Web application firewall circumvention vulnerabilities discovered and addressed

UPDATED Security researchers at Synacktiv uncovered a series of vulnerabilities in the Naxsi web application firewall (WAF) after carrying out a source code review of the open source technology.

NBS System, the vendor behind Naxsi, has patched the various filtering flaws uncovered by the French security consultancy, allowing Synacktiv to disclose its main findings in a technical blog post.

Users are advised to update their installations to version 1.1a of the WAF technology.

The issues identified by the Synacktiv team were around the parsing of HTTP requests by the security tool, Synacktiv told The Daily Swig.

“Subtle parsing errors would fool the WAF to skip the analysis of part of the request,” Synacktiv’s chief exec Renaud Feil said.

“Malicious requests could for example include a null-byte or incorrect boundaries, thus evading the protection of the WAF and allowing an attacker to inject its malicious payload on the web application.”

Naxsi is a free and open source web application firewall for the Nginx web server. The WAF offers protection against cross-site scripting (XSS) and SQL injection attacks, among other web security threats.

The source code review of the open source WAF offers learning points for other developers.

Synacktiv’s Feil explained: “The lessons from this source code review are case studies for people involved in the parsing of HTTP requests, mostly WAF developers, but also web server developers or any systems that need to parse the raw content of an HTTP request properly.”
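The failure mode Feil describes above, a request that the WAF only partly analyses because its parser quietly tolerates a null byte or a boundary that does not match, comes down to one design rule: a WAF parser must fail closed, rejecting what it cannot parse rather than skipping it. The following is an added example, not Naxsi code and not from Synacktiv's review. It is a deliberately strict `multipart/form-data` pre-parser of the kind a WAF would run before its rule engine; the class, function and field names, the single `<script` signature and the constructed request bodies are all assumptions made for illustration.

```python
"""Fail-closed multipart/form-data pre-parser (added illustration, not Naxsi code).

A parser that silently drops what it cannot understand lets a request reach
the application with part of it never inspected. This one raises on every
ambiguity it meets (NUL bytes, boundary mismatch, missing terminator, malformed
part headers), and the caller treats "cannot parse" as "do not forward".
"""
import re
from typing import Dict, List, Tuple

# Characters RFC 2046 permits in a boundary token (max 70 chars, no NUL, no CR/LF).
BOUNDARY_TOKEN = re.compile(r"^[A-Za-z0-9'()+_,\-./:=?]{1,70}$")
NAME_PARAM = re.compile(rb'name="([^"]*)"')


class ParseRejected(Exception):
    """Raised whenever the body deviates from the grammar; never swallowed."""


def parse_multipart(body: bytes, boundary: str) -> Dict[str, List[bytes]]:
    """Return {field name: [values]} or raise ParseRejected. Nothing is skipped."""
    if not BOUNDARY_TOKEN.match(boundary):
        raise ParseRejected("invalid boundary token in Content-Type")
    if b"\x00" in body:
        # A NUL byte has no legitimate place in form-data headers and is a
        # classic way to truncate C-style string handling; refuse outright.
        raise ParseRejected("NUL byte in request body")

    delim = b"--" + boundary.encode("ascii")
    if not body.startswith(delim):
        # The body uses a different boundary than the header announced.
        raise ParseRejected("body does not start with the declared boundary")

    closing = b"\r\n" + delim + b"--"
    end = body.find(closing)
    if end < 0:
        raise ParseRejected("missing closing delimiter")
    if body[end + len(closing):].strip(b"\r\n"):
        # Data after the terminator would otherwise travel uninspected.
        raise ParseRejected("data after closing delimiter")

    inner = body[len(delim):end]
    if not inner.startswith(b"\r\n"):
        raise ParseRejected("opening delimiter not followed by CRLF")

    fields: Dict[str, List[bytes]] = {}
    for chunk in inner[2:].split(b"\r\n" + delim + b"\r\n"):
        head, sep, content = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise ParseRejected("part without header/body separator")
        name = None
        for line in head.split(b"\r\n"):
            hname, colon, hvalue = line.partition(b":")
            if not colon:
                raise ParseRejected("malformed part header line")
            if hname.strip().lower() == b"content-disposition":
                match = NAME_PARAM.search(hvalue)
                if not match:
                    raise ParseRejected("Content-Disposition without a name")
                name = match.group(1).decode("ascii")
        if name is None:
            raise ParseRejected("part without Content-Disposition")
        fields.setdefault(name, []).append(content)
    return fields


def inspect(body: bytes, boundary: str, signatures=(b"<script",)) -> Tuple[str, str]:
    """Decide 'allow' / 'block' / 'reject'. Unparseable input is rejected, never allowed."""
    try:
        fields = parse_multipart(body, boundary)
    except ParseRejected as err:
        return "reject", str(err)
    for name, values in fields.items():
        for value in values:
            for sig in signatures:
                if sig in value.lower():
                    return "block", f"field {name!r} matched {sig!r}"
    return "allow", f"{len(fields)} field(s) fully inspected"


# Constructed sample bodies (not taken from the article or the audit).
CLEAN = (b'--AaB03x\r\nContent-Disposition: form-data; name="a"\r\n\r\n1\r\n'
         b'--AaB03x\r\nContent-Disposition: form-data; name="b"\r\n\r\nhello\r\n'
         b'--AaB03x--\r\n')
SCRIPT = CLEAN.replace(b"hello", b"<script>x</script>")
NUL_BYTE = CLEAN.replace(b'name="b"', b'name="b"\x00')
WRONG_BOUNDARY = CLEAN.replace(b"--AaB03x", b"--AaB03y")
TRUNCATED = CLEAN[:-len(b"--AaB03x--\r\n")]

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("script", SCRIPT), ("nul", NUL_BYTE),
                          ("wrong boundary", WRONG_BOUNDARY), ("truncated", TRUNCATED)]:
        print(f"{label:15s} -> {inspect(sample, 'AaB03x')}")
```

The point is the three-way outcome: a request the parser understood and found harmless is allowed, one it understood and matched is blocked, and one it could not fit to the grammar is rejected with the reason logged. The tolerant alternative, where a bad boundary or a NUL simply ends parsing early, would turn the last category into a silent allow.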

Code review

NBS System, the company publishing Naxsi, chose a few years ago to release Naxsi as a free open source software.

Regis Saint-Paul, head of security and expertise at NBS System, explained that although it reviews its own code internally, it "believes there is no better way to find small bugs than to show this code to as many people as possible".

"Over the years, we’ve been happy to incorporate a number of contributions submitted on GitHub by our users, whether feature requests or bug reports," Saint-Paul told The Daily Swig.

"Nonetheless, as we considered switching from beta to version 1.0, we thought that hiring an external team for professional review would help spot possible remaining bugs. We chose to work with Synacktiv for this."

Although the problems identified by Synacktiv "may appear obvious to security experts in retrospect", the fact that the code had been available "all these years" and nobody spotted these issues before shows this is not actually the case, he added.

Saint-Paul concluded: "It also demonstrates that external audits are invaluable to spot hitherto unseen problems."


This story was updated to add comment from Regis Saint-Paul of NBS System
