Naxsi, an open source WAF for Nginx


Upload: positive-hack-days

Post on 05-Dec-2014



TRANSCRIPT

Page 1: Naxsi, an open source WAF  for Nginx

©NBS System – Sécurité – Hébergement - Infogérance (Security – Hosting – Managed Services) – www.nbs-system.com


Page 2: Naxsi, an open source WAF  for Nginx


Page 3: Naxsi, an open source WAF  for Nginx


A bit of background

(Seems webapp security is a good starter to talk about WAFs)


Page 4: Naxsi, an open source WAF  for Nginx


• Low technical skill needed to exploit most vulnerabilities (SQLi)
• Most actors have not reached a good awareness level yet

The overall security level of web applications evolves slowly, or at least not fast enough
(Chart: number of defacements per year, source: zone-h)

Because of these factors, the number of attacks is growing dramatically

Page 5: Naxsi, an open source WAF  for Nginx


• Just for May 2012:
  • Governments or affiliated:
    • France
    • Bahrain
    • US
    • Thailand
    • Canada
    • Israel
    • …
  • More than 300k accounts dumped each month

In Russia, files include you …

Page 6: Naxsi, an open source WAF  for Nginx


(Chart: Web apps vs. Classic IT)

Page 7: Naxsi, an open source WAF  for Nginx


• Best mitigation: patch
• Not always possible:
  • Very complex or critical webapp
  • Lack of skill, knowledge lost

Your webapp's security level can only be known once you have performed an (expensive?) security test on it.

Page 8: Naxsi, an open source WAF  for Nginx


• When code patching is not an option: Web Application Firewalls
  • Commercial WAFs:
    • Not very affordable for small companies or big infrastructures
    • Extremely unequal quality
  • Open source WAFs:
    • Performance issues
    • Maybe not « corporate » enough for most users?
    • Maintenance time

Page 9: Naxsi, an open source WAF  for Nginx


• As a pentester:
  • Web sites are still one of the most vulnerable entry points on a network
  • And one of the most exposed as well!
• As a hoster:
  • Website owners, even when the web is their core business, lack security awareness … and get owned
• As a security consultant:
  • CISOs / administrators are still frightened of WAFs' side effects
  • And the ones using WAFs will only go for big, expensive, corporate solutions (Hi Imperva!)

WHY U NO PROTECT ?

Page 10: Naxsi, an open source WAF  for Nginx


Enough teasing !

(and enough jokes)


Page 11: Naxsi, an open source WAF  for Nginx


• When studying the idea of offering hardened web hosting for some of our clients, we came across several problems:
  • Commercial WAFs are way too expensive for big infrastructures (especially with a lot of small/medium clients)
  • Open source WAFs (mod_security) are not fast enough (meaning: you filter POST requests only, if you don't want to damage the user experience)
  • Both kinds require a huge investment to keep security signatures up to date

Page 12: Naxsi, an open source WAF  for Nginx


• (Apr 2011) The Naxsi project idea was born:
  • Hoster-compliant WAF:
    • Performance / scalability
    • Production-grade WAF
  • A WAF that doesn't require signatures / updates
    • Only when your site's code base changes
  • And because defense is, for once, more fun than attack

Page 13: Naxsi, an open source WAF  for Nginx


• Naxsi's design is closer to a stateless firewall than to an anti-virus
  • Most WAFs are more web anti-viruses than firewalls
  • They rely on a big, heavy, frequently updated base of signatures
• On the other hand, Naxsi does rely on signatures, but not in the way you might think

Page 14: Naxsi, an open source WAF  for Nginx


• Naxsi relies on ~35 rules, targeting: SQLi, XSS, RFI/LFI, file uploads …
• A rule is defined as:
  • A pattern (most of the time, one character; here: ' )
  • Scores (indicating the kind of threat it's linked to; here both SQL and XSS)
  • Match zones
  • And a unique ID

MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;

• When a request reaches a « limit » score, an action is taken upon the request:

CheckRule "$SQL >= 8" BLOCK;

• Leaves a lot of room for fine-tuning

Page 15: Naxsi, an open source WAF  for Nginx


• This naive approach has several advantages:
  • Fast: no massive, expensive regex set to process
  • Naive design: Naxsi doesn't try to understand incoming requests. No need for complex/costly transformation functions
  • Predictability: not relying on « real » signatures makes bypasses less likely
  • Small & auditable code: <4K LOC
• But it comes with a price:
  • Whitelist configuration!

Page 16: Naxsi, an open source WAF  for Nginx


Naxsi, a tweakable WAF


Page 17: Naxsi, an open source WAF  for Nginx


• Naxsi offers two « main » modes:
  • Normal mode: « blocked » requests are redirected to a specific location
  • Learning mode: « to-be-blocked » requests are simply « copied » to a specific location, and the original request is processed transparently
• Redirecting requests rather than « blocking » them offers various possibilities for blocked requests:
  • Return a specific error code to the user (HTTP 418: I'm a teapot)
  • Return a static page
  • Redirect the user to a dynamic page (with captcha) to report false positives
  • Anything LUA/PHP/<language> allows you to do
• Redirected requests contain both the original request arguments and the « naxsi signature » (in HTTP headers):

ip=x.x.x.x&server=xx.ru&uri=/&total_processed=1&total_blocked=1&zone0=HEADERS&id0=1308&var_name0=cookie&zone1=HEADERS&id1=1309&var_name1=cookie

Page 18: Naxsi, an open source WAF  for Nginx


Naxsi in test bed

« Reliability of naxsi model versus obfuscated patterns »


Page 19: Naxsi, an open source WAF  for Nginx


Payload as sent:
0 div 1 union#foo*/*bar select#foo 1,2,current_user

Payload as MySQL parses it (comments stripped):
0 div 1 union select 1,2,current_user

mod_sec: the transformation applied to comments leads to a bypass.
Naxsi: 2 SQL keywords, 4 SQL comments, blocked early

Page 20: Naxsi, an open source WAF  for Nginx


hUserId=22768&FromDate=a1%27+or&ToDate=%3C%3Eamount+and%27

mod_sec: victim of fragmentation (attack split across several parameters)
Naxsi: evaluates the whole request, sees multiple quotes, brackets, parentheses

Decoded: hUserId=22768&FromDate=a1' or&ToDate=<>amount and'
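To make the scoring model of page 14 and the two test-bed cases of pages 19 and 20 concrete, here is a small Python model of it. This is an added example, not code from the deck or from the naxsi project. The rule set is a constructed subset written in the MainRule/CheckRule syntax of the slide; its IDs and messages follow the numbering the deck quotes (1005, 1010, 1011, 1013) but it is not the project's core.rules file. Counting every occurrence of a pattern, comparing str patterns case-insensitively, and the small set of zone names handled are simplifications chosen for this model; the parameter name `id` carrying the page-19 payload is also constructed.

```python
import re
import shlex
from urllib.parse import parse_qsl, quote, unquote

# Constructed rule subset in the MainRule / CheckRule syntax of the slide.
# IDs and messages follow the numbering quoted in the deck; this is a teaching
# subset, not naxsi's core.rules.
RULES_TEXT = r'''
MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
MainRule "str:|" "msg:mysql keyword (|)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
MainRule "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
MainRule "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
MainRule "str:," "msg:comma" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$XSS >= 10" BLOCK;
'''

_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b, "==": lambda a, b: a == b}


def parse_rules(text):
    """Parse MainRule / CheckRule lines into rule dicts and (counter, op, limit, action) tuples."""
    rules, checks = [], []
    for line in text.splitlines():
        line = line.strip().rstrip(";")
        if line.startswith("MainRule"):
            rule = {"scores": {}, "zones": []}
            for field in shlex.split(line)[1:]:
                kind, _, val = field.partition(":")
                if kind in ("str", "rx"):
                    rule["kind"], rule["pattern"] = kind, val
                elif kind == "msg":
                    rule["msg"] = val
                elif kind == "mz":
                    rule["zones"] = val.split("|")
                elif kind == "s":
                    for part in val.split(","):
                        counter, _, points = part.partition(":")
                        rule["scores"][counter] = int(points)
                elif kind == "id":
                    rule["id"] = int(val)
            rules.append(rule)
        elif line.startswith("CheckRule"):
            m = re.match(r'CheckRule\s+"(\$\w+)\s*(>=|<=|==|>|<)\s*(\d+)"\s+(\w+)', line)
            checks.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return rules, checks


def make_request(path, query="", body="", headers=None):
    """The decoded view the rules are matched against: URL-decoded path, parsed args/body, header names lower-cased."""
    return {"path": unquote(path),
            "args": dict(parse_qsl(query, keep_blank_values=True)),
            "body": dict(parse_qsl(body, keep_blank_values=True)),
            "headers": {k.lower(): v for k, v in (headers or {}).items()}}


def zone_values(req, zone):
    """Yield (var_name, value) pairs covered by one match zone."""
    if zone == "URL":
        yield "", req["path"]
    elif zone in ("ARGS", "BODY", "HEADERS"):
        yield from req[zone.lower()].items()
    elif zone.startswith("$HEADERS_VAR:"):
        name = zone.split(":", 1)[1].lower()
        if name in req["headers"]:
            yield name, req["headers"][name]


def count_matches(rule, value):
    # Model choice: every occurrence counts, str patterns are compared case-insensitively.
    if rule["kind"] == "str":
        return value.lower().count(rule["pattern"].lower())
    return len(re.findall(rule["pattern"], value, re.IGNORECASE))


def score_request(req, rules):
    """Return ({counter: total}, [(rule_id, zone, var_name, n_matches), ...]) for the whole request."""
    scores, hits = {}, []
    for rule in rules:
        for zone in rule["zones"]:
            for var_name, value in zone_values(req, zone):
                n = count_matches(rule, value)
                if n:
                    hits.append((rule["id"], zone, var_name, n))
                    for counter, points in rule["scores"].items():
                        scores[counter] = scores.get(counter, 0) + points * n
    return scores, hits


def decide(scores, checks):
    for counter, op, limit, action in checks:
        if _OPS[op](scores.get(counter, 0), limit):
            return action
    return "PASS"


RULES, CHECKS = parse_rules(RULES_TEXT)


def evaluate(path, query="", body="", headers=None):
    scores, hits = score_request(make_request(path, query, body, headers), RULES)
    return decide(scores, CHECKS), scores, hits


# Page 19: comment-obfuscated UNION SELECT in a single GET parameter (parameter name constructed).
OBFUSCATED = "id=" + quote("0 div 1 union#foo*/*bar select#foo 1,2,current_user")
# Page 20: the attack fragmented across two parameters, verbatim from the slide.
FRAGMENTED = "hUserId=22768&FromDate=a1%27+or&ToDate=%3C%3Eamount+and%27"

if __name__ == "__main__":
    for label, path, query in (("obfuscated", "/index.php", OBFUSCATED),
                               ("fragmented", "/report", FRAGMENTED),
                               ("benign", "/search", "q=red+shoes")):
        action, scores, hits = evaluate(path, query, headers={"Cookie": "sid=abc123"})
        print(f"{label:10} {action:5} {scores}")
        for rule_id, zone, var_name, n in hits:
            print(f"    id:{rule_id} zone:{zone} var:{var_name} matches:{n}")
```

The obfuscated payload never needs to be "understood": two keywords, two `#`, one `/*`, one `*/` and two commas push `$SQL` to 40 against a limit of 8. The fragmented one only gets `$SQL` to exactly 8, because the two quotes sit in two different variables, which is the point of page 20: the scores are summed over the whole request, not per parameter. The hits list carries the same (zone, id, var_name) triplets as the signature on page 17.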

Page 21: Naxsi, an open source WAF  for Nginx


Naxsi in test bed

« Performance of the naxsi model »


Page 22: Naxsi, an open source WAF  for Nginx


(Chart: requests per second (0 to 6000) vs. concurrent connections (100, 300, 500, 1000), for NGINX, NGINX+NAXSI, APACHE and APACHE+MODSEC)

Platform: my laptop

Page 23: Naxsi, an open source WAF  for Nginx


• With apache-bench (1k concurrent connections, 10k total requests, long URL with arguments):

                          Nginx      Nginx+Naxsi   Diff (%)
  Total time (s)          1.151      1.271         9.4%
  Requests per second     8687.21    7866.73       9.4%
  Time per request (ms)   0.115      0.127         9.4%
  Transfer rate (KB/s)    1220.48    1198.45       1.8%

Page 24: Naxsi, an open source WAF  for Nginx


Naxsi usage

« Hands on »


Page 25: Naxsi, an open source WAF  for Nginx


(Diagram: User(s) -> Naxsi -> WebSite; Naxsi -> Learning Daemon (nx_intercept) -> MySQL/Sqlite)

Page 26: Naxsi, an open source WAF  for Nginx


(Diagram: MySQL/Sqlite -> Learning Daemon (nx_extract) -> naxsi configuration, e.g.:)

BasicRule wl:1100 "mz:$BODY_VAR:redirect_to";
BasicRule wl:1005 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1010 "mz:$HEADERS_VAR:cookie";

Page 27: Naxsi, an open source WAF  for Nginx


• I won't cover Nginx setup, so let's assume our setup is the following:
  • Nginx+Naxsi is used as a reverse proxy to an existing website
  • Naxsi setup (the included naxsi.conf) is:

SecRulesEnabled;
DeniedUrl "/RequestDenied";
LearningMode;
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 5" BLOCK;
CheckRule "$UPLOAD >= 5" BLOCK;
CheckRule "$XSS >= 10" BLOCK;

  • Pointing DeniedUrl to nx_intercept:

server {
    location / {
        include "naxsi.conf";
        proxy_pass http://x.x.x.x;
    }
    location /RequestDenied {
        proxy_pass http://x.x.y.z:8080;
    }
}

  • Starting the interception daemon:

$ python nx_intercept.py -c ./naxsi-ui.conf

Page 28: Naxsi, an open source WAF  for Nginx


• Naxsi's learning daemons:
  • nx_intercept: HTTP request interception daemon, feeds the database
  • nx_extract: whitelist & statistics generation, fed from the database

[nx_extract]

username = naxsi_web

password = test

port = 8081

rules_path = /etc/nginx/core.rules

[nx_intercept]

port = 8080

[mysql]

username = naxsi

password = trivialpasswordormaybenot

hostname = 127.0.0.1

dbname = naxsi_sig

Page 29: Naxsi, an open source WAF  for Nginx


While the user is browsing, exceptions are generated by Naxsi and the offending HTTP requests are forwarded to nx_intercept. nx_intercept extracts the signatures from the forwarded requests and puts them into the database.

Page 30: Naxsi, an open source WAF  for Nginx


• After browsing a bit (here two different pages), we can fire up nx_extract, the whitelist generation daemon:

Page 31: Naxsi, an open source WAF  for Nginx


• Clicking on whitelist generation will get you this:

########### Rules Before Optimisation ##################
#1 hits on rule 1005 (mysql keyword (|)) on url / from 1 different peers
#BasicRule wl:1005 "mz:$URL:/|$HEADERS_VAR:cookie";
….
#BasicRule wl:1010 "mz:$URL:/test_securite_web|$HEADERS_VAR:cookie";
#1 hits on rule 1011 (parenthesis, probable sql/xss) on url /test_securite_web from 1 different peers
########### End Of Rules Before Optimisation ###########
# (mysql keyword (|))
BasicRule wl:1005 "mz:$HEADERS_VAR:cookie";
# open parenthesis
BasicRule wl:1010 "mz:$HEADERS_VAR:cookie";
# close parenthesis
BasicRule wl:1011 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1315 "mz:$HEADERS_VAR:cookie";

Page 32: Naxsi, an open source WAF  for Nginx


Naxsi usage

« Hands on : User forms »


Page 33: Naxsi, an open source WAF  for Nginx


• But the real deal, with learning mode, is user forms!
• Cookies, URLs and so on will be detected in one browsing session, but what about user forms? You need to fill them in with all « authorized » characters, which can be boring.
• Thanks to Naxsi's naive architecture, you can easily fool it to reach your goal.
• Let's add a rule or two to our naxsi location configuration:

BasicRule id:0 "str:123FREETEXT" "s:BLOCK" "mz:ARGS|BODY|URL";
BasicRule id:42 "str:123EMAIL" "s:BLOCK" "mz:ARGS|BODY|URL";

Page 34: Naxsi, an open source WAF  for Nginx


• These two rules will allow us, whenever we type « 123FREETEXT » or « 123EMAIL » within a field (GET/POST), to trigger naxsi and output a whitelist for:
  • id:0 (which means *all* rules) whenever you input « 123FREETEXT »
  • id:42 (which doesn't exist) whenever you input « 123EMAIL »

The idea here is to be able to simply tell naxsi « whitelist everything » in this field, in a convenient way.

And regarding id:42, replacing it with the IDs you want to whitelist is left as an exercise to the audience (mainly because it's not supported by nx_extract yet ;p)

Page 35: Naxsi, an open source WAF  for Nginx


• Using the pattern « 123FREETEXT » in the website will thus generate a whitelist for « all » rules on the specific element:

BasicRule wl:0 "mz:$URL:/|$ARGS_VAR:s";

Page 36: Naxsi, an open source WAF  for Nginx


Naxsi usage

« Hands on : User forms – another approach »


Page 37: Naxsi, an open source WAF  for Nginx


• Naxsi parses both variable names and contents
• And most frameworks (Magento, Drupal etc.) provide « default » names for several kinds of fields!
• Do you see my point? Not yet maybe …

Page 38: Naxsi, an open source WAF  for Nginx


• In the case of Magento, form fields use hardcoded names depending on the type of field, such as:
  • firstname
  • lastname
  • email
  • password
  • …
• As a specific example, the « search » field will always be passed as « q »:

BasicRule id:9002 "rx:^q$" "s:BLOCK" "mz:ARGS|BODY|URL";

• And name fields are always named « firstname » in HTML forms:

BasicRule id:9003 "rx:^firstname$" "s:BLOCK" "mz:ARGS|BODY|URL";

Page 39: Naxsi, an open source WAF  for Nginx


• Thus, browsing the website and using the forms, even without specific patterns, will trigger the rules, and you will see in the whitelist generation:

BasicRule wl:9002 "mz:$URL:/catalogsearch/result/|$ARGS_VAR:q|NAME";
BasicRule wl:9003 "mz:$URL:/customer/account/createpost/|$BODY_VAR:firstname|NAME";

• This allows you to perform « passive » learning. Let users use the website (in learning mode), let them write your whitelist rules ;)

Page 40: Naxsi, an open source WAF  for Nginx


Naxsi usage

« Reporting, because bosses love reporting »


Page 41: Naxsi, an open source WAF  for Nginx


ip=x.x.x.&server=xxx.ro&uri=/wp-cron.php&total_processed=8140&total_blocked=1954&

• nx_intercept can also be fed with log files, namely Nginx log files.
• As Naxsi writes its signatures into Nginx's error log, this means two things:
  • You can use LearningMode even without nx_intercept
  • You can get cool & nice reporting on the period you want (just inject Nginx's log files for this period!)

Page 42: Naxsi, an open source WAF  for Nginx


Page 43: Naxsi, an open source WAF  for Nginx


Page 44: Naxsi, an open source WAF  for Nginx


Naxsi usage

« More ! More ! »


Page 45: Naxsi, an open source WAF  for Nginx


• Naxsi's simplicity and naive design allow you to simply write rules for whatever you want:
  • Blocking robots?

BasicRule id:X "str:BOT_USER_AGENT" "mz:$HEADERS_VAR:user-agent" "s:BLOCK";

  • People looking for phpMyAdmin?

BasicRule id:X "rx:phpmy" "mz:URL" "s:BLOCK";

• As Naxsi writes signatures of attacks to Nginx's error log, it's fail2ban-friendly ;)
• Why not leave the learning mode on, and simply rely on fail2ban to push away insistent attackers?
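Pages 41 and 45 rest on the same fact: every exception ends up as a signature line in Nginx's error log. As an added example (not the deck's code, not the project's, and not fail2ban itself), the Python below reads such lines offline, builds the per-client / per-rule / per-URL counts that page 41's reporting needs, and applies a fail2ban-style threshold (maxretry exceptions within findtime) to decide which clients to ban while the WAF itself stays in learning mode, as page 45 suggests. The log excerpt is constructed; the error-log layout around the signature and the `NAXSI_FMT:` marker are assumptions about the log format. Only the `ip=...&server=...&uri=...&total_*` and `zoneN/idN/var_nameN` fields come from the deck.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl

# Constructed nginx error-log excerpt. The "NAXSI_FMT: <signature>" layout is an assumption;
# the signature fields are the ones the deck shows. 10.0.0.5 probes two pages with quotes
# and tags; 10.0.0.9 is a legitimate user whose searches contain apostrophes. One unrelated
# nginx error line is included to be skipped.
ERROR_LOG = """
2012/05/30 10:00:01 [error] 2141#0: *7 NAXSI_FMT: ip=10.0.0.5&server=www.example.org&uri=/wp-cron.php&total_processed=8140&total_blocked=1954&zone0=ARGS&id0=1000&var_name0=id&zone1=ARGS&id1=1013&var_name1=id, client: 10.0.0.5, server: www.example.org, request: "GET /wp-cron.php?id=1%27%20union%20select HTTP/1.1", host: "www.example.org"
2012/05/30 10:00:02 [error] 2141#0: *8 NAXSI_FMT: ip=10.0.0.5&server=www.example.org&uri=/index.php&total_processed=8141&total_blocked=1955&zone0=ARGS&id0=1013&var_name0=p, client: 10.0.0.5, server: www.example.org, request: "GET /index.php?p=%27 HTTP/1.1", host: "www.example.org"
2012/05/30 10:00:03 [error] 2141#0: *9 NAXSI_FMT: ip=10.0.0.5&server=www.example.org&uri=/index.php&total_processed=8142&total_blocked=1956&zone0=ARGS&id0=1302&var_name0=p&zone1=ARGS&id1=1303&var_name1=p, client: 10.0.0.5, server: www.example.org, request: "GET /index.php?p=%3Cb%3E HTTP/1.1", host: "www.example.org"
2012/05/30 10:00:10 [error] 2141#0: *10 NAXSI_FMT: ip=10.0.0.9&server=www.example.org&uri=/search&total_processed=8143&total_blocked=1957&zone0=ARGS&id0=1013&var_name0=q, client: 10.0.0.9, server: www.example.org, request: "GET /search?q=O%27Brien HTTP/1.1", host: "www.example.org"
2012/05/30 10:00:11 [error] 2141#0: *11 open() "/var/www/favicon.ico" failed (2: No such file or directory), client: 10.0.0.9, server: www.example.org, request: "GET /favicon.ico HTTP/1.1", host: "www.example.org"
2012/05/30 10:30:00 [error] 2141#0: *12 NAXSI_FMT: ip=10.0.0.9&server=www.example.org&uri=/search&total_processed=8201&total_blocked=1960&zone0=ARGS&id0=1013&var_name0=q, client: 10.0.0.9, server: www.example.org, request: "GET /search?q=D%27Angelo HTTP/1.1", host: "www.example.org"
2012/05/30 10:31:00 [error] 2141#0: *13 NAXSI_FMT: ip=10.0.0.9&server=www.example.org&uri=/search&total_processed=8202&total_blocked=1961&zone0=ARGS&id0=1013&var_name0=q, client: 10.0.0.9, server: www.example.org, request: "GET /search?q=L%27Oreal HTTP/1.1", host: "www.example.org"
""".strip().splitlines()

LOG_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \S+ \S+ NAXSI_FMT: (\S+),")


def parse_line(line):
    """Return (timestamp, ip, uri, [rule ids]) for a naxsi line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    sig = dict(parse_qsl(m.group(2), keep_blank_values=True))
    rule_ids = [int(v) for k, v in sig.items() if re.fullmatch(r"id\d+", k)]
    return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), sig["ip"], sig["uri"], rule_ids


def report(lines):
    """Exceptions per client IP, per rule id and per URI: the raw material of the page 41 reporting."""
    events = [e for e in map(parse_line, lines) if e]
    by_ip = Counter(ip for _, ip, _, _ in events)
    by_rule = Counter(rid for _, _, _, ids in events for rid in ids)
    by_uri = Counter(uri for _, _, uri, _ in events)
    return by_ip, by_rule, by_uri


def bans(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style decision: ban a client the moment it reaches `maxretry` exceptions
    inside a sliding `findtime` window. Returns {ip: ban_time}."""
    recent, banned = defaultdict(list), {}
    for ts, ip, _, _ in sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[0]):
        if ip in banned:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    by_ip, by_rule, by_uri = report(ERROR_LOG)
    print("exceptions per client:", dict(by_ip))
    print("exceptions per rule id:", dict(by_rule))
    print("exceptions per uri:", dict(by_uri))
    for ip, when in bans(ERROR_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With `maxretry=3` inside ten minutes only 10.0.0.5 is banned, at 10:00:03; the legitimate user's three apostrophes are spread over half an hour and stay under the threshold. Lowering `maxretry` to 2 bans that user too at 10:31:00, which is the trade-off to keep in mind when the WAF runs in learning mode: in that mode every exception, false positive or not, feeds the ban counter.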

Page 46: Naxsi, an open source WAF  for Nginx


Back to reality


Page 47: Naxsi, an open source WAF  for Nginx


• November 2011: « Charlie Hebdo », a French satirical newspaper, gets heavily targeted by Muslim hacktivists after an edition representing Muhammad was published.
• Their office was burned, and …

Page 48: Naxsi, an open source WAF  for Nginx


• Their website gets targeted and is defaced twice within 24 hours

Page 49: Naxsi, an open source WAF  for Nginx


• Then DoS and DDoS follow …
• Their hoster at the time decides to shut down the website, out of fear of retaliation
• Migration was planned, but it became much more urgent

Page 50: Naxsi, an open source WAF  for Nginx


• A small hardened infrastructure was set up within 8 hours:
  • Two reverse proxies running NGINX + NAXSI (for redundancy)
  • A LAMP server
• And here we go for the first « fire experience » of naxsi!
• At the time we migrated the website, we were already aware of some vulnerabilities that could not be patched within such a short delay, so all our hope was in naxsi ☺

Page 51: Naxsi, an open source WAF  for Nginx


• D+1: architecture is ready, DNS migration ongoing
  • As stated earlier, we knew some vulnerabilities were present. Attackers knew as well (as they had already defaced the website twice)
• D+1.5: DNS migration is over
• A small analysis of Naxsi's logs over the first week:
  • Over 32 000 HTTP requests blocked
  • Over 200 IPs blacklisted
  • And the cool thing is that we didn't get any false positives, and the website remained safe.

Thanks for the bench!

Page 52: Naxsi, an open source WAF  for Nginx
