80 lines
2.3 KiB
Markdown
80 lines
2.3 KiB
Markdown
# Libinjection integration
|
|
|
|
[libinjection](https://github.com/client9/libinjection) is a 3rd party library (developped by client9) aiming at detecting SQL injections (sqli) and cross-site scripting (xss) by tokenization. This library is integrated within naxsi for two purposes :
|
|
- generic detection of xss/sqli
|
|
- virtual patching
|
|
|
|
### Generic Detection
|
|
|
|
libinjection generic detection *must* be explicitely enabled using specific directives : [LibInjectionXss](directives.md#libinjectionxss) or [LibInjectionSql](directives.md#libinjectionsql). It can as well be enabled at runtime using [runtime modifiers](runtime-modifiers.md) : `naxsi_flag_libinjection_xss` and `naxsi_flag_libinjection_sql`.
|
|
|
|
* Generic libinjection_xss rule has internal id 18 and increases named score `$LIBINJECTION_XSS` of 8 per match.
|
|
|
|
* Generic libinjection_sql rule has internal id 17 and increases named score `$LIBINJECTION_SQL` of 8 per match.
|
|
|
|
|
|
A generic setup to block any request triggering libinjection_xss looks like :
|
|
|
|
```
|
|
location / {
|
|
SecRulesEnabled;
|
|
LibInjectionXss;
|
|
CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
|
|
...
|
|
}
|
|
```
|
|
|
|
for libinjection_sql :
|
|
```
|
|
location / {
|
|
SecRulesEnabled;
|
|
LibInjectionSql;
|
|
CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
|
|
...
|
|
}
|
|
```
|
|
|
|
When generic detection is enabled, false positives can be whitelisted using id 17 ([libinjection_xss](internal-rules.md#libinjection_xss)) or 18 ([libinjection_sql](internal-rules.md#libinjection_sql)).
|
|
|
|
|
|
Using runtime modifiers, it might look like :
|
|
|
|
|
|
```
|
|
#/foobar as LOTS of sql injections
|
|
if ($request_uri ~ ^/foobar(.*)$ ) {
|
|
set $naxsi_flag_libinjection_sql 1;
|
|
}
|
|
...
|
|
location / {
|
|
...
|
|
CheckRule "$LIBINJECTION_SQL >= 8" DROP;
|
|
...
|
|
}
|
|
```
|
|
|
|
|
|
### Virtual Patching
|
|
|
|
(>= 0.55rc2)
|
|
|
|
Widely enabling libinjection might not be possible depending on the application context.
|
|
However, libinjection can as well be used for virtual patching :
|
|
|
|
```
|
|
MainRule "d:libinj_xss" "s:DROP" "mz:$ARGS_VAR:ruuu" id:41231;
|
|
```
|
|
|
|
|
|
_Pass the content of GET variable 'ruuu' to libinjection, and drop request if it's detected as xss_
|
|
|
|
```
|
|
MainRule "d:libinj_sql" "s:DROP" "mz:$ARGS_VAR:ruuu" id:41231;
|
|
```
|
|
|
|
_DROP any request triggering libinjection_sql in GET variable 'ruuu'_
|
|
|
|
|
|
Using virtual patching approach, user-created rules can be managed/whitelisted without specificities.
|
|
|