
@buixor buixor released this Jun 27, 2018 · 18 commits to master since this release

This release mostly aims at integrating HTTP2 support into naxsi.

  • http2 support (1289e50, 1c8ce05)
  • improvement : Avoid rule collision on virtual-patching (ec4ce3e)
  • fix a potential null-byte issue on form/url-encoded POST payloads
  • added a new internal rule 19 to allow users to only rely on lib-injection (951123a)
  • improved json parsing (this is useful if you're doing CSP) (#420)
  • make naxsi more verbose in case of user-induced errors (#424, #311)

Jun 19, 2018
add internal rule with id #19 that is triggered when no MainRules are present
Pre-release

@buixor buixor released this Nov 7, 2017 · 29 commits to master since this release

This release mostly aims at integrating HTTP2 support into naxsi.

  • http2 support (1289e50, 1c8ce05)
  • improvement : Avoid rule collision on virtual-patching (ec4ce3e)
  • fix a potential null-byte issue on form/url-encoded POST payloads

@buixor buixor released this Feb 14, 2017 · 55 commits to master since this release

Version 0.55.3 fixed a bug where two rules in LOG and a DROP could conflict if a request was tagged as DROP but not BLOCK.


@buixor buixor released this Feb 6, 2017 · 60 commits to master since this release

Version 0.55.2 fixed a bug where, when two consecutive virtual-patching rules on the same zone were checked, a matchzone mismatch on the first one would make the following one fail as well.


@blotus blotus released this Sep 16, 2016

Version 0.55.1 fixes a build issue when naxsi was used with mod_lua and other modules.


@buixor buixor released this Sep 13, 2016 · 72 commits to master since this release

Version 0.55 brings one main improvement :

It also brings some bug-fixes :

  • Refuse to load with incoherent rules : #283
  • Fixed some matchzone bugs that could lead to rules being incorrectly triggered : #282 #279
  • Better^WLess worse Makefile

This should be the last release with nxapi/nxtool included, as it's being rewritten.

As usual, happy hacking and feedback is welcome !

Pre-release

@buixor buixor released this May 19, 2016 · 119 commits to master since this release

This is RC2 for naxsi 0.55 :

NEW

  • Added support for RAW_BODY (rules to be matched against the full, raw body. Can be useful to match rules against unparsed content : XML, serialized java objects etc.)
  • Confirmed support as a dynamic module (introduced in nginx 1.9.11)
  • Better libinjection integration (can be used to make virtual-patching)
      # drop any request that libinjection considers as SQLi (checked only in GET variable named "id")
      MainRule id:4242 "d:libinj_sql" "mz:$ARGS_VAR:id" "s:DROP";
  • Better blacklist matchzones (can now be as precise as whitelists)
      # matches "test" on variable named "aa" or "ab" as long as they target url "/foo"
      MainRule id:4241 "str:test" "mz:$URL:/foo|$ARGS_VAR:aa|$ARGS_VAR:ab" "s:$XSS:8";

BUGFIXES

Pre-release

@buixor buixor released this Mar 25, 2016 · 166 commits to master since this release

This is release candidate for naxsi 0.55 :

  • Added support for RAW_BODY (rules to be matched against the full, raw body. Can be useful to match rules against unparsed content : XML, serialized java objects etc.)
  • Confirmed support as a dynamic module (introduced in nginx 1.9.11)
  • Better makefile for testing & dev, increased coverage
  • Minor bug-fixes (#120, #241, #217, #231)

@buixor buixor released this Sep 29, 2015 · 247 commits to master since this release

CHANGES - CORE (from 0.53-2 "AppleJack") :

  • increased PCRE output vector from 6 to 30 (from 2 match groups to 10)
  • removed negative rule on content-types (naxsi_core.rules) as naxsi supports json
  • Fixed broken EXLOG on |NAME match zones (issues/110)
  • Integrated libinjection (xss/sqli)

CHANGES - NXAPI (from 0.53-2 "AppleJack") :

  • NXAPI can now generate negative whitelists based on variable type (i.e., it will block requests that do not match the rule).
  • Added coordinates to ES and country
  • Refuse to tag events without server name
  • Support of global_deny_rules and deny_rules
  • Support for regex in filters

Signed release : 2685AED4
