Azure WAF to protect your Web Application

Published by david on

OVERVIEW

Azure WAF is part of Azure Application Gateway and  provides centralized protection of your web applications from common exploits and vulnerabilities.

I found that one simple and quick way to familiarise with Azure WAF is to use the Damn Vulnerable Web Application (DVWA)

This is a step by step demo guide to showcase the Azure Application Gateway WAF
This document will give you all the details you need to demo the WAF capabilities of an Azure Application Gateway and the Application Gateway Analytics Logs to review the WAF detention logs
The demo can be run from a windows or linux VM on your Azure subscription, fronted by an Application Gateway with WAF enabled and default OWASP 3.0 ruleset

In case you prefer to watch a 3 min video to run through the steps this is for you

https://vimeo.com/user92521147/review/304835242/88cd83245e

We will use the DVWA (Damn Vulnerable Web Application). This can be installed on a windows or linux VM. The following is for an ubuntu 16 image from the azure marketplace

SETUP

As minimum you will need a VM running DWA, your local machine with a browser, an Azure Application Gateway and a Azure Log Analytics with Application Gateway analytics module installed

To enable Application Gateway analytics follow this guide: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-azure-networking-analytics
For general info about Azure WAF: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-web-application-firewall-overview

To install DVWA on an ubuntu VM follow these steps:https://blogs.technet.microsoft.com/positivesecurity/2017/06/01/setting-up-damn-vulnerable-web-app-dvwa-on-ubuntu-in-azure/

More information about DVWA: http://www.dvwa.co.uk/
Default username and password to access DVWA are admin/password

If any of the tests are not working or the DVWA is giving unusual responses then the first action is to enter the “Setup” menu and reset the MySQL database.

Make sure the DVWA Security is set to Low

DEMO INSTRUCTIONS

The best way to demo the WAF capabilities is to run the tests against the Fronted Public IP address on the App Gateway. The gateway will have WAF enabled as detection (or transparent mode) so the following vulnerabilities will succeed against DVWA but you can log into Application Gateway Analytics and show that Azure WAF is detecting these attacks and if it was enabled in prevention mode (or blocking mode) it would block

TEST CASE 1: COMMAND INJECTION

This shows remote code injection

Comand = 127.0.0.1; ls -al

While WAF is on detection mode the vulnerability will go through, and we can see on the logs

When WAF is on prevention mode the violation is blocked:

Going to Log Analytics, Azure Diagnostics, Rule set OWASP and blocked
When WAF is on detection mode, look for ‘Warning, detected …’

TEST CASE 2: SQL INJECTION

SQL Injection vulnerability
Command = %’ or 1=’1

TEST CASE 3: XSS REFLECTED

Cross Site Scripting vulnerability

Command = <script>alert(“you have been hacked”)</script>

Categories: azuresecurity
Tags:

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

azure

Microsoft Threat Modeling Tool

Threat modeling is a core element of the Microsoft Security Development Lifecycle (SDL). It’s an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application. You can Read more…

azure

Azure Security Center -Secure Score Over Time Reports

You can now monitor your Azure Secure Score through API and even export how it changes over time to a Power BI report https://github.com/Azure/Azure-Security-Center/tree/master/Secure%20Score/PowerBI-SecureScoreReport

azure

Azure Monitor for Network Security

There is lots of new features coming along to Azure Monitor. Without a doubt, having non Azure resources (VMs, containers, databases) being treated as ‘native Azure citizens’ is a great contribution to have one single Read more…