Last year we released Nemesida WAF Free, a dynamic module for NGINX that blocks attacks against web applications. Unlike the commercial version, which is based on machine learning, the free version analyzes requests using the signature method only.
What's new in the Nemesida WAF 4.0.129 release
Prior to the current release, the Nemesida WAF dynamic module supported only Nginx Stable 1.12, 1.14 and 1.16. The new release adds support for Nginx Mainline, starting with 1.17, and Nginx Plus, starting with 1.15.10 (R18).
Why another WAF?
NAXSI and mod_security are probably the most popular free WAF modules, with mod_security being actively promoted by Nginx, although initially it was used only with Apache2. Both solutions are free, open source and have many users around the world. For mod_security, both free and commercial ($500 per year) signature sets are available; for NAXSI there is a free set of out-of-the-box signatures, and additional rule sets such as doxsi can also be found.
This year we compared NAXSI and Nemesida WAF Free. Briefly, the results:
- NAXSI does not perform double URL decoding in cookies;
- NAXSI takes a very long time to set up: with the default rule settings, most of the requests made while working with a web application (authorization, editing a profile or content, taking part in polls, etc.) are blocked, so exception lists have to be generated, which is bad for security. Nemesida WAF Free with its default settings did not produce a single false positive while working with the site;
- NAXSI misses several times more attacks, etc.
Despite these disadvantages, NAXSI and mod_security have at least two advantages: open source and a large user base. We support the idea of disclosing source code, but we cannot yet do so because of possible problems with “piracy” of the commercial version; to compensate for this drawback, we fully disclose the contents of the signature set. We value privacy and invite you to verify this yourself using a proxy server.
Features of Nemesida WAF Free:
- a high-quality signature database with a minimum of false positives and false negatives;
- installation and updates from the repository (quick and convenient);
- simple and understandable incident events, not a “jumble” as in NAXSI;
- completely free, with no restrictions on traffic volume, number of virtual hosts, etc.
In conclusion, here are several requests for evaluating WAF effectiveness (it is recommended to use them in each of the zones: URL, ARGS, Headers and Body):
')) un","ion se","lect 1,2,3,4,5,6,7,8,9,0,11#"]
')) union/**/select/**/1,/**/2,/**/3,/**/4,/**/5,/**/6,/**/7,/**/8,/**/9,/**/'some_text',/**/11#"]
union(select(1),2,3,4,5,6,7,8,9,0x70656e746573746974,11)#"]
')) union+/*!select*/ (1),(2),(3),(4),(5),(6),(7),(8),(9),(0x70656e746573746974),(11)#"]
')) /*!u%6eion*/ /*!se%6cect*/ (1),(2),(3),(4),(5),(6),(7),(8),(9.),(0x70656e746573746974),(11)#"]
')) %2f**%2funion%2f**%2fselect (1),(2),(3),(4),(5),(6),(7),(8),(9),(0x70656e746573746974),(11)#"]
%5B%221807182982%27%29%29%20uni%22%2C%22on%20sel%22%2C%22ect%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C%2some_text%27%2C11%23%22%5D
cat /et?/pa?swd
cat /et'c/pa'ss'wd
cat /et*/pa**wd
e'c'ho 'swd test pentest' |awk '{print "cat /etc/pas"$1}' |bas'h
c\a\t \/\e\t\c/\p\a\s\sw\d
cat$u+/etc$u/passwd$u
<svg/onload=alert()//
If these requests are not blocked, the WAF will most likely miss a real attack as well. Before using the examples, make sure that the WAF does not block legitimate requests.
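The SQL injection requests above are all the same `union select` written in different encodings: split across JSON string fragments, hidden in ordinary and MySQL versioned comments, percent-encoded once or twice. The point made about NAXSI and double URL decoding in cookies is exactly this: a signature engine that matches on the raw bytes sees none of these variants. The following is an added example, not Nemesida WAF or NAXSI code, of the normalisation stage that has to run before signature matching. It uses the seven SQL injection requests from the article as sample input (the percent-encoded one as a single request string); the signature `union ... select`, the decoding bound `MAX_DECODE_ROUNDS`, the helper names `url_decode_fully`, `normalize`, `matches_raw`, `matches_normalized`, `evaluate`, and the assumption that the back end concatenates the JSON array fragments (so `","` between `un` and `ion` vanishes before the SQL engine sees the string) are all mine, chosen for illustration.

```python
"""
Added example (not Nemesida WAF or NAXSI code): a minimal normalisation stage
that a signature-based WAF needs before pattern matching. Built around the SQL
injection test requests listed in the article and the "double URL decode" point
made about NAXSI. The signature, the decoding bound and the normalisation steps
are simplified assumptions for illustration.
"""
import re
from urllib.parse import unquote

# Upper bound on decoding passes (assumption): payloads may be encoded more than
# once, but an unbounded decode loop is itself a denial-of-service vector.
MAX_DECODE_ROUNDS = 3

# The SQL injection test requests from the article. The percent-encoded one is
# a single request string, written here on one line.
SAMPLE_PAYLOADS = [
    r"""')) un","ion se","lect 1,2,3,4,5,6,7,8,9,0,11#"]""",
    r"""')) union/**/select/**/1,/**/2,/**/3,/**/4,/**/5,/**/6,/**/7,/**/8,/**/9,/**/'some_text',/**/11#"]""",
    r"""union(select(1),2,3,4,5,6,7,8,9,0x70656e746573746974,11)#"]""",
    r"""')) union+/*!select*/ (1),(2),(3),(4),(5),(6),(7),(8),(9),(0x70656e746573746974),(11)#"]""",
    r"""')) /*!u%6eion*/ /*!se%6cect*/ (1),(2),(3),(4),(5),(6),(7),(8),(9.),(0x70656e746573746974),(11)#"]""",
    r"""')) %2f**%2funion%2f**%2fselect (1),(2),(3),(4),(5),(6),(7),(8),(9),(0x70656e746573746974),(11)#"]""",
    "%5B%221807182982%27%29%29%20uni%22%2C%22on%20sel%22%2C%22ect%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C%2some_text%27%2C11%23%22%5D",
]

# Simplified signature (assumption): "union" followed somewhere by "select".
UNION_SELECT = re.compile(r"\bunion\b.*?\bselect\b", re.S)


def url_decode_fully(value: str, max_rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Percent-decode repeatedly until the value stops changing or the bound is hit.

    A single pass turns %2527 into %27 and never sees the quote; the second
    pass yields the apostrophe the signature has to match on.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize(value: str) -> str:
    """Reduce the obfuscation variants above to one canonical form for matching."""
    text = url_decode_fully(value)
    # MySQL executes the body of /*!...*/ versioned comments, so keep the body.
    text = re.sub(r"/\*!\s*(.*?)\s*\*/", r"\1", text, flags=re.S)
    # Ordinary /* ... */ comments are whitespace to the SQL parser.
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    # '+' is a space in application/x-www-form-urlencoded data.
    text = text.replace("+", " ")
    # Assumption: the back end joins the JSON array elements, so the '","'
    # between fragments (un","ion) is gone before the SQL engine sees the string.
    text = text.replace('","', "")
    return re.sub(r"\s+", " ", text).strip().lower()


def matches_raw(value: str) -> bool:
    """Signature applied to the raw request: what a WAF without normalisation sees."""
    return UNION_SELECT.search(value.lower()) is not None


def matches_normalized(value: str) -> bool:
    """Signature applied after normalisation."""
    return UNION_SELECT.search(normalize(value)) is not None


def evaluate(payloads=SAMPLE_PAYLOADS):
    """Return (raw_hits, normalized_hits) so the two strategies can be compared."""
    raw_hits = sum(matches_raw(p) for p in payloads)
    norm_hits = sum(matches_normalized(p) for p in payloads)
    return raw_hits, norm_hits


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(f"raw={matches_raw(p)!s:5} normalized={matches_normalized(p)!s:5} {p[:40]}")
    print("hits (raw, normalized):", evaluate())
```

Run on the seven requests, the raw signature fires on only three of them (the ones where the words `union` and `select` survive intact), while the normalised form catches all seven. The decode loop is bounded on purpose: decoding "until nothing changes" with no limit lets a crafted request keep the WAF busy. The command injection examples in the list need the same idea applied to shell syntax (stripping the quotes in `pa'ss'wd`, the backslashes, and `$u`), which this block does not attempt.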