Introduction

Welcome to our comprehensive series on Azure Web Application Firewall (WAF) security! In this final installment, we’ll be diving deep into protecting against data exfiltration attempts. This hands-on tutorial is part of a four-part series designed to demonstrate Azure WAF’s capabilities in identifying and mitigating various cyber threats.

Series Overview

  1. Part 1: Lab Setup – Building Your Azure WAF Testing Environment
  2. Part 2: Reconnaissance Playbook – Testing Azure WAF Protection
  3. Part 3: Vulnerability Exploitation Playbook – Azure WAF vs XSS
  4. Part 4: Data Disclosure and Exfiltration Playbook (This post)

What You’ll Learn

In this tutorial, you’ll:

  • Simulate a SQL Injection (SQLi) attack against an OWASP Juice Shop application
  • Compare application behavior with and without Azure WAF protection
  • Analyze WAF logs using Azure Monitor Workbooks

Prerequisites

Before starting this tutorial, ensure you have:

Lab Scenario: Protecting Against SQL Injection

We’ll explore two scenarios:

  1. Direct attack on the vulnerable application
  2. Attack attempt through Azure WAF protection

Scenario 1: Direct SQLi Attack

  1. Access the Kali VM
  2. Launch Burp Suite
  3. Ensure you have Burp Suite configured and running as described in the Configuring Burp Suite and Firefox section of the Vulnerability Exploitation Playbook
  4. Browse to the Juice Shop application (http://owaspdirect-<deployment guid>.azurewebsites.net)
  5. In the search bar on the Juice Shop website, type “apple”
  6. In Burp Suite, check the Proxy –> HTTP history tab for the request and response data for this website
  7. Identify the vulnerable /rest/products/search endpoint
    • The /rest/products/search endpoint of the OWASP Juice Shop application is vulnerable to SQL injection; we will be exploiting the SQLi vulnerability in this endpoint
  8. Examine the request and response in Burp Suite
  9. Use Burp Suite’s Repeater to inject a malicious SQL query
  10. Right-click one of the GET requests to the /rest/products/search endpoint and then click Send to Repeater
  11. In the Burp Repeater window, locate the parameter /rest/products/search?q= in the request URI. After the “=” sign, paste your encoded SQL query. This appends the query to the existing search parameter.
    • %71%77%65%72%74%27%29%29%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%69%64%2c%20%65%6d%61%69%6c%2c%20%70%61%73%73%77%6f%72%64%2c%20%27%34%27%2c%20%27%35%27%2c%20%27%36%27%2c%20%27%37%27%2c%20%27%38%27%2c%20%27%39%27%20%46%52%4f%4d%20%55%73%65%72%73%2d%2d
  12. After pasting your encoded SQL query into the search parameter, click the “Send” button to submit the request.
  13. Observe the successful data exfiltration

Scenario 2: SQLi Attack Through Azure WAF

  1. Launch a new Burp Suite instance
  2. Browse to the protected application (http://juiceshopthruazwaf.com)
  3. Attempt the same SQL injection
  4. Observe Azure WAF blocking the malicious request
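
Why percent-encoding every character of the query does not get it past inspection: the value is URL-decoded before signatures are matched. The sketch below is an added example, not code from the original post or from Azure WAF; the three regular expressions are simplified stand-ins chosen for illustration and are not the managed rule set.

```python
import re
from urllib.parse import unquote

# The q= value from Scenario 1 of this post, split only for line length.
ENCODED_Q = (
    "%71%77%65%72%74%27%29%29%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20"
    "%69%64%2c%20%65%6d%61%69%6c%2c%20%70%61%73%73%77%6f%72%64%2c%20"
    "%27%34%27%2c%20%27%35%27%2c%20%27%36%27%2c%20%27%37%27%2c%20"
    "%27%38%27%2c%20%27%39%27%20%46%52%4f%4d%20%55%73%65%72%73%2d%2d"
)

# Hypothetical, simplified signatures (assumption: NOT the real WAF rules).
SIGNATURES = {
    "union-select": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "sql-comment-terminator": re.compile(r"--\s*$"),
    "quote-paren-breakout": re.compile(r"'\s*\)"),
}


def normalise(value, max_rounds=3):
    """URL-decode until the value stops changing (bounded), so that a
    value encoded more than once is still reduced to plain text."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(value, decode=True):
    """Return the sorted names of the signatures that match the value."""
    target = normalise(value) if decode else value
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(target))


if __name__ == "__main__":
    print("raw bytes :", inspect(ENCODED_Q, decode=False))
    print("normalised:", inspect(ENCODED_Q))
    print("benign    :", inspect("apple"))
```

Matching on the raw bytes finds nothing, because the keywords, quotes and comment marker exist only as `%xx` escapes until the value is decoded.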

Analyzing WAF Logs

We’ll use the Azure Monitor Workbook for WAF to gain insights:

  1. Access the WAF workbook in Azure Portal
  2. Set appropriate filters (time range, WAF type)
  3. Examine key sections:
    • WAF actions
    • Blocked Request URIs
    • Top event triggers
    • Detailed messages
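
The same four views can be computed offline from exported firewall log lines, which helps when checking what the workbook is actually counting. This is an added example, not part of the original post or the workbook. It assumes an Application Gateway WAF whose records use the `ApplicationGatewayFirewallLog` category with `action`, `ruleId`, `message`, `requestUri` and `clientIp` under `properties`; every record, rule ID, message and IP address below is constructed sample data.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

FW = "ApplicationGatewayFirewallLog"  # assumed log category
URI = "/rest/products/search?q=<encoded-query>"  # placeholder, not a payload


def _rec(category, action, rule_id, message, uri):
    """Build one constructed record in the assumed resource-log JSON shape."""
    return json.dumps({"category": category, "properties": {
        "clientIp": "203.0.113.10", "hostname": "juiceshopthruazwaf.com",
        "requestUri": uri, "ruleId": rule_id, "message": message,
        "action": action}})


# Constructed sample: two blocked attempts, one access-log record, one bad line.
SAMPLE_LINES = [
    _rec(FW, "Matched", "942100", "SQL Injection Attack Detected via libinjection", URI),
    _rec(FW, "Blocked", "949110", "Inbound Anomaly Score Exceeded", URI),
    _rec(FW, "Matched", "942100", "SQL Injection Attack Detected via libinjection", URI),
    _rec(FW, "Blocked", "949110", "Inbound Anomaly Score Exceeded", URI),
    _rec("ApplicationGatewayAccessLog", "", "", "", "/rest/products/search?q=apple"),
    "{truncated",
]


def summarise(lines, category=FW):
    """Compute the four workbook views from raw JSON log lines."""
    actions, blocked_uris, triggers, details = Counter(), Counter(), Counter(), []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of failing
        if not isinstance(rec, dict) or rec.get("category") != category:
            continue  # keep firewall records only, not access logs
        p = rec.get("properties", {})
        action = p.get("action", "Unknown")
        actions[action] += 1
        triggers[p.get("ruleId", "?")] += 1
        if action == "Blocked":
            # Group by path so differently encoded queries share one bucket.
            blocked_uris[urlsplit(p.get("requestUri", "")).path] += 1
        details.append((p.get("clientIp"), p.get("ruleId"), action, p.get("message")))
    return {"actions": dict(actions), "blocked_uris": dict(blocked_uris),
            "top_triggers": triggers.most_common(5), "details": details}


if __name__ == "__main__":
    for view, value in summarise(SAMPLE_LINES).items():
        print(view, "->", value)
```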

Key Takeaways

  • SQL Injection remains a critical web application vulnerability
  • Azure WAF provides robust protection against SQLi attacks
  • WAF can detect and block suspicious queries at the network edge
  • Proper log analysis is crucial for understanding attack patterns

Next Steps

  1. Practice identifying other types of attacks in your lab
  2. Explore additional WAF configuration options for your specific use cases

By completing this series, you’ll have gained valuable hands-on experience in setting up, testing, and analyzing Azure WAF protection against various cyber threats.

Stay tuned for more in-depth Azure security tutorials and happy securing!

administrator

Microsoft MVP | Speaker | Azure Service Delivery Lead at Bespin Global MEA, helping customers build successful Azure practices. Talks about #AzureCloud and #AI