Naxsi

NAXSI is an open-source web application firewall developed by Thibault “bui” Koechlin, NBS System’s CSO, and his team. This NGINX module, which NBS System uses itself, hardens websites against web attacks, in particular XSS and SQL injection.

In keeping with the open-source spirit, and to keep improving the tool, a feedback survey is available on NAXSI’s GitHub page. Here is a summary of that feedback.

What is NAXSI used for?

264 answers have been received since the survey went online in March 2012. At the time they answered, the respondents were:

  • 31%: testing the tool
  • 49%: using NAXSI in a pre-production environment
  • 20%: using it in production

The size of the websites the respondents handle also varies widely, as the table below shows:

[Table: website traffic per environment]

Most respondents (63%) handle websites with fewer than 5000 visitors per month. The largest group (37% of all respondents) handles websites with fewer than 100 visits per month.

Note, though, that 42% of the respondents using NAXSI in pre-production handle websites with several hundred visitors per day or more! On the highest-traffic websites, NAXSI is in fact most often used for testing or in a pre-production environment.

However, given the positive comments left by the respondents, it is more than likely that most of those who were testing NAXSI or using it in pre-production when they answered have since integrated it into their production environment! If this is your case, do not hesitate to let us know what tipped the scale…

NAXSI: why use it?

The survey asked the respondents for the main reason they use NAXSI.

Here are their answers:

  • 34%: because I’m paranoid
  • 29%: because confidence doesn’t exclude control!
  • 20%: because I know my website has some vulnerabilities
  • 17%: other

Among the respondents who chose “other”, some gave details in their comments:

  • 18%: request from their company, a partner, a client…
  • 16%: testing of the tool
  • 16%: input of an extra security layer
  • 13%: comparison with ModSecurity
  • 11%: search for tools after being attacked

Some of these answers raised interesting points. Taken together, the answers can be grouped into a few broad motivations:

[Chart: breakdown of reasons for using NAXSI]

  • Security layer: 65% of respondents simply want to ensure their security as much as possible
  • Vulnerability: 21% know that their website is vulnerable, or have been through an attack
  • Testing: 6% are testing the tool or comparing it with other protection tools
  • Obligation: 3% use NAXSI because they have to
  • No answer: 5% did not answer (other / no comment)

Indeed, as a web application firewall, NAXSI sits on top of the other protection layers already present in an infrastructure. Whether or not you know your website is vulnerable, it adds a layer of defence against the main web attacks, just like a shield.

What improvements could be applied to NAXSI?

In the interest of continuous improvement, the survey also asked NAXSI’s users about potential issues, remarks or points for improvement. Several of these answers concerned specifics of a website or of the environment in which the respondent used or tested NAXSI.

However, one request stood out: 29% of respondents asked for better documentation. True, integrating a new tool is not always easy! But one must not forget that NAXSI is open source: its creators, though committed and delivering regular improvements, also work on other projects.

We therefore count on your participation! NAXSI’s wiki can be edited by anyone: do not hesitate to complete the tool’s documentation and make your contribution!

What do users think of NAXSI?

“I have more than 10 web developers and auditing each code before go live is ideal but we don’t have enough manpower. I don’t see any reason why we should remove NAXSI.”

“NAXSI is fantastic. The response time decrease is negligible if any.”

“With NAXSI the application doesn’t crash and I can sleep easier! […] It does exactly what it’s supposed to do and it does it exceedingly well.”

“I love frogs. They are so cute and gentle. Should be revered by everybody.”

“As a penetration tester, I’ve met with NAXSI many times, and most of them it resulted in a loss for me.”

“The idea behind the product is pure genius :)”

“This is way too easy to use, how can I justify my job with such a tool?”

“GOOOD JOB!!!”

Of course, we have only quoted some of the comments that were written here… all positive! A great victory for NAXSI and for the security of the Web as a whole.

Go to NAXSI’s GitHub!

Lucie Saunois
An IT aficionado, especially when it comes to cybersecurity, since she joined OT Group in 2015, Lucie specializes in making technical, and often complex, topics understandable to anyone.