Difference between revisions of "OWASP NAXSI Project"

From OWASP
Further reading on the project wiki:

* LearningMode, the key feature: http://code.google.com/p/naxsi/wiki/LearningMode
* Curious about Naxsi? Check out the call graphs and other internals: http://code.google.com/p/naxsi/wiki/NaxsiInternals

Revision as of 06:31, 7 September 2011


Naxsi is an open source, high performance, low-maintenance Web Application Firewall (WAF) module for Nginx, the well-known web server and reverse proxy.

Its goal is to help people secure their web applications against attacks such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and local and remote file inclusion.


The difference from most WAFs (Web Application Firewalls) is that Naxsi does not rely on signatures of known attacks to detect and block them. It uses a simpler model: instead of trying to recognise "known" attack payloads, it looks for characters and tokens that have no business appearing in legitimate HTTP requests and their arguments.


Each unusual character or token found adds to the score of the request. When the score reaches a threshold considered "too high", the request is denied and the client is redirected to a "forbidden" page. In that respect it works much like a spam filter.


False positives are handled by a learning mode that builds a whitelist. Put the module in learning mode, crawl your site, and it generates the whitelist entries needed so that legitimate traffic stops scoring. The crawl should only carry traffic you trust: whatever scores during learning is whitelisted, and a whitelist entry removes that check for that argument from then on. Because Naxsi does not rely on predefined signatures, it should also be able to block complex, unknown or obfuscated attack patterns.
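The following is an added toy model of the scoring and whitelisting mechanism described in the two paragraphs above; it is illustration code written for this page, not Naxsi's own code or configuration. The rule ids, the score families ($SQL, $XSS, $TRAVERSAL), the thresholds, the whitelist shape (rule id, zone, argument name) and the sample requests are all constructed for the example. Real Naxsi rules are written in the nginx configuration and also inspect headers, cookies and file names; this model only looks at the URL path, query arguments and a form-encoded body.

```python
"""Toy model of a character-scoring WAF with a learning mode.

Added example, not Naxsi's code. Rule ids, score families, thresholds
and sample traffic are constructed for illustration only.
"""
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote, urlsplit


@dataclass(frozen=True)
class Rule:
    id: int
    needle: str   # substring searched case-insensitively (no regexes in this toy)
    family: str   # score counter this rule feeds
    points: int
    msg: str


# Constructed rule set: each unusual token adds points to a family score.
RULES = [
    Rule(1000, "'", "$SQL", 4, "single quote"),
    Rule(1001, "--", "$SQL", 4, "sql comment"),
    Rule(1002, "select", "$SQL", 4, "sql keyword"),
    Rule(1003, "<", "$XSS", 8, "html tag open"),
    Rule(1004, ">", "$XSS", 8, "html tag close"),
    Rule(1005, "../", "$TRAVERSAL", 4, "directory traversal"),
]

# A request is denied once any family score reaches its threshold.
CHECK_RULES = {"$SQL": 8, "$XSS": 8, "$TRAVERSAL": 4}


@dataclass
class Verdict:
    scores: dict    # family -> accumulated points
    matches: list   # (rule id, zone, argument name) entries that scored
    blocked: bool


def _zones(url, body):
    """Yield (zone, name, value) for every part of the request inspected."""
    parts = urlsplit(url)
    yield "URL", "", unquote(parts.path)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield "ARGS", name, value
    for name, value in parse_qsl(body, keep_blank_values=True):
        yield "BODY", name, value


def score_request(url, body="", whitelist=frozenset(), learning=False):
    """Score one request. Whitelist entries are (rule id, zone, arg name);
    a zone of None whitelists the rule everywhere. In learning mode the
    scores are still computed but nothing is ever blocked."""
    scores = {family: 0 for family in CHECK_RULES}
    matches = []
    for zone, name, value in _zones(url, body):
        haystack = value.lower()
        for rule in RULES:
            if rule.needle not in haystack:
                continue
            if (rule.id, zone, name) in whitelist or (rule.id, None, None) in whitelist:
                continue
            scores[rule.family] += rule.points
            matches.append((rule.id, zone, name))
    over = any(scores[f] >= limit for f, limit in CHECK_RULES.items())
    return Verdict(scores, matches, over and not learning)


def learn_whitelist(trusted_requests, whitelist=frozenset()):
    """Learning mode: replay traffic known to be legitimate and turn every
    rule that fired into a whitelist entry scoped to that zone and argument.
    Anything hostile in this traffic would be whitelisted too, so feed it
    only a clean crawl."""
    learned = set(whitelist)
    for url, body in trusted_requests:
        learned.update(score_request(url, body, learning=True).matches)
    return frozenset(learned)


# Constructed sample traffic that a legitimate crawl of the site might produce.
TRUSTED = [
    ("/search?q=O'Reilly", ""),
    ("/comment", "comment=<b>hello</b>"),
]

if __name__ == "__main__":
    wl = learn_whitelist(TRUSTED)
    print("learned whitelist:", sorted(wl))
    for url, body in TRUSTED + [
        ("/search?q=1 union select password from users--", ""),
        ("/search?q=<script>alert(1)</script>", ""),
        ("/static/../../etc/passwd", ""),
    ]:
        v = score_request(url, body, whitelist=wl)
        print("BLOCK" if v.blocked else "ALLOW", url, body, v.scores)
```

Before learning, the legitimate comment containing `<b>` is denied (two $XSS hits of 8 against a threshold of 8); after the learning pass only the three entries exercised by the crawl are whitelisted, so that comment passes while the same tags in the `q` argument, a SQL payload in `q` and a traversal in the path are still blocked. The whitelist also shows the cost of the approach: because the crawl put a quote in `q`, a lone quote there no longer scores, and an injection in that argument has to trip other rules (here the `--` comment on its own stays below the threshold). That is why the learning crawl must only carry traffic you trust, and why whitelists are worth reviewing rather than accepting blindly.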

We have prepared a running test environment for you: go, play, and try to bypass Naxsi: http://code.google.com/p/naxsi/wiki/OnlyTrustWhatYouCanTest