Re: WordPress pingback mitigation

May 21, 2017 06:00AM
I suppose I'm stating the obvious, but if you are going to implement blocking schemes with either simple map matches or a full-blown WAF like Naxsi, you will need a test suite. For a very simple website, you can just crawl it with wget and see what you broke. But if you have forms, databases, etc. you will probably have to resort to Selenium. And that just checks whether you broke something, not whether you stopped some exploit.

There are enough Web testing companies that you can get an occasional demo. I used tinfoilsecurity.com and it found one mistake. Besides dotdotpwn, I don't know of any free exploit testers. Maybe the list can suggest a few.


  Original Message  
From: mex
Sent: Sunday, May 21, 2017 2:25 AM
To: nginx@nginx.org
Reply To: nginx@nginx.org
Subject: Re: WordPress pingback mitigation

pbooth Wrote:
-------------------------------------------------------
> Wow, I really like the sound of naxsi. In the past I've used F5's ASM,
> the WAF built on their big-ip platform. It was powerful though prone
> to false positives. I don't believe there are any real shortcuts that
> allow you to build an effective WAF without understanding the details
> of your own website. These simply aren't build, deploy and forget
> devices. It sounds as if the creator of naxsi understands this.
>


hi,

naxsi supporter and doxi-rules maintainer here.

FPs are an issue for any blocking mechanism.
What many people don't know: naxsi has an integrated whitelist generator,
allowing you to tune your WAF against your own application. For people with
staging/deployment environments, you can run naxsi there in learning mode,
generating all whitelists needed on the fly and deploying them during your
regular deployments.

Maybe overkill for smaller setups, but fitting perfectly into
bigger setups.


And yes, naxsi needs more documentation and beginner-oriented manuals.
Maybe this helps to understand the rules (and needs an update as well :)
https://zero.bs/naxis-rules-manual.html


regards,


mex

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,274339,274358#msg-274358

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Thread index (Subject, Author, Posted):

WordPress pingback mitigation - gariac - May 20, 2017 04:30AM
Re: WordPress pingback mitigation - c0nw0nk - May 20, 2017 06:35AM
Re: WordPress pingback mitigation - gariac - May 20, 2017 11:44AM
Re: WordPress pingback mitigation - c0nw0nk - May 20, 2017 12:35PM
Re: WordPress pingback mitigation - alexsamad - May 20, 2017 06:16PM
Re: WordPress pingback mitigation - gariac - May 21, 2017 03:42AM
Re: WordPress pingback mitigation - pbooth - May 21, 2017 01:30AM
Re: WordPress pingback mitigation - mex - May 21, 2017 05:25AM
Re: WordPress pingback mitigation - gariac - May 21, 2017 06:00AM
