Pentest Tools

Published on April 1st, 2016 📆 | 4726 Views ⚑


NAXSI — Nginx Web Application Firewall

Technically, it is a third party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple rules (naxsi_core.rules) containing 99% of known patterns involved in websites vulnerabilities. For example, ‘<‘, ‘|’ or ‘drop’ are not supposed to be part of a URI.

Being very simple, those patterns may match legitimate queries, it is Naxsi’s administrator duty to add specific rules that will whitelist those legitimate behaviours. The administrator can either add whitelists manually by analyzing nginx’s error log, or (recommended) start the project by an intensive auto-learning phase that will automatically generate whitelisting rules regarding website’s behaviour.Nginx Web Application Firewall logo Nginx Web Application Firewall Nginx Web Application Firewall

In short, Naxsi behaves like a DROP-by-default firewall, the only job needed is to add required ACCEPT rules for the target website to work properly.


  • Naxsi (Nginx Anti Xss Sql Injection) is an open source, high performance, low rules maintenance, Web Application Firewall module for Nginx, the infamous web server and reverse-proxy.
  • Its goal is to help people securing their web applications against attacks like SQL Injections, Cross Site Scripting, Cross Site Request Forgery, Local & Remote file inclusions.
  • The difference with most WAF (Web Application Firewalls) out there is that it does not rely upon signatures to detect and block attacks. It uses a simpler model where, instead of trying to detect “known” attacks, it detects unexpected characters in the HTTP requests/arguments.
  • Each kind of unusual character will increase the score of the request. If the request reaches a score considered “too high”, the request will be denied, and the user will be redirected to a “forbidden” page. Yes, it works somewhat like a spam system.


NAXSI means Nginx Anti Xss & Sql Injection

[adsense size='1']

Why it is different?

On the contrary of most Web Application Firewall, Naxsi doesn’t rely on a signature base, like an antivirus, and thus cannot be circumvented by an “unknown” attack pattern. Another main difference between Naxsi and other WAF, Naxsi filters Get & Posts resquests and is OpenSource and free to use for your company or personal own use (ie: as long as you don’t resell a service or product based on Naxsi to customers).


Performance review


You can install nginx+naxsi either from packages (available from official repositories on debian, freebsd, netbsd) or directly from source. As Nginx does not yet support runtime module loading, lot of people will choose compiling from source to avoid package maintainers delay.


Installation from packages

Packages are available for NetBSD, FreeBSD and Debian.


Installation from source

Naxsi should be working with all Nginx versions superior to 0.8.X. To install it from source, we need to fetch both nginx and naxsi sources.

 tar xvzf nginx-x.x.xx.tar.gz 
 tar xvzf naxsi-x.xx.tar.gz
 cd nginx-x.x.xx/


 ./configure --add-module=../naxsi-x.xx/naxsi_src/ [add/remove your favorite/usual options]
 make install


Nginx Web Application Firewall: Initial setup

Let’s take the first step to use : setting up learning mode for your website ! This page assumes you already know how to properly configure nginx without naxsi and make it work. /etc/nginx/nginx.conf :

 user                www-data;
 worker_processes    1;
 worker_rlimit_core  500M;
 working_directory   /tmp/; 
 error_log           /var/log/nginx/error.log;
 pid                 /var/run/; 
 events {
     worker_connections 1024;
     use epoll;
     # multi_accept on;
 http {
     include                        /etc/nginx/naxsi_core.rules;
     include                        /etc/nginx/mime.types;
     server_names_hash_bucket_size  128;
     access_log                     /var/log/nginx/access.log;
     sendfile                       on;
     keepalive_timeout              65;
     tcp_nodelay                    on;
     gzip                           on;
     gzip_disable                   "MSIE [1-6]\.(?!.*SV1)";
     include                        /etc/nginx/sites-enabled/*;

Notice the /etc/nginx/naxsi_core.rules include. This is the only thing you need to add to your existing `http {}` section if you already have a configuration. naxsi_core.rules is provided in the project (naxsi_config/), and contains naxsi rules. As you might notice, these are not signatures, in the classic WAF sense, but simple “score rules”, ie :

 MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;

You can see more about rules syntax at rulessyntax Now, let’s have a look at /etc/nginx/site-enabled/default :

 server {
     proxy_set_header  Proxy-Connection "";
     listen            *:80;
     access_log        /tmp/nginx_access.log;
     error_log         /tmp/nginx_error.log debug;   
     location / {
          include           /etc/nginx/naxsi.rules;
          proxy_pass        https://x.x.x.x/;
          proxy_set_header  Host;
     location /RequestDenied {
         return 418;

The naxsi’s configuration itself is in the file /etc/nginx/naxsi.rules :

 LearningMode; #Enables learning mode
 DeniedUrl "/RequestDenied";
 ## check rules
 CheckRule "$SQL >= 8" BLOCK;
 CheckRule "$RFI >= 8" BLOCK;
 CheckRule "$TRAVERSAL >= 4" BLOCK;
 CheckRule "$EVADE >= 4" BLOCK;
 CheckRule "$XSS >= 8" BLOCK;

With the following setup :

  • Naxsi will be enabled
  • Naxsi will not block any requests (while LearningMode is active)
  • To-be-blocked requests will generate event logs in your location’s error.log file

Exception do look like (let’s request

 2013/05/30 20:09:43 [error] 8404#0:*3 NAXSI_FMT: ip=, client:, server: , request: "GET /?a=< HTTP/1.0", host: ""

Once you get this kind of lines in your error log, you have naxsi running in [LearningMode], congrats !


Nginx Web Application Firewall



Source && Download

Leave a Reply

Your email address will not be published.