The WAF Dilemma
How I lowered false positives with NGINX App Protect without compromising security.
To avoid WAF SQLi, XSS, etc. false positives on the HTTP POST payload, the app developer can encode the payload using common Base64; the app server can then easily decode it back.
https://developer.mozilla.org/en-US/docs/Web/API/Window/btoa
Encrypting the payload using a light cipher such as AES-128 is also possible.
JavaScript can do AES encryption, and it will be hardware accelerated.
https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/encrypt
https://en.wikipedia.org/wiki/AES_instruction_set
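A defender-side illustration of the trade-off behind this suggestion (added example, not code from the post or from NGINX App Protect): a small body inspector flags a tautology pattern in a raw POST field, shows that the same field packed in Base64 is invisible to an inspector that does not decode it, and shows that a decode-then-inspect normalization step keeps inspection working. The signatures, field names and sample bodies are constructed for the demo.

```javascript
// Constructed signatures standing in for a WAF ruleset (not NGINX App Protect rules).
const SIGNATURES = [
  { name: "sqli-tautology", re: /'\s*or\s+1\s*=\s*1/i },
  { name: "xss-script-tag", re: /<script\b/i },
];

const B64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Try to read a field value as Base64. Returns the decoded text, or null when the
// value does not look like Base64 or does not round-trip (so ordinary words such as
// "password", which happen to fit the alphabet, are not treated as encoded data).
function tryBase64Decode(value) {
  if (value.length < 8 || value.length % 4 !== 0 || !B64_RE.test(value)) return null;
  const decoded = Buffer.from(value, "base64").toString("utf8");
  if (Buffer.from(decoded, "utf8").toString("base64") !== value) return null;
  return decoded;
}

// Parse an application/x-www-form-urlencoded body into [name, value] pairs.
function parseForm(body) {
  return [...new URLSearchParams(body).entries()];
}

// Inspect every field against the signatures. With normalize=true the Base64-decoded
// form of each field is inspected as well, so "packing" the payload no longer blinds
// the inspector. Returns a list of "field:signature" hits.
function inspectBody(body, { normalize }) {
  const hits = [];
  for (const [name, value] of parseForm(body)) {
    const candidates = [value];
    if (normalize) {
      const decoded = tryBase64Decode(value);
      if (decoded !== null) candidates.push(decoded);
    }
    for (const candidate of candidates) {
      for (const sig of SIGNATURES) {
        if (sig.re.test(candidate)) hits.push(`${name}:${sig.name}`);
      }
    }
  }
  return hits;
}

// Constructed sample: the same comment text sent raw and Base64-packed by the client.
const COMMENT = "nice post ' or 1=1 --";
const RAW_BODY = "comment=" + encodeURIComponent(COMMENT);
const PACKED_BODY = "comment=" + encodeURIComponent(Buffer.from(COMMENT).toString("base64"));
```

Without normalization the packed body passes inspection untouched, which is the same outcome as not inspecting the body at all; with normalization the decoded field is inspected like the raw one.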
- Nikoolayy1, Aug 20, 2025
MVP
The F5 AWAF/ASM has an option "Do nothing" as shown in https://my.f5.com/manage/s/article/K38690758 (the bd process is used in the two cases, so most options should be the same), and I checked https://docs.nginx.com/nginx-app-protect-waf/v4/configuration-guide/configuration/ and the "do-nothing" option seems to be there as well, which does not inspect the body. Many use cases and ways to do stuff in Nginx like with F5 BIG-IP, and it is great 😀
- lnxgeek, Aug 20, 2025
MVP
How could I miss that?!?! I have been looking for that specific feature like forever in NAP 😆
It will solve a lot of issues for sure - Thanks!
- lnxgeek, Aug 20, 2025
MVP
Great input 👍
My problem is usually that I don't have access to the app owners, or it is a standard software stack where this is not an option.
Even if you pack your payload, you will still have issues with the Base64 character set, which in itself creates a lot of false positives.