Latest release

0.56

@buixor buixor released this Jun 27, 2018

This release mostly aims at integrating HTTP2 support into naxsi.

  • http2 support (1289e50, 1c8ce05)
  • improvement : Avoid rule collision on virtual-patching (ec4ce3e)
  • fix a potential null-byte issue on form/url-encoded POST payloads
  • added a new internal rule 19 to allow users to only rely on lib-injection (951123a)
  • improved json parsing (this is useful if you're doing CSP) (#420)
  • make naxsi more verbose in case of user-induced errors (#424 #311)

0.56rc1: Collision reduce (#401)

@buixor buixor released this Nov 7, 2017 · 11 commits to master since this release

This release mostly aims at integrating HTTP2 support into naxsi.

  • http2 support (1289e50, 1c8ce05)
  • improvement : Avoid rule collision on virtual-patching (ec4ce3e)
  • fix a potential null-byte issue on form/url-encoded POST payloads

0.55.3

@buixor buixor released this Feb 14, 2017 · 37 commits to master since this release

Version 0.55.3 fixed a bug where two rules in LOG and a DROP could conflict if a request was tagged as DROP but not BLOCK.

makefile, not war

@buixor buixor released this Feb 6, 2017 · 42 commits to master since this release

Version 0.55.2 fixed a bug where, when two consecutive virtual-patching rules on the same zone were checked, a matchzone mismatch on the first one would make the following one fail as well.

makefile, not war

@blotus blotus released this Sep 16, 2016

Version 0.55.1 fixes a build issue when naxsi was used with mod_lua and other modules.

makefile, not war

@buixor buixor released this Sep 13, 2016 · 54 commits to master since this release

Version 0.55 brings one main improvement :

It also brings some bug-fixes :

  • Refuse to load with incoherent rules : #283
  • Fixed some matchzone bugs that could lead to rules being incorrectly triggered : #282 #279
  • Better^WLess worse Makefile

This should be the last release with nxapi/nxtool included, as it's being rewritten.

As usual, happy hacking and feedback is welcome !

makefile, not war

@buixor buixor released this May 19, 2016 · 101 commits to master since this release

This is RC2 for naxsi 0.55 :

NEW

  • Added support for RAW_BODY (rules to be matched against the full, raw body. Can be useful to match rules against unparsed content : XML, serialized java objects etc.)
  • Confirmed support as a dynamic module (introduced in nginx 1.9.11)
  • Better libinjection integration (can be used to make virtual-patching)
      # drop any request that libinjection considers as SQLi (checked only in GET variable named "id")
      MainRule id:4242 "d:libinj_sql" "mz:$ARGS_VAR:id" "s:DROP";
  • Better blacklist matchzones (can now be as precise as whitelists)
      # matches "test" on variable named "aa" or "ab" as long as they target url "/foo"
      MainRule id:4241 "str:test" "mz:$URL:/foo|$ARGS_VAR:aa|$ARGS_VAR:ab" "s:$XSS:8";

BUGFIXES

makefile, not war

@buixor buixor released this Mar 25, 2016 · 148 commits to master since this release

This is release candidate for naxsi 0.55 :

  • Added support for RAW_BODY (rules to be matched against the full, raw body. Can be useful to match rules against unparsed content : XML, serialized java objects etc.)
  • Confirmed support as a dynamic module (introduced in nginx 1.9.11)
  • Better makefile for testing & dev, increased coverage
  • Minor bug-fixes (#120, #241, #217, #231)

gin-rodjeur

@buixor buixor released this Sep 29, 2015 · 229 commits to master since this release

CHANGES - CORE (from 0.53-2 "AppleJack") :

  • increased PCRE output vector from 6 to 30 (from 2 match groups to 10)
  • removed negative rule on content-types (naxsi_core.rules) as naxsi supports json
  • Fixed broken EXLOG on |NAME match zones (issues/110)
  • Integrated libinjection (xss/sqli)

CHANGES - NXAPI (from 0.53-2 "AppleJack") :

  • NXAPI can now generate negative whitelists based on variable type (i.e., it will block requests that do not match the rule).
  • Addition of coordinates to ES and country
  • Refuse to tag events without server name
  • Support of global_deny_rules and deny_rules
  • Support for regex in filters

Signed release : 2685AED4