I suppose I'm stating the obvious, but if you are going to implement blocking 
schemes with either simple map matches or a full-blown WAF like Naxsi, you will 
need a test suite. For a very simple website, you can just crawl it with wget 
and see what you broke. But if you have forms, databases, etc. you probably 
will have to resort to Selenium. And that just checks if you broke something, 
not if you stopped some exploit. 

There are enough Web testing companies that you can get an occasional demo. I 
used tinfoilsecurity.com and it found one mistake. Besides dotdotpwn, I don't 
know of any free exploit testers. Maybe the list can suggest a few.


  Original Message  
From: mex
Sent: Sunday, May 21, 2017 2:25 AM
To: nginx@nginx.org
Reply To: nginx@nginx.org
Subject: Re: WordPress pingback mitigation

pbooth Wrote:
-------------------------------------------------------
> Wow- I really like the sound of naxsi. In the past I've used F5's ASM,
> the WAF built on their big-ip platform. It was powerful though prone
> to false positives. I don't believe there are any real shortcuts that
> allow you to build an effective waf without understanding the details
> of your own website. These simply aren't build, deploy and forget
> devices. It sounds as if the creator of naxsi understands this.
> 


hi, 

naxsi-supporter and doxi-rules-maintainer here.

FPs are an issue for any blocking-mechanism. 
what many people don't know: naxsi has an integrated whitelist-generator, 
allowing you to tune your WAF against your own application. for people with
staging/deployment environments you can run naxsi there in learning-mode,
generating all whitelists needed on-the-fly and deploying them during your
regular deployments. 

maybe overdosed for smaller setups, but fitting perfectly into 
bigger setups. 


and yes, naxsi needs more documentation and beginner-based manuals.
maybe this helps to understand the rules (and needs an update as well:)
https://zero.bs/naxis-rules-manual.html


regards, 


mex

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,274339,274358#msg-274358

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx