

@mremande mremande closed this as completed Nov 8, 2023
@selivan selivan mentioned this issue Nov 8, 2023
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@buixor buixor

Labels
enhancement question Usability
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jvoisin @buixor @selivan @mremande