A signature-less (or nearly :p) approach to web application firewalling
Naxsi is a web application firewall for Nginx.
It is somehow different from most WAF, as it does not rely on signatures, but rather on a scoring system, in combination with a learning system.
The goal, during this lightning talk, is to give an overview of naxsi, from both the conception & development aspect (nginx is a fantastic software to work on), and from a usage/feedback perspective.
Naxsi is an open source, high performance, low rules maintenance, Web
Application Firewall module for Nginx, the infamous web server and
reverse-proxy.
Its goal is to help people securing their web applications against attacks like
SQL Injections, Cross Site Scripting, Cross Site Request Forgery, Local &
Remote file inclusions.
The difference with most WAF (Web Application Firewalls) out there is that it
does not rely upon signatures to detect and block attacks. It uses a
simpler model
where, instead of trying to detect "known" attacks, it detects unexpected
characters in the HTTP requests/arguments. Each kind of unusual character will
increase the score of the request. If the request reaches a score
considered "too high", the request will be denied, and the user will be
redirected to a "forbidden" page. Yes, it works somewhat like a spam system.
Why is it different?
Because it works on a learning mode (read white list). Set the module in
learning mode, crawl your site, and it will generate the necessary white lists
to avoid false positives! Naxsi doesn't rely upon pre-defined signatures, so it
should be capable to defeat complex/unknown/obfuscated attack patterns.