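# naxsi unit tests: rule ids, whitelists (BasicRule wl:), LearningMode and
# CheckRule comparison operators. Every block below drives a real nginx
# instance through Test::Nginx::Socket and pins the resulting HTTP status:
# 412 is emitted by the /RequestDenied location, so a 412 means the WAF
# blocked the request; 200 means it was let through.
#
# The original listing had editor gutter line numbers fused onto every line
# (e.g. `1use lib 'lib';`), which is not valid Perl; they are dropped here
# and the one-line-per-statement layout is restored. The test data itself
# is unchanged.
use strict;
use warnings;

use lib 'lib';
use Test::Nginx::Socket;

# One test per block, each run repeat_each(2) times (Test::Nginx default
# is to re-run every block, so the plan has to account for it).
plan tests => repeat_each(2) * blocks();

# The blocks define their own `location /`, so the framework must not
# inject its default root location (it would collide).
no_root_location();
# Plain (non-Test::LongString) diagnostics on mismatch.
no_long_string();
# Exposes the per-run server root so `$TEST_NGINX_SERVROOT` in the
# `--- config` sections below resolves to the generated html/ directory.
$ENV{TEST_NGINX_SERVROOT} = server_root();

run_tests();

__DATA__
=== ID TEST 1.0: Drop rule without learning
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?bla=1999
--- error_code: 412

=== ID TEST 1.1: whitelisted drop rule without learning
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    BasicRule wl:1999 "mz:ARGS";
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?bla=1999
--- error_code: 200

=== ID TEST 1.2: bad whitelisted drop rule without learning
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    BasicRule wl:1999 "mz:URL";
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?bla=1999
--- error_code: 412

=== ID TEST 1.3: drop rule with learning
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
--- config
location / {
    SecRulesEnabled;
    LearningMode;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?bla=1999
--- error_code: 412



=== ID TEST 1.4: drop rule with learning + correct whitelist
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
--- config
location / {
    SecRulesEnabled;
    LearningMode;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    BasicRule wl:1999 "mz:$ARGS_VAR:bla";
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?bla=1999
--- error_code: 200


=== ID TEST 1.5: drop rule with learning + incorrect whitelist
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:DROP" id:1999;
--- config
location / {
    SecRulesEnabled;
    LearningMode;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    BasicRule wl:1999 "mz:$ARGS_VAR:bla|$URL:/x";
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?bla=1999
--- error_code: 412



=== ID TEST 2.0: drop checkrule
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
--- config
location / {
    SecRulesEnabled;
    LearningMode;
    DeniedUrl "/RequestDenied";
    CheckRule "$FOO >= 8" DROP;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?bla=1999
--- error_code: 412

=== ID TEST 2.1: drop checkrule, with whitelisted rule
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
--- config
location / {
    SecRulesEnabled;
    LearningMode;
    DeniedUrl "/RequestDenied";
    CheckRule "$FOO >= 8" DROP;
    BasicRule wl:1999 "mz:$URL:/|$ARGS_VAR_X:^bla$";
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?bla=1999
--- error_code: 200
=== ID TEST 2.2: drop checkrule, with failed whitelisted rule
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
--- config
location / {
    SecRulesEnabled;
    LearningMode;
    DeniedUrl "/RequestDenied";
    CheckRule "$FOO >= 8" DROP;
    BasicRule wl:1999 "mz:$URL:/|$ARGS_VAR_X:^bla1";
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?bla=1999
--- error_code: 412



=== ID TEST 3.0: <= checkrule (why not dude)
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$FOO <= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?bla=1999
--- error_code: 412
=== ID TEST 3.1: <= checkrule : Is useless, as score will go through value 8 before reaching 16, thus the checkrule will be applied
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$FOO <= 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?bla=1999&blu=1999
--- error_code: 412
=== ID TEST 3.2: < checkrule (why not dude)
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$FOO < 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?bla=1999
--- error_code: 200
=== ID TEST 3.3: < checkrule (why not dude)
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:7" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$FOO < 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?bla=1999
--- error_code: 412
=== ID TEST 3.4: > checkrule (why not dude)
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:8" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$FOO > 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?bla=1999
--- error_code: 200

=== ID TEST 3.5: > checkrule (why not dude)
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
MainRule "str:1999" "msg:foobar test pattern #1" "mz:ARGS" "s:$FOO:9" id:1999;
--- config
location / {
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$FOO > 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
}
location /RequestDenied {
    return 412;
}
--- request
GET /?bla=1999
--- error_code: 412


=== ID TEST 4.0: super long exception (trigger 400 bad request on old versions)
--- main_config
load_module /tmp/naxsi_ut/modules/ngx_http_naxsi_module.so;
--- http_config
include /tmp/naxsi_ut/naxsi_core.rules;
--- config
location / {
    SecRulesEnabled;
    LearningMode;
    DeniedUrl "/RequestDenied";
    CheckRule "$FOO > 8" BLOCK;
    root $TEST_NGINX_SERVROOT/html/;
    index index.html index.htm;
    error_page 405 = $uri;
}
location /RequestDenied {
    return 412;
}
--- request eval
use URI::Escape;
"POST /
a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2=<>(){}[]'--;=a&a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1=<>(){}[]'--;=a&a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3=<>(){}[]'--;=a&a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4a4=<>(){}[]'&a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5=<>(){}[]'"
--- error_code: 200

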