New Nemesida WAF Free Build for NGINX

Last year, we released Nemesida WAF Free , a dynamic module for NGINX that blocks attacks on web applications. Unlike the commercial version based on machine learning, the free version only analyzes requests using the signature method.
Features of the release of Nemesida WAF 4.0.129
Prior to the current release, the Nemesida WAF dynamic module only supported Nginx Stable 1.12, 1.14, and 1.16. The new release adds support for Nginx Mainline starting from 1.17, and Nginx Plus starting from 1.15.10 (R18).
Why do another WAF?
NAXSI and mod_security are probably the most popular free WAF modules, and mod_security is actively promoted by Nginx, although, initially, it was used only in Apache2. Both solutions are free, open source, and many users all over the world. For mod_security, free and commercial, for $ 500 a year, signature sets are available, for NAXSI - a free set of signatures out of the box, you can also find additional rule sets such as doxsi.
This year we compared the performance of NAXSI and Nemesida WAF Free. Briefly about the results:
- NAXSI does not execute double URL decode in cookie
- NAXSI takes a very long time to configure - by default, the default rule settings will block most of the calls when working with a web application (authorization, editing a profile or material, participating in polls, etc.) and it is necessary to generate exception lists, which is bad for security. Nemesida WAF Free with default settings did not perform any false positives while working with the site.
- the number of missed attacks by NAXSI is many times higher, etc.
Despite the disadvantages, NAXSI and mod_security have at least two advantages - open source and a large number of users. We support the idea of disclosing the source code, but so far we cannot do it because of possible problems with the "piracy" of the commercial version, but to compensate for this drawback, we fully disclose the contents of the signature set. We value privacy and offer to verify this yourself using a proxy server.
Nemesida WAF Free Feature:
- high-quality signature database with a minimum of False Positive and False Negative.
- installation and updating from the repository (this is quick and convenient);
- simple and understandable events about incidents, not a mess, like NAXSI;
- completely free, has no restrictions on the amount of traffic, virtual hosts, etc.
In conclusion, I will give a few queries to evaluate the performance of WAF (it is recommended to use in each of the zones: URL, ARGS, Headers & Body):
')) un","ion se","lect 1,2,3,4,5,6,7,8,9,0,11#"]
')) union/**/select/**/1,/**/2,/**/3,/**/4,/**/5,/**/6,/**/7,/**/8,/**/9,/**/'some_text',/**/11#"]
union(select(1),2,3,4,5,6,7,8,9,0x70656e746573746974,11)#"]
')) union+/*!select*/ (1),(2),(3),(4),(5),(6),(7),(8),(9),(0x70656e746573746974),(11)#"]
')) /*!u%6eion*/ /*!se%6cect*/ (1),(2),(3),(4),(5),(6),(7),(8),(9.),(0x70656e746573746974),(11)#"]
')) %2f**%2funion%2f**%2fselect (1),(2),(3),(4),(5),(6),(7),(8),(9),(0x70656e746573746974),(11)#"]
%5B%221807182982%27%29%29%20uni%22%2C%22on
%20sel%22%2C%22ect%201%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C%2some_text%27%2C11%23%22%5D
cat /et?/pa?swd
cat /et'c/pa'ss'wd
cat /et*/pa**wd
e'c'ho 'swd test pentest' |awk '{print "cat /etc/pas"$1}' |bas'h
c\a\t \/\e\t\c/\p\a\s\sw\d
cat$u+/etc$u/passwd$u
Если запросы не будут заблокированы — то, скорее всего, WAF пропустит и реальную атаку. Перед использованием примеров убедитесь, что WAF не блокирует легитимные запросы.