Convert Figma logo to code with AI

nbs-system logonaxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX

4,780
604
4,780
0
View on GitHub

Top Related Projects

owasp-modsecurity's avatar

ModSecurity

8,029

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

coreruleset's avatar

coreruleset

2,182

OWASP CRS (Official Repository)

p0pr0ck5's avatar

lua-resty-waf

1,273

High-performance WAF built on the OpenResty stack

Quick Overview

NAXSI (Nginx Anti XSS & SQL Injection) is an open-source, high-performance, and low rules maintenance WAF (Web Application Firewall) for NGINX. It aims to protect web applications against SQL injections, Cross-Site Scripting (XSS), and other common web attacks using a simple and efficient approach based on whitelisting and libinjection.

Pros

  • Easy to set up and configure with minimal performance impact
  • Highly effective against common web attacks, including SQL injection and XSS
  • Actively maintained and supported by a community of developers
  • Compatible with various NGINX setups and configurations

Cons

  • Can potentially generate false positives, requiring fine-tuning
  • Limited documentation compared to some commercial WAF solutions
  • Requires manual configuration and rule management for optimal protection
  • May require additional setup for complex applications or non-standard use cases

Getting Started

To get started with NAXSI:

  1. Install NAXSI as a dynamic module for NGINX:
wget https://github.com/nbs-system/naxsi/archive/master.zip
unzip master.zip
cd naxsi-master
./configure --add-dynamic-module=naxsi_src/
make modules
cp objs/ngx_http_naxsi_module.so /etc/nginx/modules/
  1. Add the following lines to your NGINX configuration:
load_module modules/ngx_http_naxsi_module.so;

http {
    include /etc/nginx/naxsi_core.rules;
    
    server {
        listen 80;
        server_name example.com;
        
        location / {
            SecRulesEnabled;
            DeniedUrl "/RequestDenied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            
            root /var/www/html;
            index index.html;
        }
        
        location /RequestDenied {
            return 403;
        }
    }
}
  1. Restart NGINX to apply the changes:
sudo systemctl restart nginx

This basic configuration enables NAXSI with default rules. For production use, you should customize the rules and whitelist legitimate requests to minimize false positives.

Competitor Comparisons

owasp-modsecurity logo

ModSecurity

8,029

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

Pros of ModSecurity

  • More comprehensive and feature-rich WAF solution
  • Supports multiple web servers (Apache, Nginx, IIS)
  • Larger community and more extensive rule sets available

Cons of ModSecurity

  • More complex configuration and setup process
  • Higher resource consumption
  • Steeper learning curve for beginners

Code Comparison

ModSecurity rule example:

SecRule REQUEST_HEADERS:User-Agent "nikto" \
    "id:1000,\
    phase:1,\
    deny,\
    log,\
    msg:'Nikto Scan Detected'"

Naxsi rule example:

MainRule "str:nikto" "msg:Nikto Scan Detected" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8" id:1000;

Both examples show rules to detect and block Nikto scans based on the User-Agent header. ModSecurity's rule is more verbose and offers more configuration options, while Naxsi's rule is more concise and easier to read at a glance.

ModSecurity provides a more powerful and flexible WAF solution with broader server support, but it comes at the cost of increased complexity and resource usage. Naxsi, on the other hand, offers a simpler, lightweight alternative that's easier to set up and manage, particularly for Nginx users, but with fewer features and a smaller community compared to ModSecurity.

coreruleset logo

coreruleset

2,182

OWASP CRS (Official Repository)

Pros of coreruleset

  • More comprehensive and regularly updated rule set
  • Broader community support and contributions
  • Better documentation and integration guides

Cons of coreruleset

  • Higher complexity and potential for false positives
  • Requires more fine-tuning and customization
  • Steeper learning curve for implementation

Code Comparison

NAXSI rule example:

MainRule "str:select" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;

CoreRuleSet rule example:

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i:select.+?(?:from|into))" \
    "id:942100,\
    phase:2,\
    block,\
    capture,\
    t:none,t:urlDecodeUni,\
    msg:'SQL Injection Attack Detected via libinjection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    ver:'OWASP_CRS/3.2.0',\
    severity:'CRITICAL',\
    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
p0pr0ck5 logo

lua-resty-waf

1,273

High-performance WAF built on the OpenResty stack

Pros of lua-resty-waf

  • Written in Lua, offering better performance and flexibility
  • Integrates seamlessly with OpenResty and NGINX
  • Provides more granular control over rule sets and configurations

Cons of lua-resty-waf

  • Requires OpenResty, which may not be suitable for all environments
  • Less mature and potentially less battle-tested than Naxsi
  • Smaller community and fewer pre-built rule sets available

Code Comparison

lua-resty-waf:

local waf = require "resty.waf"
local waf_instance = waf:new()
waf_instance:exec()

Naxsi:

location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
}

The lua-resty-waf example shows how to initialize and execute the WAF in Lua, while the Naxsi example demonstrates configuration directly in the NGINX configuration file. lua-resty-waf offers more programmatic control, whereas Naxsi provides a simpler, declarative approach.

Both projects aim to provide web application firewall functionality, but they differ in implementation and integration methods. lua-resty-waf is more flexible and performant but requires OpenResty, while Naxsi is more straightforward to set up but may be less customizable.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

naxsi

Project Status

This is a project status update regarding Naxsi.

As you may have noticed, the development of Naxsi has been stopped and the repository will be archived for historical reasons. This means that no new updates or bug fixes will be released for this version.

However, if you wish to update to newer versions of Naxsi, we recommend that you use the new repository at https://github.com/wargio/naxsi. This repository has been actively maintained and updated with new features and bug fixes.

We understand that this news may be disappointing for some of our users who have been relying on Naxsi for their web application security needs. We want to assure you that we are committed to providing the best possible solutions for your security needs and encourage you to explore our security products.

Thank you for your understanding and continued support.

What is Naxsi?

NAXSI means Nginx Anti XSS & SQL Injection.

Technically, it is a third party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple (and readable) rules containing 99% of known patterns involved in website vulnerabilities. For example, <, | or drop are not supposed to be part of a URI.

Being very simple, those patterns may match legitimate queries, it is the Naxsi's administrator duty to add specific rules that will whitelist legitimate behaviours. The administrator can either add whitelists manually by analyzing nginx's error log, or (recommended) start the project with an intensive auto-learning phase that will automatically generate whitelisting rules regarding a website's behaviour.

In short, Naxsi behaves like a DROP-by-default firewall, the only task is to add required ACCEPT rules for the target website to work properly.

Why is it different?

Contrary to most Web Application Firewalls, Naxsi doesn't rely on a signature base like an antivirus, and thus cannot be circumvented by an "unknown" attack pattern. Naxsi is Free software (as in freedom) and free (as in free beer) to use.

What does it run on?

Naxsi should be compatible with any nginx version.

It depends on libpcre for its regexp support, and is reported to work great on NetBSD, FreeBSD, OpenBSD, Debian, Ubuntu and CentOS.