2025-02-28 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article explains nginx-naxsi whitelist rules through worked examples. It is intended as a reference for anyone running naxsi who needs to exempt legitimate traffic from individual interception rules.
Whitelist rule syntax:

BasicRule wl:ID [negative] [mz:[$URL:target_url]|[match_zone]|[$ARGS_VAR:varname]|[$BODY_VARS:varname]|[$HEADERS_VAR:varname]|[NAME]]

wl:ID (White List ID) selects which interception rules are whitelisted:
wl:0 whitelists all interception rules
wl:42 whitelists the interception rule with ID 42
wl:42,41,43 whitelists the interception rules with IDs 42, 41 and 43
wl:-42 whitelists all interception rules except the one with ID 42

mz: (Match Zones) selects where in the request the whitelist applies:
ARGS: all GET parameters as a whole, e.g. foo=bar&in=%20
$ARGS_VAR: a GET parameter selected by name, e.g. foo or in within foo=bar&in=%20
$ARGS_VAR_X: GET parameters whose name matches a regular expression
HEADERS: all HTTP request headers as a whole
$HEADERS_VAR: an HTTP header selected by name
$HEADERS_VAR_X: HTTP headers whose name matches a regular expression
BODY: all POST parameters as a whole
$BODY_VAR: a POST parameter selected by name
$BODY_VAR_X: POST parameters whose name matches a regular expression
URL: the URL (the part before the ?)
$URL_X: URLs (the part before the ?) matching a regular expression
FILE_EXT: the file name (the name of the file sent in a POST upload)
Whitelist configuration example
Take rule #1000 as an example: rule #1000 filters SQL keywords such as select, update, delete and insert.

BasicRule wl:1000;
Completely disables interception rule #1000. Since no match zone is specified, the rule is whitelisted in all zones.

BasicRule wl:1000 "mz:$ARGS_VAR:foo";
Disables interception rule #1000 in the value of every GET parameter named foo.
A request such as http://mike.hi-linux.com/?foo=select * from demo is not filtered.

BasicRule wl:1000 "mz:$URL:/bar|ARGS";
Disables interception rule #1000 for the GET parameters of requests whose URL is /bar.
Requests like the following are not filtered:
http://mike.hi-linux.com/bar?my=select * from demo
http://mike.hi-linux.com/bar?from=weibo

BasicRule wl:1000 "mz:ARGS|NAME";
Disables interception rule #1000 for the parameter names (names only, not parameter values) of all GET requests.
The following request is not filtered:
http://mike.hi-linux.com/bar?from=weibo
The following request is filtered:
http://mike.hi-linux.com/bar?foo=select
Because select appears in a parameter value, it is outside the scope of this whitelist.

BasicRule wl:0 "mz:$URL_X:^/upload/(.*).(.*)$|URL";
Disables all interception rules for any request whose URL matches the regular expression ^/upload/(.*).(.*)$.
A request such as http://mike.hi-linux.com/upload/select.db is not filtered (interception rule #1000 would otherwise have been triggered).
Practical whitelist rules

# vi naxsi_BasicRule.conf
BasicRule wl:1010,1011 "mz:$ARGS_VAR:rd";
BasicRule wl:1015,1315 "mz:$HEADERS_VAR:cookie";
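To see how the wl:ID list and the mz: match zones above combine, here is a small evaluator that parses BasicRule whitelist lines and answers "would this interception rule, firing in this zone of this request, be whitelisted?". It is an added example written for this page, not naxsi's own code: the Whitelist and Hit classes, the helper names and the sample configuration (which mirrors the examples and the practical rules above) are constructed here, and the zone semantics follow the descriptions on this page rather than naxsi's source.

```python
"""Toy evaluator for naxsi BasicRule whitelist lines (added example, not naxsi code).

Models wl:ID / wl:0 / wl:-ID and the mz: zones described on the page so a
whitelist file can be checked against "what would this block rule have
matched?" cases before deployment. Classes and sample config are constructed.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

VAR_ZONES = {"ARGS_VAR": "ARGS", "HEADERS_VAR": "HEADERS", "BODY_VAR": "BODY"}
WHOLE_ZONES = {"ARGS", "HEADERS", "BODY", "URL", "FILE_EXT"}
NAMED_ZONES = {"ARGS", "HEADERS", "BODY"}  # a match here sits in a name or a value


@dataclass
class Whitelist:
    ids: set[int]                         # rule IDs listed after wl:
    all_rules: bool = False               # wl:0
    negate: bool = False                  # wl:-42 -> every rule except the listed ones
    url: Optional[str] = None             # $URL:/path (exact path before '?')
    url_rx: Optional[str] = None          # $URL_X:regex
    zones: set[str] = field(default_factory=set)   # ARGS|HEADERS|BODY|URL|FILE_EXT
    var: Optional[tuple[str, str]] = None      # (zone, name)  from $ARGS_VAR:foo etc.
    var_rx: Optional[tuple[str, str]] = None   # (zone, regex) from $ARGS_VAR_X:rx etc.
    name_only: bool = False               # |NAME -> parameter names, not values


@dataclass
class Hit:
    """An interception rule that fired, and where in the request it matched."""
    rule_id: int
    url: str                              # request path before '?'
    zone: str                             # ARGS, HEADERS, BODY, URL or FILE_EXT
    var_name: Optional[str] = None        # parameter/header the match belongs to
    in_name: bool = False                 # True if the match was inside the name


def _parse_zone(wl: Whitelist, part: str) -> None:
    if part.startswith("$URL_X:"):
        wl.url_rx = part.split(":", 1)[1]
    elif part.startswith("$URL:"):
        wl.url = part.split(":", 1)[1]
    elif part == "NAME":
        wl.name_only = True
    elif part in WHOLE_ZONES:
        wl.zones.add(part)
    else:
        for key, zone in VAR_ZONES.items():
            if part.startswith(f"${key}_X:"):
                wl.var_rx = (zone, part.split(":", 1)[1])
                return
            if part.startswith(f"${key}:"):
                wl.var = (zone, part.split(":", 1)[1])
                return
        raise ValueError(f"unknown match zone: {part!r}")


def parse_basic_rule(line: str) -> Whitelist:
    """Parse one `BasicRule wl:IDs ["mz:..."];` line."""
    tokens = shlex.split(line.strip().rstrip(";"))
    if len(tokens) < 2 or tokens[0] != "BasicRule" or not tokens[1].startswith("wl:"):
        raise ValueError(f"not a BasicRule whitelist: {line!r}")
    raw_ids = [int(x) for x in tokens[1][3:].split(",")]
    wl = Whitelist(ids=set())
    if raw_ids == [0]:
        wl.all_rules = True
    elif all(i < 0 for i in raw_ids):
        wl.ids, wl.negate = {-i for i in raw_ids}, True
    elif all(i > 0 for i in raw_ids):
        wl.ids = set(raw_ids)
    else:
        raise ValueError(f"cannot mix positive and negative IDs: {tokens[1]}")
    if len(tokens) > 2:
        if not tokens[2].startswith("mz:"):
            raise ValueError(f"expected mz: zone, got {tokens[2]!r}")
        # Tolerate the page's spacing around '|'; naxsi itself writes mz:$URL:/bar|ARGS.
        for part in tokens[2][3:].replace(" ", "").split("|"):
            _parse_zone(wl, part)
    return wl


def parse_config(text: str) -> list[Whitelist]:
    """Parse a naxsi_BasicRule.conf-style file, skipping blank and # comment lines."""
    return [parse_basic_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def covers(wl: Whitelist, hit: Hit) -> bool:
    """Does this single whitelist line suppress this hit?"""
    if not wl.all_rules and (hit.rule_id in wl.ids) == wl.negate:
        return False                      # not listed (or listed as an exception)
    if wl.url is not None and hit.url != wl.url:
        return False
    if wl.url_rx is not None and not re.search(wl.url_rx, hit.url):
        return False
    if wl.var is not None and (hit.zone, hit.var_name) != wl.var:
        return False
    if wl.var_rx is not None:
        zone, rx = wl.var_rx
        if hit.zone != zone or hit.var_name is None or not re.search(rx, hit.var_name):
            return False
    if wl.zones and hit.zone not in wl.zones:
        return False
    # Without |NAME a whitelist covers values only; with |NAME, names only.
    if hit.zone in NAMED_ZONES and wl.name_only != hit.in_name:
        return False
    return True


def is_whitelisted(rules: list[Whitelist], hit: Hit) -> bool:
    return any(covers(wl, hit) for wl in rules)


# Constructed sample config mirroring the page's examples and its practical rules.
SAMPLE_CONF = """
# rule 1000 = SQL keyword signature (select, update, delete, insert)
BasicRule wl:1000 "mz:$ARGS_VAR:foo";
BasicRule wl:1000 "mz:$URL:/bar|ARGS";
BasicRule wl:1000 "mz:ARGS|NAME";
BasicRule wl:0 "mz:$URL_X:^/upload/(.*).(.*)$|URL";
BasicRule wl:1010,1011 "mz:$ARGS_VAR:rd";
BasicRule wl:1015,1315 "mz:$HEADERS_VAR:cookie";
"""
RULES = parse_config(SAMPLE_CONF)

if __name__ == "__main__":
    cases = [
        Hit(1000, "/", "ARGS", "foo"),                  # ?foo=select * from demo
        Hit(1000, "/bar", "ARGS", "my"),                # /bar?my=select * from demo
        Hit(1000, "/", "ARGS", "from", in_name=True),   # ?from=weibo, match in the name
        Hit(1000, "/baz", "ARGS", "q"),                 # /baz?q=select -> still blocked
        Hit(1000, "/upload/select.db", "URL"),          # wl:0 for the /upload/ URL zone
        Hit(1315, "/", "HEADERS", "cookie"),
    ]
    for h in cases:
        verdict = "whitelisted" if is_whitelisted(RULES, h) else "BLOCKED"
        print(f"rule {h.rule_id} in {h.zone:<7} {h.url}: {verdict}")
```

Run as a script, it prints the verdict for each constructed hit; the interesting cases are the two that stay blocked, which show that `mz:ARGS|NAME` does not reach parameter values and that a `$URL_X:...|URL` whitelist says nothing about the ARGS zone of the same request.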