OWASP AppSec Europe 2015

The talk is about naxsi, a web application firewall for Nginx.

Instead of relying on a database of attack signatures (negative model - most common approach), naxsi relies on a way smaller set of "uncommon" or "dangerous" patterns, and will use those to decide if a request is malevolent or legitimate.

This approach allows to drastically reduce the runtime cost of request analysis, and offers as well a very good resilience against obfuscated / unkown attacks. On the other hand, as it relies on a model that is closer to a "classic" network firewall (authorize legitimate traffic), it requires a heavier work on whitelists. This can be done quite easily thanks to naxsi's learning mode and helper tools.


The talk will be presented by Thibault Koechlin (Author of naxsi, NBS System). Rather than just a presentation of the software, I will try to present Naxsi from 3 different point of views :
- As a system Administrator
- As a pentester
- As a WAF author

The presentation will as well include "practical" examples, extracted from real life experiences :
- How to handle learning mode
- Learning mode challenges and limits
- Feedback from medium to big websites running Naxsi in production