Difference between revisions of "OWASP NAXSI Project"

From OWASP
Jump to: navigation, search
Line 38: Line 38:
 
http://code.google.com/p/naxsi/w/list
 
http://code.google.com/p/naxsi/w/list
  
Naxsi 0.41 has been released as the first stable version, you can find naxsi's last versions here :
+
Naxsi 0.43 has just been released, you can find naxsi's last versions here :
 
http://code.google.com/p/naxsi/downloads/list
 
http://code.google.com/p/naxsi/downloads/list
  
=Test Naxsi !=
 
 
We prepared a running testing environment for you, go, play, (try to) bypass naxsi :
 
http://code.google.com/p/naxsi/wiki/OnlyTrustWhatYouCanTest
 
  
  

Revision as of 07:46, 7 February 2012

Naxsi-logo.jpg

Main

[edit]

Naxsi is an open source, high performance, low rules maintenance, Web Application Firewall module for Nginx, the infamous web server and reverse-proxy.

Its goal is to help people securing their web applications against attacks like SQL Injections, Cross Site Scripting, Cross Site Request Forgery, Local & Remote file inclusions.


The difference with most WAF (Web Application Firewalls) out there is that it does not rely upon signatures to detect and block attacks. It uses a simpler model where, instead of trying to detect "known" attacks, it detects unexpected characters in the HTTP requests/arguments.


Each kind of unusual character will increase the score of the request. If the request reaches a score considered "too high", the request will be denied, and the user will be redirected to a "forbidden" page. Yes, it works somewhat like a spam system.


Because it works on a learning mode (read white list). Set the module in learning mode, crawl your site, and it will generate the necessary white lists to avoid false positives! Naxsi doesn't rely upon pre-defined signatures, so it should be capable to defeat complex/unknown/obfuscated attack patterns.

The project is currently hosted on googlecode as well, and you may find more details here : http://naxsi.googlecode.com

Be sure to check the wiki as well ! http://code.google.com/p/naxsi/w/list

Naxsi 0.43 has just been released, you can find naxsi's last versions here : http://code.google.com/p/naxsi/downloads/list


* Howto : See Naxsi in action !
* See Naxsi results on a highly vulnerable web site
* See Naxsi results vs Obfuscated|Complex SQLi patterns
* Try to bypass Naxsi !
* We need you!
* Naxsi is young, there are known bugs 
* LearningMode, key feature !
* Curious about Naxsi ? Check-out callgraphs and other geeky stuff !

Project About

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP NAXSI Project (home page)
Purpose:
  • Naxsi (Nginx Anti Xss Sql Injection) is an open source, high performance, low rules maintenance, Web Application Firewall module for Nginx, the infamous web server and reverse-proxy.
  • Its goal is to help people securing their web applications against attacks like SQL Injections, Cross Site Scripting, Cross Site Request Forgery, Local & Remote file inclusions.
  • The difference with most WAF (Web Application Firewalls) out there is that it does not rely upon signatures to detect and block attacks. It uses a simpler model where, instead of trying to detect "known" attacks, it detects unexpected characters in the HTTP requests/arguments.
  • Each kind of unusual character will increase the score of the request. If the request reaches a score considered "too high", the request will be denied, and the user will be redirected to a "forbidden" page. Yes, it works somewhat like a spam system.
License: GPL 2.0
who is working on this project?
Project Leader(s):
Project Contributor(s):
  • Sebastien Blot
  • Antonin Le Faucheux
  • Didier Conchaudron
  • Sofian Brabez
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Please refer to github for downloads :

https://github.com/nbs-system/naxsi

last reviewed release
Not Yet Reviewed


other releases