NAXSI is an open-source, high-performance, low-rules-maintenance WAF for NGINX.
Version 0.55 brings one main improvement:
It also brings some bug-fixes:
This should be the last release with nxapi/nxtool included, as it's being rewritten.
As usual, happy hacking, and feedback is welcome!
This is RC2 for naxsi 0.55:
NEW
# drop any request that libinjection considers as SQLi (checked only in GET variable named "id")
MainRule id:4242 "d:libinj_sql" "mz:$ARGS_VAR:id" "s:DROP";
# matches "test" on variable named "aa" or "ab" as long as they target url "/foo"
MainRule id:4241 "str:test" "mz:$URL:/foo|$ARGS_VAR:aa|$ARGS_VAR:ab" "s:$XSS:8";
BUGFIXES
This is release candidate for naxsi 0.55 :
CHANGES - CORE (from 0.53-2 "AppleJack") :
CHANGES - NXAPI (from 0.53-2 "AppleJack") :
Signed release : 2685AED4
Naxsi 0.54rc3
CHANGES - CORE :
CHANGES - NXAPI :
CHANGES - CORE :
CHANGES - NXAPI :
CHANGES - CORE :
CHANGES - NXAPI :
Minimal documentation for those wishing to try libinjection: libinjection is integrated as internal rules that increase $LIBINJECTION_XSS and/or $LIBINJECTION_SQL by 4 on a match. libinjection will be disabled by default, and needs to be turned on using either the directives LibInjectionXss / LibInjectionSql or the dynamic modifiers $naxsi_flag_libinjection_xss / $naxsi_flag_libinjection_sql. libinjection_sql/xss can of course be whitelisted by their IDs (libinjection_sql = 17 / libinjection_xss = 18).
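The libinjection settings described above, put together as an added configuration fragment (not taken from the NAXSI project). The location paths, the /RequestDenied URL, the argument name q and the chosen thresholds are assumptions, and the core rules are assumed to be loaded at http level.

```nginx
# Constructed example: server-level fragment for a NAXSI-enabled NGINX.
# Paths, the denied URL and the argument name "q" are assumptions.

location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";

    # libinjection is disabled by default; these directives turn it on
    # for this location.
    LibInjectionSql;
    LibInjectionXss;

    # A libinjection match raises the score by 4, so a threshold of 4
    # blocks as soon as one match is recorded.
    CheckRule "$LIBINJECTION_SQL >= 4" BLOCK;
    CheckRule "$LIBINJECTION_XSS >= 4" BLOCK;

    # Whitelist by internal rule ID (17 = libinjection_sql) for one
    # GET variable that legitimately carries SQL-looking text.
    # The XSS check (ID 18) stays active on that variable.
    BasicRule wl:17 "mz:$ARGS_VAR:q";
}

location /legacy/ {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";

    # Same feature enabled through the dynamic modifier instead of the
    # directive; the variable can also be set conditionally.
    set $naxsi_flag_libinjection_sql 1;

    # With a threshold of 8, a score of 4 stays below the limit and the
    # request is not blocked on that score alone.
    CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
}

location /RequestDenied {
    return 403;
}
```

Without a CheckRule on $LIBINJECTION_SQL or $LIBINJECTION_XSS, enabling libinjection only raises the score and triggers no action, so the threshold lines are what decide whether a match blocks.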
Changes from 0.53-1:
Release of naxsi 0.53-1 :
Naxsi-core 0.53-1 brings a lot of important features :
And of course, various bugfixes :
Extras :