Azure WAF is part of Azure Application Gateway and  provides centralized protection of your web applications from common exploits and vulnerabilities.

I found that one simple and quick way to familiarise with Azure WAF is to use the Damn Vulnerable Web Application (DVWA)

This is a step by step demo guide to showcase the Azure Application Gateway WAF
This document will give you all the details you need to demo the WAF capabilities of an Azure Application Gateway and the Application Gateway Analytics Logs to review the WAF detention logs
The demo can be run from a windows or linux VM on your Azure subscription, fronted by an Application Gateway with WAF enabled and default OWASP 3.0 ruleset

In case you prefer to watch a 3 min video to run through the steps this is for you


We will use the DVWA (Damn Vulnerable Web Application). This can be installed on a windows or linux VM. The following is for an ubuntu 16 image from the azure marketplace


As minimum you will need a VM running DWA, your local machine with a browser, an Azure Application Gateway and a Azure Log Analytics with Application Gateway analytics module installed

To enable Application Gateway analytics follow this guide: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-azure-networking-analytics
For general info about Azure WAF: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-web-application-firewall-overview

To install DVWA on an ubuntu VM follow these steps:https://blogs.technet.microsoft.com/positivesecurity/2017/06/01/setting-up-damn-vulnerable-web-app-dvwa-on-ubuntu-in-azure/

More information about DVWA: http://www.dvwa.co.uk/
Default username and password to access DVWA are admin/password

If any of the tests are not working or the DVWA is giving unusual responses then the first action is to enter the “Setup” menu and reset the MySQL database.

Make sure the DVWA Security is set to Low


The best way to demo the WAF capabilities is to run the tests against the Fronted Public IP address on the App Gateway. The gateway will have WAF enabled as detection (or transparent mode) so the following vulnerabilities will succeed against DVWA but you can log into Application Gateway Analytics and show that Azure WAF is detecting these attacks and if it was enabled in prevention mode (or blocking mode) it would block


This shows remote code injection

Comand =; ls -al

While WAF is on detection mode the vulnerability will go through, and we can see on the logs

When WAF is on prevention mode the violation is blocked:

Going to Log Analytics, Azure Diagnostics, Rule set OWASP and blocked
When WAF is on detection mode, look for ‘Warning, detected …’


SQL Injection vulnerability
Command = %’ or 1=’1


Cross Site Scripting vulnerability

Command = <script>alert(“you have been hacked”)</script>


Leave a Reply

Your email address will not be published. Required fields are marked *