Ngonyaka odlule sikhiphe i-Nemesida WAF Free, imojuli eguquguqukayo ye-NGINX evimba ukuhlaselwa kwezinhlelo zokusebenza zewebhu. Ngokungafani nenguqulo yezohwebo, esekelwe ekufundeni komshini, inguqulo yamahhala ihlaziya izicelo kusetshenziswa indlela yesiginesha kuphela.
Izici zokukhishwa kwe-Nemesida WAF 4.0.129
Ngaphambi kokukhishwa kwamanje, imojuli eguquguqukayo ye-Nemesida WAF isekela i-Nginx Stable 1.12, 1.14 kanye no-1.16 kuphela. Ukukhishwa okusha kunezela ukwesekwa kwe-Nginx Mainline, eqala ku-1.17, ne-Nginx Plus, eqala ku-1.15.10 (R18).
Kungani wenze enye i-WAF?
I-NAXSI kanye ne-mod_security cishe amamojula wamahhala we-WAF aziwa kakhulu, futhi i-mod_security ikhuthazwa ngenkuthalo yi-Nginx, nakuba ekuqaleni yayisetshenziswa kuphela ku-Apache2. Zombili izixazululo zimahhala, umthombo ovulekile futhi zinabasebenzisi abaningi emhlabeni jikelele. Ukuze uthole i-mod_security, amasethi wesiginesha yamahhala neyezentengiselwano atholakala ku-$ 500 ngonyaka, ku-NAXSI kukhona isethi yamahhala yesiginesha ngaphandle kwebhokisi, futhi ungathola amasethi engeziwe emithetho, njenge-doxsi.
Kulo nyaka sihlole ukusebenza kwe-NAXSI ne-Nemesida WAF Mahhala. Kafushane mayelana nemiphumela:
- I-NAXSI ayiwakhiphi ama-URL aphindwe kabili kumakhukhi
- I-NAXSI ithatha isikhathi eside kakhulu ukulungisa - ngokuzenzakalelayo, izilungiselelo zomthetho ezizenzakalelayo zizovimba izicelo eziningi lapho usebenza nohlelo lokusebenza lwewebhu (ukugunyazwa, ukuhlela iphrofayili noma impahla, ukubamba iqhaza kuzinhlolovo, njll.) futhi kuyadingeka ukukhiqiza izinhlu ezihlukile. , okunomthelela omubi ekuvikelekeni. I-Nemesida WAF Free enezilungiselelo ezizenzakalelayo ayizange yenze ngisho nokukodwa okungamanga ngenkathi isebenza nesayithi.
- inani lokuhlaselwa okuphuthelwe kwe-NAXSI liphakeme izikhathi eziningi, njll.
Naphezu kokushiyeka, i-NAXSI ne-mod_security inezinzuzo okungenani ezimbili - umthombo ovulekile kanye nenani elikhulu labasebenzisi. Siyawusekela umbono wokudalula ikhodi yomthombo, kodwa asikwazi ukwenza lokhu okwamanje ngenxa yezinkinga ezingaba khona "ngobugebengu bobugebengu" benguqulo yezentengiso, kodwa ukuze sinxephezele lokhu kushiyeka, sidalula ngokugcwele okuqukethwe kwesethi yesiginesha. Siyakwazisa ubumfihlo futhi siphakamisa ukuthi uqinisekise lokhu ngokwakho usebenzisa iseva elibamba.
Izici ze-Nemesida WAF Free:
- Idatha egciniwe yesiginesha yekhwalithi ephezulu enenani elincane lokuthi Okuhle Kwamanga kanye Nokubi Kwamanga.
- ukufakwa nokuvuselela okuvela endaweni yokugcina (kuyashesha futhi kulula);
- izenzakalo ezilula neziqondakalayo mayelana nezigameko, hhayi "isiphithiphithi" njenge-NAXSI;
- mahhala ngokuphelele, ayinayo imikhawulo enanini lethrafikhi, ababungazi ababonakalayo, njll.
Sengiphetha, ngizonikeza imibuzo embalwa ukuhlola ukusebenza kwe-WAF (kuyanconywa ukuthi uyisebenzise endaweni ngayinye: URL, ARGS, Headers & Body):
')) un","ion se","lect 1,2,3,4,5,6,7,8,9,0,11#"]
')) union/**/select/**/1,/**/2,/**/3,/**/4,/**/5,/**/6,/**/7,/**/8,/**/9,/**/'some_text',/**/11#"]
union(select(1),2,3,4,5,6,7,8,9,0x70656e746573746974,11)#"]
')) union+/*!select*/ (1),(2),(3),(4),(5),(6),(7),(8),(9),(0x70656e746573746974),(11)#"]
')) /*!u%6eion*/ /*!se%6cect*/ (1),(2),(3),(4),(5),(6),(7),(8),(9.),(0x70656e746573746974),(11)#"]
')) %2f**%2funion%2f**%2fselect (1),(2),(3),(4),(5),(6),(7),(8),(9),(0x70656e746573746974),(11)#"]
%5B%221807182982%27%29%29%20uni%22%2C%22on
%20sel%22%2C%22ect%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C%2some_text%27%2C11%23%22%5D
cat /et?/pa?swd
cat /et'c/pa'ss'wd
cat /et*/pa**wd
e'c'ho 'swd test pentest' |awk '{print "cat /etc/pas"$1}' |bas'h
cat /etc/passwd
cat$u+/etc$u/passwd$u
<svg/onload=alert()//
Uma izicelo zingavinjiwe, kungenzeka ukuthi i-WAF izophuthelwa ukuhlasela kwangempela. Ngaphambi kokusebenzisa izibonelo, qiniseka ukuthi i-WAF ayivimbi izicelo ezisemthethweni.
Source: www.habr.com