Files
EndGame/dependencies/naxsi/docs/old/libinjection-integration.md

80 lines
2.3 KiB
Markdown

# Libinjection integration
[libinjection](https://github.com/client9/libinjection) is a 3rd party library (developped by client9) aiming at detecting SQL injections (sqli) and cross-site scripting (xss) by tokenization. This library is integrated within naxsi for two purposes :
- generic detection of xss/sqli
- virtual patching
### Generic Detection
libinjection generic detection *must* be explicitely enabled using specific directives : [LibInjectionXss](directives.md#libinjectionxss) or [LibInjectionSql](directives.md#libinjectionsql). It can as well be enabled at runtime using [runtime modifiers](runtime-modifiers.md) : `naxsi_flag_libinjection_xss` and `naxsi_flag_libinjection_sql`.
* Generic libinjection_xss rule has internal id 18 and increases named score `$LIBINJECTION_XSS` of 8 per match.
* Generic libinjection_sql rule has internal id 17 and increases named score `$LIBINJECTION_SQL` of 8 per match.
A generic setup to block any request triggering libinjection_xss looks like :
```
location / {
SecRulesEnabled;
LibInjectionXss;
CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
...
}
```
for libinjection_sql :
```
location / {
SecRulesEnabled;
LibInjectionSql;
CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
...
}
```
When generic detection is enabled, false positives can be whitelisted using id 17 ([libinjection_xss](internal-rules.md#libinjection_xss)) or 18 ([libinjection_sql](internal-rules.md#libinjection_sql)).
Using runtime modifiers, it might look like :
```
#/foobar as LOTS of sql injections
if ($request_uri ~ ^/foobar(.*)$ ) {
set $naxsi_flag_libinjection_sql 1;
}
...
location / {
...
CheckRule "$LIBINJECTION_SQL >= 8" DROP;
...
}
```
### Virtual Patching
(>= 0.55rc2)
Widely enabling libinjection might not be possible depending on the application context.
However, libinjection can as well be used for virtual patching :
```
MainRule "d:libinj_xss" "s:DROP" "mz:$ARGS_VAR:ruuu" id:41231;
```
_Pass the content of GET variable 'ruuu' to libinjection, and drop request if it's detected as xss_
```
MainRule "d:libinj_sql" "s:DROP" "mz:$ARGS_VAR:ruuu" id:41231;
```
_DROP any request triggering libinjection_sql in GET variable 'ruuu'_
Using virtual patching approach, user-created rules can be managed/whitelisted without specificities.