Introduction

Welcome to the third installment of our Azure Web Application Firewall (WAF) Security Lab series. In this comprehensive tutorial, we’ll dive deep into vulnerability exploitation, specifically focusing on Cross-Site Scripting (XSS) attacks and how Azure WAF protects against them.

Series Overview

  1. Part 1: Lab Setup – Building Your Azure WAF Testing Environment
  2. Part 2: Reconnaissance Playbook – Testing Azure WAF Protection
  3. Part 3: Vulnerability Exploitation Playbook – Azure WAF vs XSS (This post)
  4. Part 4: Data Disclosure and Exfiltration Playbook

Why XSS Matters

Cross-Site Scripting (XSS) remains one of the most prevalent and dangerous web application vulnerabilities. Attackers can use XSS to inject malicious scripts into trusted websites, potentially compromising user data, hijacking sessions, or even taking control of the application. Understanding how Azure WAF mitigates these threats is crucial for maintaining robust web application security.

What You’ll Accomplish

By the end of this tutorial, you will:

  1. Set up Burp Suite for intercepting and analyzing web traffic
  2. Perform a Server-Side XSS attack against the OWASP Juice Shop application
  3. Compare the results of XSS attempts with and without Azure WAF protection
  4. Analyze Azure WAF’s response using the Azure Monitor Workbook

Prerequisites

  • Completed Azure WAF security lab setup from Part 1
  • Familiarity with basic web security concepts and XSS attacks
  • Completion of the reconnaissance playbook tutorial (Part 2)

Setting Up Your Testing Environment

Configuring Burp Suite and Firefox

Burp Suite is a powerful web application security testing tool. We’ll use it to intercept and analyze requests and responses during our XSS attack attempts.

  1. Connect to your Kali Linux VM via RDP
  2. Launch Burp Suite:
    • If not installed, run sudo apt install -y burpsuite in the terminal
    • Applications > Web Application Analysis > burpsuite
  3. Configure Burp Suite:
    • Start a temporary project with default settings
    • In Target > Scope, add these URLs:
      http://owaspdirect-<deployment guid>.azurewebsites.net
      http://juiceshopthruazwaf.com
    • Optionally exclude /socket.io/ paths to reduce noise
    • Verify Proxy is running on 127.0.0.1:8080 (Proxy > Options)
    • Turn off intercept (Proxy > Intercept)
  4. Configure Firefox to use Burp Suite as a proxy:
    • Menu > Preferences > Network Proxy > Settings
    • Manual proxy configuration: 127.0.0.1:8080

Performing the XSS Attack

We’ll attempt a Server-Side XSS (Stored XSS) attack against the OWASP Juice Shop application in two scenarios:

Scenario 1: Direct Attack (Without WAF)

  1. Browse to http://owaspdirect-<deployment guid>.azurewebsites.net
  2. Navigate to Customer Feedback
  3. In the Comment box, paste this XSS payload:
    <iframe src="x-javascript&colon;alert(`xss`)">
  4. Complete the form and submit

Analysis:

  • Observe the “Thank you” message after submission
  • In Burp Suite, examine the request and response:
    • Request shows the XSS payload in the comment field
    • Response shows a 201 Created status, indicating the feedback was accepted and stored by the application

  • Verify the exploit:
    • Navigate to the “About Us” page
    • Observe the XSS alert pop-up, confirming the vulnerability

Scenario 2: Attack Through Azure WAF

  1. Open a new Firefox instance
  2. Browse to http://juiceshopthruazwaf.com
  3. Repeat the same steps to submit the XSS payload

Analysis:

  • Notice the absence of a “Thank you” message
  • In Burp Suite, examine the request and response:
    • Request is identical to Scenario 1
    • Response shows a 403 Forbidden status from Azure Application Gateway

Understanding WAF’s Response

To dive deeper into how Azure WAF handled the XSS attempt, we’ll use the Azure Monitor Workbook for WAF.

  1. Access the WAF workbook in Azure Portal
  2. Set appropriate filters:
    • Time Range
    • WAF Type
    • WAF Items
  3. Analyze the key sections:
    • WAF actions filter
    • Top Blocked Request URI addresses
    • Top event triggers by rule name
    • Client and Attack details

Key Findings:

  • Two requests to /api/Feedbacks/ were blocked
  • Multiple WAF rules were triggered, including:
    • XSS Attack Detected via libinjection
    • XSS Filter – Category 4: Javascript URI Vector
    • NoScript XSS InjectionChecker: HTML Injection
    • IE XSS Filters – Attack Detected
  • The traffic was blocked due to exceeding the Anomaly Score threshold (Total Score: 53, XSS=35)

In-Depth Analysis of WAF’s XSS Protection

Azure WAF employs a multi-layered approach to detect and block XSS attempts:

  1. Pattern Matching: WAF looks for known XSS patterns in requests, such as <script> tags, JavaScript event-handler attributes, or javascript: URIs.
  2. Anomaly Scoring: Each potential threat is assigned a score. When the cumulative score exceeds a threshold, the request is blocked.
  3. Context-Aware Filtering: WAF analyzes where and how potentially malicious content appears in the request.
  4. Libinjection: This library helps detect SQL injection and XSS attempts by tokenizing and analyzing input.
  5. Recursive Inspection: WAF can decode and analyze content multiple times to catch obfuscated attacks.

In our test, the XSS payload triggered multiple rules, demonstrating the effectiveness of this layered approach.
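To make the anomaly-scoring mechanism concrete, here is an added Python model (not Azure WAF's or the CRS project's code) that replays the lab's two scenarios: it approximates three of the rules named in the workbook with constructed regexes, decodes the input before matching to mimic recursive inspection, and blocks once the summed severity reaches the assumed default inbound threshold of 5. The libinjection rule is a tokenizer rather than a regex and is not modelled, and the lab's total score of 53 came from more rules than these three.

```python
import html
import re
from urllib.parse import unquote

# Simplified model of CRS-style anomaly scoring, the mechanism Azure WAF uses.
# Rule names are the ones the lab's workbook reported; the regexes below are
# constructed approximations, NOT the real CRS expressions.
CRITICAL = 5          # CRS score for a CRITICAL-severity match
BLOCK_THRESHOLD = 5   # Azure WAF inbound anomaly threshold (assumed default)

# (rule name, pattern, severity, inspect the decoded value instead of the raw one)
RULES = [
    ("NoScript XSS InjectionChecker: HTML Injection",
     re.compile(r"<\s*(iframe|script|img|svg|object|embed)\b", re.I), CRITICAL, True),
    ("XSS Filter - Category 4: Javascript URI Vector",
     re.compile(r"(java|vb)script\s*:", re.I), CRITICAL, True),
    ("IE XSS Filters - Attack Detected",   # entity-obfuscated colon, raw input
     re.compile(r"javascript\s*(&colon;|&#x?0*(58|3a);?)", re.I), CRITICAL, False),
]

# The payload submitted in the lab, kept here as constructed sample input.
LAB_PAYLOAD = '<iframe src="x-javascript&colon;alert(`xss`)">'


def normalize(value: str, max_rounds: int = 3) -> str:
    """Recursive inspection: undo URL and HTML-entity encoding until stable."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def evaluate(field_value: str) -> dict:
    """Run every rule, sum the severities, and compare with the threshold."""
    decoded = normalize(field_value)
    score, matched = 0, []
    for name, pattern, severity, inspect_decoded in RULES:
        if pattern.search(decoded if inspect_decoded else field_value):
            matched.append(name)
            score += severity
    return {"score": score, "matched": matched, "blocked": score >= BLOCK_THRESHOLD}


def submit_feedback(comment: str, through_waf: bool) -> int:
    """Status the lab observed: 201 when the app stores it, 403 when the WAF blocks."""
    if through_waf and evaluate(comment)["blocked"]:
        return 403
    return 201
```

Because the score is cumulative, a payload that dodges one rule still gets blocked when the remaining matches reach the threshold, which is why the workbook showed several rules firing on a single request.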

Key Takeaways

  1. XSS vulnerabilities can be easily exploited in unprotected applications, potentially leading to severe security breaches.
  2. Azure WAF effectively detects and blocks XSS attempts at the network edge, before they reach the application.
  3. The out-of-the-box ruleset in Azure WAF provides robust protection against various XSS techniques, including obfuscated payloads.
  4. WAF’s multi-layered approach (pattern matching, anomaly scoring, context analysis) provides comprehensive protection against evolving XSS threats.
  5. Regularly reviewing WAF logs and fine-tuning rules can further enhance your application’s security posture.

Next Steps

Now that we’ve seen how Azure WAF handles XSS attacks, we’re ready to explore even more sophisticated threats. In our next and final tutorial, we’ll dive into the “Data Disclosure and Exfiltration Playbook” where we’ll test Azure WAF’s capabilities against SQL Injection attacks.

Stay tuned, and keep your lab environment ready for the grand finale of our Azure WAF Security Lab series!

administrator

Microsoft MVP | Speaker | Azure Service Delivery Lead at Bespin Global MEA, helping customers build successful Azure practices. Talks about #AzureCloud and #AI