BsidesHH - Nginx as a lightweight Web Application Firewall


On 28.12., Markus Manzke will give a talk titled "Nginx as a lightweight Web Application Firewall" and present the features of Naxsi, LuaWAF and Spike.

From the intro:

"Nginx is a fast and lightweight webserver and reverse proxy, and No. 1 among Alexa's Top 10k websites.

Extendable through 3rd-party modules, Nginx can be used as a fast WebApplicationFirewall: Naxsi is a module that extends Nginx with classical WAF features, namely rules to detect malicious behavior and classical attacks like SQL injection, XSS, path traversal and remote file inclusion. Another approach is LuWAF, a Lua-based WAF that connects the power of Nginx with the possibility to use scripting and logic. LuWAF (to be released as open source during BsidesHH) allows the use of IP reputation, detects non-browsers and is able to prevent Layer-7 DDoS attacks. Combined with a set of honeypots, LuWAF might even block access from malicious IPs.

The talk gives a short intro into Naxsi and LuWAF, explains where and against which attacks and exploits it might help (and where and why not). I'll explain how modern WAFs could help, via hotpatching, against exploits like ShellShock. On a side note I'll show how to use Spike!, a Naxsi rules builder, and how it helps to keep WAF installations up to date with current rules."
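The following Nginx configuration is an added example, not taken from the talk or from the Naxsi project itself. It shows the kind of Naxsi setup the intro describes: the shipped core rules are included, a location is protected with score thresholds for the attack classes named above (SQL injection, RFI, path traversal, XSS), blocked requests are routed to a denial location, and one whitelist shows the sort of tuning a rules builder like Spike! helps with. File paths, the hostname, the upstream address and the whitelisted rule id 1000 (assumed to be the "sql keywords" signature of the core rule set) are assumptions for this example.

```nginx
http {
    # Naxsi's signature rules ship with the module; the path is an assumption here.
    include /etc/nginx/naxsi_core.rules;

    server {
        listen 80;
        server_name www.example.test;   # constructed hostname

        location / {
            SecRulesEnabled;                # enable Naxsi for this location
            # LearningMode;                 # log matches without blocking while tuning
            DeniedUrl "/RequestDenied";     # internal redirect target for blocked requests

            # Each matching core rule adds to a per-class score;
            # a request is blocked once a threshold is reached.
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            # Assumed whitelist: the site's search parameter "q" legitimately
            # contains words like "select", so rule 1000 is ignored for it.
            BasicRule wl:1000 "mz:$ARGS_VAR:q";

            proxy_pass http://127.0.0.1:8080;   # constructed upstream application
        }

        location /RequestDenied {
            internal;       # only reachable via Naxsi's internal redirect
            return 403;     # blocked requests are logged by Naxsi and answered here
        }
    }
}
```

With LearningMode active, Naxsi only writes NAXSI_FMT lines to the error log; those lines are the input a rules builder uses to derive whitelists before switching to blocking mode.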

In addition there will be a Hacking Naxsi workshop, whose goal is to identify and eliminate Naxsi weaknesses.
