Title: Type your web-application parameters with naxsi
Date: 2015-03-29 14:00

Since I'm doing my internship at [NBS]( https://nbs-system.com ),
I'm playing a lot with [naxsi]( https://github.com/nbs-system/naxsi ).
It's a simple-stupid [WAF]( https://en.wikipedia.org/wiki/Application_firewall ), with
[basic rules]( https://raw.githubusercontent.com/nbs-system/naxsi/master/naxsi_config/naxsi_core.rules )
that should keep the kiddies away.

It has an auto-learning mode: you feed an *Elasticsearch* instance
with legitimate traffic (from a reverse proxy, for example), and it
does its best to generate whitelists for your applications,
since the default rules are pretty strict.
Every module and tool for naxsi works on this model.

Since not everyone has an Elasticsearch instance, I rewrote the
[typification]( https://raw.githubusercontent.com/jvoisin/naxsi/tool/tools/typer.py )
module so that you can now feed it with
[combined log format (CLF)]( https://httpd.apache.org/docs/1.3/logs.html#combined ) instead.

It reads your logs, parses your *GET* parameters, and tries to find the
narrowest type for each of them, then outputs the matching naxsi rules. For example:

```console
$ python typer.py /var/log/nginx/dog-nail-art.com.access.log
BasicRule negative "rx:^[0-9a-z?&=+_-]+$" "msg:typed (url parameter) parameter" "mz:$ARGS_VAR:feed" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:ac" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:utm_content" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:fbconnect_action" "s:BLOCK";
BasicRule negative "rx:^[01]$" "msg:typed (boolean) parameter" "mz:$ARGS_VAR:bad_day" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:utm_campaign" "s:BLOCK";
BasicRule negative "rx:^[01]$" "msg:typed (boolean) parameter" "mz:$ARGS_VAR:author" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:gf_page" "s:BLOCK";
BasicRule negative "rx:^[01]$" "msg:typed (boolean) parameter" "mz:$ARGS_VAR:badday" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:utm_medium" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:type" "s:BLOCK";
BasicRule negative "rx:^[0-9a-f]+$" "msg:typed (hexadecimal) parameter" "mz:$ARGS_VAR:format" "s:BLOCK";
BasicRule negative "rx:^\d+$" "msg:typed (integer) parameter" "mz:$ARGS_VAR:paged" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:lang" "s:BLOCK";
BasicRule negative "rx:^\d+$" "msg:typed (integer) parameter" "mz:$ARGS_VAR:page_id" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:cmd" "s:BLOCK";
BasicRule negative "rx:^[0-9a-z]+$" "msg:typed (alphanum) parameter" "mz:$ARGS_VAR:m" "s:BLOCK";
BasicRule negative "rx:^\d+$" "msg:typed (integer) parameter" "mz:$ARGS_VAR:cat" "s:BLOCK";
BasicRule negative "rx:^\d+$" "msg:typed (integer) parameter" "mz:$ARGS_VAR:p" "s:BLOCK";
```
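
A minimal sketch of the typing pass described above, as an added example that is not the actual `typer.py`: it collects every value seen for each *GET* parameter and keeps the first type, narrowest first, that matches all of them. The type regexes are the ones in the output above; the function names, the `SAFE_NAME` filter and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Candidate types, narrowest first; the regexes are those in the output above.
TYPES = [
    ("boolean", r"^[01]$"),
    ("integer", r"^\d+$"),
    ("hexadecimal", r"^[0-9a-f]+$"),
    ("alphanum", r"^[0-9a-z]+$"),
    ("url parameter", r"^[0-9a-z?&=+_-]+$"),
]
REQUEST = re.compile(r'"GET (\S+) HTTP/[0-9.]+"')  # request field of a log line
SAFE_NAME = re.compile(r"[\w.-]+")  # names come from traffic: keep plain ones only
# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = """\
192.0.2.1 - - [29/Mar/2015:14:00:00 +0200] "GET /?p=12&lang=fr HTTP/1.1" 200 512 "-" "curl"
192.0.2.2 - - [29/Mar/2015:14:00:01 +0200] "GET /?p=7&lang=en&bad_day=1 HTTP/1.1" 200 512 "-" "curl"
192.0.2.3 - - [29/Mar/2015:14:00:02 +0200] "GET /?p=3&bad_day=0&q=nail%20art HTTP/1.1" 200 512 "-" "curl"
""".splitlines()

def collect_params(lines):
    """Map each GET parameter name to the set of values seen for it."""
    seen = {}
    for line in lines:
        match = REQUEST.search(line)
        if match:  # other methods and malformed lines are skipped
            query = urlsplit(match.group(1)).query
            for name, value in parse_qsl(query, keep_blank_values=True):
                seen.setdefault(name, set()).add(value)
    return seen

def narrowest_type(values):
    """Return (label, regex) of the first type matching every value, or None."""
    for label, regex in TYPES:
        # fullmatch, because Python's "$" also accepts a trailing newline
        if all(re.fullmatch(regex, value) for value in values):
            return label, regex
    return None  # too varied: emit no rule rather than a loose one

def make_rules(lines):
    """Build one naxsi BasicRule per parameter that could be typed."""
    rules = []
    for name, values in sorted(collect_params(lines).items()):
        typed = narrowest_type(values)
        if typed and SAFE_NAME.fullmatch(name):
            rules.append('BasicRule negative "rx:%s" "msg:typed (%s) parameter" '
                         '"mz:$ARGS_VAR:%s" "s:BLOCK";' % (typed[1], typed[0], name))
    return rules
```

Calling `make_rules(SAMPLE_LOG)` yields rules for `bad_day`, `lang` and `p`; the `q` parameter gets none because its decoded value contains a space that no type accepts.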

You may find this useful if you're hosting web applications with outdated
and exploitable plugins.
