Artificial truth

The more you see, the less you believe.


Type your web-application parameters with naxsi
Sun 29 March 2015

Since I started my internship at NBS, I've been playing a lot with naxsi. It's a simple-stupid WAF, with basic rules that should keep the kiddies away.

It has an auto-learning mode: you feed an Elasticsearch instance with legitimate traffic (captured on a reverse proxy, for example), and it does its best to generate whitelists for your applications, since the default rules are pretty strict. Every module and tool for naxsi works on this model.

Since not everyone has an Elasticsearch instance, I rewrote the typification module so that it can now be fed with logs in the combined log format (CLF) instead.

It reads your logs, parses your GET parameters, tries to find the narrowest type for each of them, and outputs naxsi rules, for example:

$ python typer.py /var/log/nginx/dog-nail-art.com.access.log
BasicRule negative "rx:^[0-9a-z?&=+_-]+$" "msg:typed (url parameter) parameter" "mz:$ARGS_VAR:feed" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:ac" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:utm_content" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:fbconnect_action" "s:BLOCK";
BasicRule negative "rx:^[01]$" "msg:typed (boolean) parameter" "mz:$ARGS_VAR:bad_day" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:utm_campaign" "s:BLOCK";
BasicRule negative "rx:^[01]$" "msg:typed (boolean) parameter" "mz:$ARGS_VAR:author" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:gf_page" "s:BLOCK";
BasicRule negative "rx:^[01]$" "msg:typed (boolean) parameter" "mz:$ARGS_VAR:badday" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:utm_medium" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:type" "s:BLOCK";
BasicRule negative "rx:^[0-9a-f]+$" "msg:typed (hexadecimal) parameter" "mz:$ARGS_VAR:format" "s:BLOCK";
BasicRule negative "rx:^\d+$" "msg:typed (integer) parameter" "mz:$ARGS_VAR:paged" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:lang" "s:BLOCK";
BasicRule negative "rx:^\d+$" "msg:typed (integer) parameter" "mz:$ARGS_VAR:page_id" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:cmd" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:m" "s:BLOCK";
BasicRule negative "rx:^\d+$" "msg:typed (integer) parameter" "mz:$ARGS_VAR:cat" "s:BLOCK";
BasicRule negative "rx:^\d+$" "msg:typed (integer) parameter" "mz:$ARGS_VAR:p" "s:BLOCK";
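The narrowing step described above, as an added example that is not the post's typer.py: it parses the request line out of combined-format log entries, collects every value seen for each GET parameter, and picks the narrowest type whose class covers all of them. The type names, regexes and BasicRule format are taken from the rules printed above; the log-line regex, the narrowest-to-widest ordering, the lowercasing of values, the min_hits threshold and the sample log lines are assumptions made here.

```python
"""Infer the narrowest naxsi type for each GET parameter seen in combined-format
(CLF) nginx logs and print a BasicRule per parameter.

Added example, not the typer.py from the post: the type names, regexes and
BasicRule format come from the rules shown on the page; the log parsing, the
narrowing order and the min_hits threshold are assumptions made here."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Types ordered from narrowest to widest; each class is a strict subset of the
# next, so the first one matching every observed value is the narrowest fit.
TYPES = [
    ("boolean",       r"^[01]$"),
    ("integer",       r"^\d+$"),
    ("hexadecimal",   r"^[0-9a-f]+$"),
    ("alphanum",      r"^[0-9a-z]+$"),
    ("url parameter", r"^[0-9a-z?&=+_-]+$"),
]
COMPILED = [(name, re.compile(rx)) for name, rx in TYPES]

# Request line inside a CLF entry: method, target and protocol between quotes.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def extract_get_params(log_line):
    """Return (name, value) pairs from the query string of a GET request line,
    or [] for non-GET lines and lines that do not look like CLF."""
    m = REQUEST_RE.search(log_line)
    if m is None or m.group("method") != "GET":
        return []
    query = urlsplit(m.group("target")).query
    # keep_blank_values so `?debug=` is still recorded as a parameter
    return parse_qsl(query, keep_blank_values=True)


def narrowest_type(values):
    """Name and regex of the narrowest type matching every value, or None.
    Values are lowercased first because the page's classes are lowercase-only
    (an assumption made here, not something the post states)."""
    lowered = [v.lower() for v in values]
    if not lowered:
        return None
    for name, rx in COMPILED:
        if all(rx.match(v) for v in lowered):
            return name, rx.pattern
    return None  # too varied for any class: emit nothing rather than a wrong rule


def type_parameters(log_lines, min_hits=1):
    """Map each parameter name to its narrowest (type, regex), skipping names
    seen fewer than min_hits times or whose values no class covers."""
    seen = defaultdict(list)
    for line in log_lines:
        for name, value in extract_get_params(line):
            seen[name].append(value)
    typed = {}
    for name, values in seen.items():
        if len(values) < min_hits:
            continue
        t = narrowest_type(values)
        if t is not None:
            typed[name] = t
    return typed


def to_basic_rules(typed):
    """Render naxsi BasicRule lines in the format shown in the post."""
    return [
        'BasicRule negative "rx:%s" "msg:typed (%s) parameter" "mz:$ARGS_VAR:%s" "s:BLOCK";'
        % (rx, tname, name)
        for name, (tname, rx) in sorted(typed.items())
    ]


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Mar/2015:10:00:01 +0200] "GET /?p=12&author=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Mar/2015:10:00:02 +0200] "GET /?p=7&author=0&cat=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Mar/2015:10:00:03 +0200] "GET /?format=deadbeef&lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Mar/2015:10:00:04 +0200] "GET /?feed=a%3Db%26c%3Dd&q=%27+OR+1%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Mar/2015:10:00:05 +0200] "POST /wp-login.php?redirect=9 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for rule in to_basic_rules(type_parameters(SAMPLE_LOG)):
        print(rule)
```

Two behaviours are worth noticing on the sample: the `q` parameter, whose only observed value contains a quote and spaces, fits no class and therefore gets no rule at all, which is the safe failure mode for a whitelist generator; and raising `min_hits` drops parameters seen only once, so a single odd request in the training window cannot produce a rule on its own.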

You may find this useful if you're hosting web applications with outdated and exploitable plugins.