-
Notifications
You must be signed in to change notification settings - Fork 606
Mode with filtering unknown variables/headers [enhancement] [idea] #321
Comments
You can already to that via whitelisting, for example:
It would be less ghetto to do it that way once #271 is fixed ;) |
Nope, this will allow all unknown headers and variables. That is dangerous: programmers can add new variables without notifying devops(actually, they do it sometimes, and then come to me arguing "why is the production broken?"), and this variables are left unfiltered. Or one of used frameworks/libraries can have "magic" headers or variables, we are not aware about. And they are left unfiltered. This approach weakens defense. I want not just to whitelist, but to filter unknown variables/headers. So the defense is not weakened. P.S. Voted up #271 |
Hello @selivan, If I understand correctly you really want to strip out all the variables that would not be specified by the |
Hi @buixor, Yes, I want to strip them out. That will prevent sloppy queries from being blocked, yet not weakening the security. Actually, it will strengthen security a little. |
Hello, We will consider, however, it would require really altering the incoming request, which has quite a lot of implications. Thanks for the idea anyway :) |
You are welcome :) I am not expecting this to be done any time soon, but it would be helpful for use cases like ours. |
Our webapp has API, that is used by our clients. They often implement it sloppily with a lot of mistakes, sending requests with additional variables, containing special symbols. This variables are not used by our application and so they are harmless. But naxsi blocks this requests anyway.
I suggest new mode for naxsi: allowed headers and
GET
/POST
variables are explicitly set, other are just filtered, without blocking query. This mode will not weaken protection, and will significantly reduce number of false positives.Something like this:
The text was updated successfully, but these errors were encountered: