[GH-ISSUE #61] Many attacks are bypassed and whitelist/blacklist IP #177

Closed
opened 2026-03-13 16:46:15 +03:00 by kerem · 6 comments
Owner

Originally created by @NgHuuAn on GitHub (Sep 14, 2021).
Original GitHub issue: https://github.com/ADD-SP/ngx_waf/issues/61

Hi,

We have tested with some tools to check the WAF, like the Nikto scan tool and OWASP, to check its ability to block and be bypassed, but still get bypassed quite a lot even though `waf_mode=FULL`.

![image](https://user-images.githubusercontent.com/31845795/133216308-3b6bb4de-3a5f-42f5-ade1-8b5ea6718f22.png)

Can you update these rules, or can we customize the rules in the path `/usr/local/src/ngx_waf/assets/rules`? It would be nice if this module could integrate with 3rd-party apps like ModSecurity, which we are currently using.

In addition, we don't really understand the IP whitelist and IP blacklist features. When we add an IP to the blacklist, that IP can still request the URL and URI of the website.

Looking forward to hearing from you soon

Thanks !

kerem 2026-03-13 16:46:15 +03:00
Author
Owner

@ADD-SP commented on GitHub (Sep 14, 2021):

Hi,

Thanks for the test!

By default, if an IP is added to the blacklist, then clients using that IP will receive HTTP status code 403. If a client's IP is added to the whitelist, then subsequent checks for `ngx_waf` will be skipped. Which checks are skipped depends on the priority setting, see [Rule Priority](https://docs.addesp.com/ngx_waf/advance/priority.html) for details.

We realized early on that `ngx_waf` is very easy to bypass, so we have integrated [libinjection](https://github.com/libinjection/libinjection) in v5.1.2, see [CHANGES](https://docs.addesp.com/ngx_waf/changes/5_x_x.html#_5-1-2-2021-04-30-gmt-0800).

We plan to integrate [ModSecurity](https://github.com/SpiderLabs/ModSecurity), but this will take some time. Internal testing is expected to take place this month, so if you are interested you can contact us via the contact information in the documentation so you can also participate in the internal testing effort.

Regards

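The whitelist/blacklist behaviour described in the reply above (blacklisted IP gets 403, whitelisted IP skips every check that comes after the whitelist check, and the priority order decides which checks those are) is easier to reason about as a pipeline. The following is an added, constructed model of that pipeline; it is not ngx_waf's own code, its rule sets and check names (`white-ip`, `black-ip`, `black-uri`) are made up, and the IP ranges are documentation addresses. It also shows the most common reason a blacklisted IP still reaches the site: behind a proxy or load balancer nginx sees the proxy's address on the socket, so an IP rule never matches the real client.

```python
"""Priority-ordered WAF check pipeline: a constructed model (not ngx_waf's code)
of the behaviour described in the issue thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Optional

ALLOW = 0  # sentinel verdict: stop checking and let the request through


@dataclass
class Request:
    remote_addr: str  # the address nginx sees on the socket (may be a proxy)
    uri: str


# A check returns None ("no opinion, keep going"), ALLOW, or an HTTP status.
Check = Callable[[Request], Optional[int]]


def ip_check(networks: list[str], verdict: int) -> Check:
    """Match remote_addr against CIDR networks; return verdict on a hit."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]

    def check(req: Request) -> Optional[int]:
        addr = ipaddress.ip_address(req.remote_addr)
        return verdict if any(addr in n for n in nets) else None

    return check


def uri_check(patterns: list[str], verdict: int) -> Check:
    """Match the request URI against regexes; return verdict on a hit."""
    compiled = [re.compile(p) for p in patterns]

    def check(req: Request) -> Optional[int]:
        return verdict if any(c.search(req.uri) for c in compiled) else None

    return check


def run_pipeline(checks: list[tuple[str, Check]], req: Request) -> tuple[int, str]:
    """Walk the checks in list order (the priority). The first decisive check
    ends the walk: ALLOW -> 200 and every later check is skipped; any other
    status is returned as-is. Returns (status, name of the deciding check)."""
    for name, check in checks:
        verdict = check(req)
        if verdict is None:
            continue
        return (200 if verdict == ALLOW else verdict), name
    return 200, "none"


# Constructed rule sets (documentation ranges, not rules from the project).
WHITE_IPS = ["192.0.2.0/24"]
BLACK_IPS = ["198.51.100.7/32"]
BLACK_URIS = [r"/etc/passwd", r"\.\./"]

# Priority A: whitelist IP first, so a whitelisted client skips the URI check.
PRIORITY_A = [
    ("white-ip", ip_check(WHITE_IPS, ALLOW)),
    ("black-ip", ip_check(BLACK_IPS, 403)),
    ("black-uri", uri_check(BLACK_URIS, 403)),
]
# Priority B: URI blacklist first, so a whitelisted client is still blocked on a bad URI.
PRIORITY_B = [
    ("black-uri", uri_check(BLACK_URIS, 403)),
    ("white-ip", ip_check(WHITE_IPS, ALLOW)),
    ("black-ip", ip_check(BLACK_IPS, 403)),
]


def demo() -> dict[str, tuple[int, str]]:
    """Run the constructed scenarios and return their verdicts."""
    bad_uri = "/index.php?f=../../etc/passwd"
    return {
        "blacklisted ip": run_pipeline(PRIORITY_A, Request("198.51.100.7", "/")),
        "whitelisted ip, bad uri, priority A": run_pipeline(PRIORITY_A, Request("192.0.2.9", bad_uri)),
        "whitelisted ip, bad uri, priority B": run_pipeline(PRIORITY_B, Request("192.0.2.9", bad_uri)),
        # The blacklisted client sits behind a proxy at 10.0.0.1: the IP rule never matches.
        "blacklisted client behind proxy": run_pipeline(PRIORITY_A, Request("10.0.0.1", "/")),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The last scenario is the one to check first when an IP blacklist appears not to work: confirm what address the WAF actually evaluates (the socket peer, or a trusted real-IP header) before assuming the rule itself is broken.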
Author
Owner

@NgHuuAn commented on GitHub (Sep 14, 2021):

Hi,

Just to tell you, this is a great module for nginx, as we can integrate many features into a single module instead of combining many different modules from the community. But there are still some limitations with bypassing some attacks, configuring or checking logs through a dashboard, support for more webservers, ... and if you can handle them you can turn this module into a commercial one (just like Imunify360 did).

Regarding the blacklist and whitelist issues, we will check and update you. Maybe we tested with old versions.

Yes, we will cooperate with you for testing if you need our help.

Regards !

Author
Owner

@ADD-SP commented on GitHub (Sep 16, 2021):

@NgHuuAn

Hello.

I have integrated ModSecurity in the branch `feature-modsecurity`; I was hoping you could help me test `ngx_waf` again. Please reopen this issue if you want.

I'm not familiar with the syntax of ModSecurity rules, I only learned some of them while testing the code, so I don't know which ModSecurity rules to provide, and I don't know if you have any available.

You need to install `libmodsecurity` before installing ngx_waf. If you have installed it before, you need to re-run the script `configure`. If you are using docker for testing, you can refer to `docker/Dockerfile.glibc` or `docker/Dockerfile.musl`.

You can enable ModSecurity with the following directive.

```nginx
waf_modsecurity on file=/path/to/modsecurity/rules.conf;
```

Regards !

Author
Owner

@NgHuuAn commented on GitHub (Oct 14, 2021):

Hi @ADD-SP ,

The current test results are better, you can check out the attached image below.

![image](https://user-images.githubusercontent.com/31845795/137310450-3563ddd1-c672-4c8b-9e69-2610826c7dae.png)

These attack patterns we have sent to you via email.

Thanks and Regards !

Author
Owner

@ADD-SP commented on GitHub (Oct 14, 2021):

> Hi @ADD-SP ,
>
> The current test results are better, you can check out the attached image below.
>
> ![image](https://user-images.githubusercontent.com/31845795/137310450-3563ddd1-c672-4c8b-9e69-2610826c7dae.png)
>
> These attack patterns we have sent to you via email.
>
> Thanks and Regards !

Thanks a lot!

Author
Owner

@NgHuuAn commented on GitHub (Oct 14, 2021):

Hi ADD-SP/ngx_waf,

Sorry for the delay in replying to you, I'm busy with other projects so I
can't reply to you right away. If you need the attack patterns we tested,
you can check the attached PDF file below for reference.

Thanks and Regards !

On Thu, Sep 16, 2021 at 11:24 PM ADD-SP @.***> wrote:

> @NgHuuAn https://github.com/NgHuuAn
>
> Hello.
>
> I have integrated ModSecurity in the branch feature-modsecurity, I was
> hoping you could help me test ngx_waf again, please reopen this issue if
> you can.
>
> I'm not familiar with the syntax of ModSecurity rules, I only learned some
> of them while testing the code, so I don't know which ModSecurity rules to
> provide, and I don't know if you have any available.
>
> You need to install libmodsecurity before installing ngx_waf. If you have
> installed it before, you need to re-run the script configure. If you are
> using docker for testing, you can refer to docker/Dockerfile.glibc or
> docker/Dockerfile.musl.
>
> You can enable ModSecurity with the following directive.
>
> waf_modsecurity on file=/path/to/modsecurity/rules.conf;
>
> Regards !