NAXSI: Nginx Anti XSS & SQL Injection.

Testing XSS and SQL injection against the Nginx server


INTRODUCTION TO NAXSI

Naxsi ships its own core ruleset and can be extended with user-specific rulesets. Configuration is done in the Nginx configuration itself. Because each rule contributes a score and the thresholds that trigger a block are configurable, the WAF can be tuned to different environments and web applications.

Naxsi can inspect different parts of a request, such as the URL, request parameters, cookies, headers, or the POST body, and it can be switched on or off per location in the Nginx configuration. Automatic whitelist creation makes it easy to deploy the firewall upstream and rule out 100 percent of false positives. Other tools, such as NX-Utils and Doxi, help with administration, report generation, and ruleset updates.

Naxsi comes with NX-Utils, which is very useful for generating whitelists and reports. The NX-Utils collection includes an intercept mode, which stores requests blocked by the WAF in a database for later reports and whitelists, and a report mode, which visualizes the stored events. NX-Utils is still under development; a later version is expected to provide improved report processing and filtering so that WAF events can be analyzed more precisely.

Modes: Live vs. Learning

Naxsi can operate in two modes: Live and Learning (Figure 3). Like any WAF or IDS, Naxsi must be adapted to the application. Developers take very different approaches when programming web applications; for instance, 2KB cookies holding large chunks of disorganized data are not uncommon and push even experienced WAF admins to the brink of madness. For such cases, Learning mode lets you exercise an application fully behind a protected test domain and generate appropriate whitelists from the recorded requests and events, which you can then feed to an active WAF in Live operation.

[Figure 3: Naxsi modes, Live vs. Learning]

In Learning mode, requests are logged but not blocked. Whitelists can be generated from the false positives so that they do not recur in Live operation.

INSTALLATION OF NAXSI AND INTEGRATION WITH NGINX

Install the required build dependencies:

yum install -y perl perl-devel perl-ExtUtils-Embed libxslt libxslt-devel libxml2 libxml2-devel gd gd-devel GeoIP GeoIP-devel

Check your nginx version so that the matching source version can be downloaded and the Naxsi module compiled against it:

nginx -v
wget http://nginx.org/download/nginx-1.20.1.tar.gz && tar xzf nginx-1.20.1.tar.gz

Download Perl Compatible Regular Expressions:

wget https://udomain.dl.sourceforge.net/project/pcre/pcre/8.40/pcre-8.40.tar.gz --no-check-certificate && tar xzf pcre-8.40.tar.gz

Download the zlib library:

wget https://zlib.net/fossils/zlib-1.2.11.tar.gz && tar xzf zlib-1.2.11.tar.gz

Download OpenSSL:

wget https://www.openssl.org/source/openssl-1.1.0f.tar.gz && tar xzf openssl-1.1.0f.tar.gz

Download NAXSI:

wget https://github.com/nbs-system/naxsi/archive/master.zip && unzip master.zip

Change into the nginx source directory extracted earlier and run configure with the options below; the Naxsi module is compiled in with --add-module:

./configure --prefix=/etc/nginx \
      --sbin-path=/usr/sbin/nginx \
      --modules-path=/usr/lib64/nginx/modules \
      --conf-path=/etc/nginx/nginx.conf \
      --error-log-path=/var/log/nginx/error.log \
      --pid-path=/var/run/nginx.pid \
      --lock-path=/var/run/nginx.lock \
      --user=nginx \
      --group=nginx \
      --add-module=../naxsi-master/naxsi_src \
      --build=CentOS \
      --builddir=nginx-1.14.0 \
      --with-select_module \
      --with-poll_module \
      --with-threads \
      --with-file-aio \
      --with-http_ssl_module \
      --with-http_v2_module \
      --with-http_realip_module \
      --with-http_addition_module \
      --with-http_xslt_module=dynamic \
      --with-http_image_filter_module=dynamic \
      --with-http_geoip_module=dynamic \
      --with-http_sub_module \
      --with-http_dav_module \
      --with-http_flv_module \
      --with-http_mp4_module \
      --with-http_gunzip_module \
      --with-http_gzip_static_module \
      --with-http_auth_request_module \
      --with-http_random_index_module \
      --with-http_secure_link_module \
      --with-http_degradation_module \
      --with-http_slice_module \
      --with-http_stub_status_module \
      --http-log-path=/var/log/nginx/access.log \
      --http-client-body-temp-path=/var/cache/nginx/client_temp \
      --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
      --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
      --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
      --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
      --with-mail=dynamic \
      --with-mail_ssl_module \
      --with-stream=dynamic \
      --with-stream_ssl_module \
      --with-stream_realip_module \
      --with-stream_geoip_module=dynamic \
      --with-stream_ssl_preread_module \
      --with-compat \
      --with-pcre=../pcre-8.40 \
      --with-pcre-jit \
      --with-zlib=../zlib-1.2.11 \
      --with-openssl=../openssl-1.1.0f \
      --with-openssl-opt=no-nextprotoneg \
      --with-debug

Install the GCC C++ compiler:

yum install gcc-c++

Compile and install nginx together with the Naxsi module:

make
make install

Now create a symlink from /usr/lib64/nginx/modules to /etc/nginx/modules, so that dynamic modules can be loaded in the nginx configuration with a directive such as load_module modules/ngx_foo_module.so;

sudo ln -s /usr/lib64/nginx/modules /etc/nginx/modules

Check the nginx configuration:

sudo nginx -t

Reload systemd, then enable and start nginx:

systemctl daemon-reload
systemctl enable nginx
systemctl start nginx

Change into the naxsi-master folder and copy naxsi_core.rules (it lives in the naxsi_config subdirectory of the checkout) to /etc/nginx:

cp naxsi_config/naxsi_core.rules /etc/nginx

Open the nginx configuration file and add these two include lines as shown below:

include /etc/nginx/naxsi_core.rules;
include /etc/nginx/naxsi.rules;

You may have noticed that naxsi.rules does not exist in /etc/nginx/ yet, so create the file:

vi /etc/nginx/naxsi.rules

As mentioned in the introduction, Naxsi has two modes. In this document I use Live mode to block all the payloads: open /etc/nginx/naxsi.rules and comment out the LearningMode directive.

[Screenshot: naxsi.rules with the LearningMode directive commented out]
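A complete Live-mode naxsi.rules and the nginx location snippet it is included from, written as an added shell example; it is not a file from this post or from the Naxsi project. It writes into an assumed NAXSI_DIR (default /etc/nginx, as in the post), uses the score thresholds from Naxsi's documented example configuration, and adds a check that reports whether the file is in Live or Learning mode, which is worth running before every reload so a file left in Learning mode never reaches production unnoticed.

```shell
#!/bin/sh
# Added example (not from the original post): write a Live-mode naxsi.rules
# and the matching location snippet, then verify which mode the file is in
# before reloading nginx. NAXSI_DIR is an assumed variable so this can be
# tried in a scratch directory; the post puts the file in /etc/nginx.
NAXSI_DIR="${NAXSI_DIR:-/etc/nginx}"

# Writes naxsi.rules with LearningMode commented out (Live mode) and the
# score thresholds from Naxsi's documented example configuration.
write_naxsi_rules() {
    dir="$1"
    cat > "$dir/naxsi.rules" <<'EOF'
SecRulesEnabled;
#LearningMode;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
EOF
}

# Writes the server-side snippet: naxsi.rules is included per location
# (naxsi_core.rules belongs in the http block, as in the post), and the
# DeniedUrl location answers blocked requests with a 404.
write_location_snippet() {
    dir="$1"
    cat > "$dir/naxsi_location.conf" <<'EOF'
location / {
    include /etc/nginx/naxsi.rules;
    root /usr/share/nginx/html;   # assumed document root
}
location /RequestDenied {
    internal;
    return 404;
}
EOF
}

# Prints "learning" when an active (uncommented) LearningMode directive is
# present, otherwise "live".
naxsi_mode() {
    if grep -Eq '^[[:space:]]*LearningMode[[:space:]]*;' "$1"; then
        echo learning
    else
        echo live
    fi
}

# Counts the CheckRule thresholds actually configured; a file with none
# would never block anything even with LearningMode disabled.
count_check_rules() {
    grep -c '^CheckRule' "$1"
}

# Only touch NAXSI_DIR when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "--write" ]; then
    write_naxsi_rules "$NAXSI_DIR"
    write_location_snippet "$NAXSI_DIR"
    echo "naxsi.rules mode: $(naxsi_mode "$NAXSI_DIR/naxsi.rules")"
    echo "CheckRule thresholds: $(count_check_rules "$NAXSI_DIR/naxsi.rules")"
fi
```

Run it as `NAXSI_DIR=/etc/nginx sh naxsi_live.sh --write` (or with a scratch NAXSI_DIR first), then `nginx -t` and reload. Note the placement: naxsi_core.rules (the MainRule definitions) is included in the http block, while naxsi.rules carries per-location directives and must be included inside the location you want protected; the internal /RequestDenied location is what turns a blocked request into the 404 seen in the tests further down.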

Testing XSS on the website.

The URL carries an XSS payload. Because Live mode is enabled, Naxsi blocks the request, serves the 404 error page and writes a log entry.

[Screenshot: the XSS test request answered with a 404]

Because NAXSI is a third-party module integrated into NGINX, its log entries are written to the NGINX error log.

[Screenshot: the NAXSI entry for the XSS test in the NGINX error log]

Testing SQL injection on the website.

The URL carries a SQL injection payload. Because Live mode is enabled, Naxsi blocks the request, serves the 404 error page and writes a log entry.

[Screenshot: the SQL injection test request answered with a 404]

As with the XSS test, the NAXSI entry for this request appears in the NGINX error log.

[Screenshot: the NAXSI entry for the SQL injection test in the NGINX error log]
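To make those error-log entries usable without a screenshot, here is an added shell example (not from this post or from the Naxsi project) that pulls the NAXSI_FMT lines out of an error log and prints, per event, the client IP, the URI, whether the request was actually blocked and which rule ids fired in which zone and variable. The sample log lines are constructed to follow the NAXSI_FMT layout, trimmed after the client field; the rule ids in them are illustrative. The third sample line shows the Learning-mode case from earlier in the post: the hit is logged with learning=1 and block=0, so it must not be counted as a block.

```shell
#!/bin/sh
# Added example (not from the original post): summarise Naxsi events from
# the nginx error log. Naxsi writes one "NAXSI_FMT:" line per offending
# request as &-separated key=value pairs; blocked requests carry block=1,
# while Learning-mode hits are logged with learning=1 and block=0.

# Constructed sample log (not a real capture); lines are trimmed after the
# "client:" field and the rule ids are illustrative.
sample_log() {
    cat <<'EOF'
2021/08/10 12:00:01 [error] 1234#0: *5 NAXSI_FMT: ip=192.0.2.10&server=www.example.test&uri=/search&learning=0&vers=1.3&total_processed=12&total_blocked=1&block=1&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=q, client: 192.0.2.10
2021/08/10 12:00:02 [error] 1234#0: *6 NAXSI_FMT: ip=192.0.2.11&server=www.example.test&uri=/login&learning=0&vers=1.3&total_processed=13&total_blocked=2&block=1&cscore0=$SQL&score0=8&cscore1=$XSS&score1=16&zone0=ARGS&id0=1013&var_name0=user&zone1=ARGS&id1=1000&var_name1=user, client: 192.0.2.11
2021/08/10 12:00:03 [error] 1234#0: *7 NAXSI_FMT: ip=192.0.2.12&server=www.example.test&uri=/api&learning=1&vers=1.3&total_processed=14&total_blocked=2&block=0&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=q, client: 192.0.2.12
2021/08/10 12:00:04 [notice] 1234#0: signal process started
EOF
}

# One line per Naxsi event: "<ip> <uri> blocked|logged <id:zone:var> ...".
naxsi_events() {
    grep 'NAXSI_FMT:' "$1" | awk '{
        s = $0
        sub(/.*NAXSI_FMT: /, "", s)      # drop the nginx prefix
        sub(/, client:.*/, "", s)        # drop the trailing nginx fields
        n = split(s, kv, "&")
        split("", f)                     # reset the key/value map per line
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            f[substr(kv[i], 1, eq - 1)] = substr(kv[i], eq + 1)
        }
        ids = ""
        for (j = 0; ("id" j) in f; j++)  # id0, id1, ... until one is missing
            ids = ids (j ? " " : "") f["id" j] ":" f["zone" j] ":" f["var_name" j]
        printf "%s %s %s %s\n", f["ip"], f["uri"], (f["block"] == "1" ? "blocked" : "logged"), ids
    }'
}

# Number of requests Naxsi actually blocked (Learning-mode hits excluded).
count_blocked() {
    naxsi_events "$1" | grep -c ' blocked '
}

# Rule ids ranked by how often they fired: the starting point for deciding
# which hits are false positives that need a whitelist.
rule_id_histogram() {
    naxsi_events "$1" | awk '{ for (i = 4; i <= NF; i++) { split($i, p, ":"); print p[1] } }' \
        | sort | uniq -c | sort -rn
}

# With a readable log path as argument, summarise it; without one, do
# nothing so the functions can be sourced.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    naxsi_events "$1"
    echo "blocked: $(count_blocked "$1")"
    rule_id_histogram "$1"
fi
```

Run it as `sh naxsi_events.sh /var/log/nginx/error.log` on the server. The rule-id histogram is the usual first step after a Learning-mode run: ids that fire on legitimate traffic are the ones to whitelist before switching the location to Live.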