-
Notifications
You must be signed in to change notification settings - Fork 606
olds Philosophy
Technically, naxsi is a third party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple rules containing known patterns involved in websites vulnerabilities and exploitation. For example, <, | or drop are not supposed to be part of a URI.
Being very simple, those patterns may match legitimate queries, it is naxsi's administrator duty to add specific rules that will whitelist those legitimate behaviours. The administrator can either add whitelists manually by analysing nginx's error log, or (recommended) start the project by an intensive auto-learning phase that will automatically generate whitelisting rules regarding website's behaviour.
In short, Naxsi behaves like a DROP-by-default firewall, the only job needed is to add required ACCEPT rules for the target website to work properly.
As Naxsi relies on whitelists to avoid false positives (even more than with a "classic" WAF), it comes with a tool called nxapi that helps the administrator to create the appropriate whitelists for an application. If you are using common web applications 'out of the box', you might as well find pre-generated whitelists here
Naxsi relies on a positive model, which has multiple advantages, but comes with some extra constraints :
- Fast : Minimalist, Lightweight runtime processing
- Resilient : Signature-less design allows improved resilience against obfuscated / complex attacks
- Update independent : Signature-less design allows sustainable security, even without updates
- Configuration : Positive approach requires a heavier whitelisting process than negative model
- Not Idiot Proof : As naxsi behaves like a network firewall, if you are setting up too laxist rules, your web application will not be protected correctly.