List: nginx
Subject: Re: WordPress pingback mitigation
From: lists () lazygranch ! com
Date: 2017-05-21 9:57:59
Message-ID: 20170521095759.5742678.52155.29009 () lazygranch ! com
I suppose I'm stating the obvious, but if you are going to implement blocking schemes with either simple map matches or a full blown WAF like Naxsi, you will need a test suite. For a very simple website, you can just crawl it with wget and see what you broke. But if you have forms, databases, etc. you probably will have to resort to Selenium. And that just checks if you broke something, not if you stopped some exploit.

There are enough Web testing companies that you can get an occasional demo. I used tinfoilsecurity.com and it found one mistake. Besides dotdotpwn, I don't know of any free exploit testers. Maybe the list can suggest a few.
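A minimal version of the two-sided test suite the mail above describes, as an added example that is not code from the thread, from Naxsi or from any of the tools named: one set of cases checks that legitimate pages still come back as before (did the rules break the site), the other checks that pingback-shaped requests are now refused (did the rules stop what they were meant to stop). The paths, the 403 expectation and the use of a WordPress-style User-Agent as the pingback marker are assumptions about the site under test; the fetch function is injectable so the suite can run against a real host or against a stub while the rules are being written.

```python
"""Regression suite for nginx blocking rules (added example, not from the thread).

Cases with an expected status below 400 guard against breaking the site;
cases expecting 4xx guard against the blocking rule silently not firing.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Case:
    name: str
    path: str
    expect: int                      # status the server must return once rules are live
    method: str = "GET"
    headers: dict = field(default_factory=dict)
    body: Optional[bytes] = None


# Constructed cases; paths and the 403 expectation are assumptions about the
# site under test. Adjust them to whatever your map/naxsi rules actually do.
CASES = [
    Case("homepage still served", "/", 200),
    Case("post page still served", "/2017/05/hello-world/", 200),
    Case("feed still served", "/feed/", 200,
         headers={"User-Agent": "Mozilla/5.0 (constructed browser UA)"}),
    Case("pingback POST refused", "/xmlrpc.php", 403, method="POST",
         headers={"Content-Type": "text/xml",
                  "User-Agent": "WordPress/4.7; http://example.invalid"},
         body=b"<methodCall><methodName>pingback.ping</methodName></methodCall>"),
    Case("pingback UA on normal page refused", "/", 403,
         headers={"User-Agent": "WordPress/4.7; http://example.invalid"}),
]


def http_fetch(url, method, headers, body):
    """Real fetch: return the HTTP status, treating 4xx/5xx as results rather than errors."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def run_suite(base_url, cases, fetch):
    """Return (broken, not_blocked): descriptions of cases that failed each way."""
    broken, not_blocked = [], []
    for c in cases:
        status = fetch(base_url.rstrip("/") + c.path, c.method, c.headers, c.body)
        if status == c.expect:
            continue
        msg = f"{c.name}: expected {c.expect}, got {status}"
        # A legitimate request that no longer gets its normal status is breakage;
        # a request that should have been refused but was not is a rule that missed.
        (broken if c.expect < 400 else not_blocked).append(msg)
    return broken, not_blocked


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"  # assumed staging host
    broken, not_blocked = run_suite(base, CASES, http_fetch)
    for line in broken:
        print("BROKEN     ", line)
    for line in not_blocked:
        print("NOT BLOCKED", line)
    sys.exit(1 if (broken or not_blocked) else 0)
```

Run it against a staging host after each rule change (`python3 suite.py http://staging.example.invalid`); a non-zero exit means either a false positive or a rule that no longer fires, and the printed prefix tells you which. Crawling with wget still finds pages you forgot to list; this suite is for the requests you specifically want refused.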
Original Message
From: mex
Sent: Sunday, May 21, 2017 2:25 AM
To: nginx@nginx.org
Reply To: nginx@nginx.org
Subject: Re: WordPress pingback mitigation
pbooth Wrote:
-------------------------------------------------------
> Wow- I really like the sound of naxsi. In the past I've used F5's ASM,
> the WAF built on their big-ip platform. It was powerful though prone
> to false positives. I don't believe there are any real shortcuts that
> allow you to build an effective waf without understanding the details
> of your own website. These simply aren't build, deploy and forget
> devices. It sounds as if the creator of naxsi understands this.
>
hi,
naxsi-supporter and doxi-rules-maintainer here.
FPs are an issue for any blocking-mechanism.
what many people don't know: naxsi has an integrated whitelist-generator,
allowing you to tune your WAF against your own application. for people with
staging/deployment environments you can run naxsi there in learning-mode,
generating all whitelists needed on-the-fly and deploying them during your
regular deployments.
maybe overdosed for smaller setups, but fitting perfectly into
bigger setups.
and yes, naxsi needs more documentation and beginner-based manuals.
maybe this helps to understand the rules (and needs an update as well:)
https://zero.bs/naxis-rules-manual.html
regards,
mex
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,274339,274358#msg-274358
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx