Skip to content
This repository was archived by the owner on Nov 8, 2023. It is now read-only.

internal rules

Jump to bottom
bui edited this page Dec 6, 2018 · 4 revisions

Internal rules

Internal rules are rules that can be fired by naxsi, when request is incorrect or extremely unusual - or naxsi is not able to parse the request (ie. unknown content-type). Please note that those rules do not set an internal score, but usually just set the block flag of the request to 1.

You can whitelist those, but you should never have to do so. When whitelisting an internal rule, you might be disabling naxsi at least partially, so think twice about it.

weird_request

  • id: 1
  • action: block
  • impact: pass-thru

A request that cannot be understood by naxsi. When whitelisting this one, you are telling naxsi to blindly accept the request and not to parse it.

big_request

  • id: 2
  • action: block
  • impact : pass-thru

A request that is buffered on file system because it's too big. Naxsi doesn't parse buffered requests. You can always increase client_body_buffer_size in nginx's config.

uncommon_hex_encoding

  • id: 10
  • action: block
  • impact : partial loss of decoding

Hex encoding that is not valid, and that naxsi cannot "url decode".

uncommon_content_type

  • id: 11
  • action: block
  • impact : pass-thru on BODY

A content-type unknown to naxsi. Meaning naxsi cannot parse the body. However, if id:11 is whitelisted and >= 0.55rc2, RAW_BODY rules can be used.

uncommon_url

  • id: 12
  • action: block
  • impact: partial pass-thru on GET args

An URL that is not standard (ie. ?x=foo&z=bar). Can lead to uncorrectly parsed arguments when whitelisted.

uncommon_post_format

  • id: 13
  • action: block
  • impact: pass-thru on BODY

POST body is malformed, ie.

  • bad content-disposition
  • no variable name
  • malformed attached file content-type

uncommon_post_boundary

  • id: 14
  • action: block
  • impact: pass-thru on BODY

POST body is malformed, ie.

  • bad content-type
  • bad boundary (too short, too long, not rfc compliant)

invalid_json

  • id: 15
  • action: block
  • impact: pass-thru on BODY (json)

JSON is malformed (ie. missing } ]).

empty_body

  • id: 16
  • action: block
  • impact: pass-thru on BODY

Raised when body is empty and/or content-length is zero.

libinjection_sql

  • id: 17
  • action: ??

See libinjection.

libinjection_xss

  • id: 18
  • action: ??

See libinjection.

no_rules

  • id: 19
  • action: drop
  • impact: no rules checked

Raised when naxsi isn't configured with any MainRules.

bad_utf8

  • id: 20
  • action: drop

Raised when surrogate utf8 is detected.

Clone this wiki locally