Part 4: Data Exfiltration Playbook – Azure WAF Security Lab

Introduction

Welcome to our comprehensive series on Azure Web Application Firewall (WAF) security! In this final installment, we’ll be diving deep into protecting against data exfiltration attempts. This hands-on tutorial is part of a four-part series designed to demonstrate Azure WAF’s capabilities in identifying and mitigating various cyber threats.

Series Overview

What You’ll Learn

In this tutorial, you’ll:

Simulate a SQL Injection (SQLi) attack against an OWASP Juice Shop application
Compare application behavior with and without Azure WAF protection
Analyze WAF logs using Azure Monitor Workbooks

Prerequisites

Before starting this tutorial, ensure you have:

Completed the Azure WAF security lab setup
Finished the previous tutorials in this series
Familiarity with Burp Suite and Firefox (setup instructions provided)

Lab Scenario: Protecting Against SQL Injection

We’ll explore two scenarios:

Direct attack on the vulnerable application
Attack attempt through Azure WAF protection

Scenario 1: Direct SQLi Attack

Access the Kali VM
Launch Burp Suite
Ensure you have Burp Suite configured and running as described in the Configuring Burp Suite and Firefox section of the Vulnerability Exploitation Playbook
Browse to the Juice Shop application (http://owaspdirect-<deployment guid>.azurewebsites.net)
In the search bar on the Juice Shop website, type “apple”
In Burp Suite, check the Proxy –> HTTP history tab for the request and response data for this website
Identify the vulnerable /rest/products/search endpoint
- The /rest/products/search endpoint of the OWASP Juice Shop application is vulnerable to SQL injection, we will be exploiting the SQLi vulnerability in this endpoint
Examine the request and response in Burp Suite
Use Burp Suite’s Repeater to inject a malicious SQL query
Right-click one of the GET requests to the /rest/products/search endpoint and then click Send to Repeater

In the Burp Repeater window. In the Request URI, locate the parameter /rest/products/search?q=. After the “=” sign, paste your encoded SQL query. This appends the query to the existing search parameter.

%71%77%65%72%74%27%29%29%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%69%64%2c%20%65%6d%61%69%6c%2c%20%70%61%73%73%77%6f%72%64%2c%20%27%34%27%2c%20%27%35%27%2c%20%27%36%27%2c%20%27%37%27%2c%20%27%38%27%2c%20%27%39%27%20%46%52%4f%4d%20%55%73%65%72%73%2d%2d

After pasting your encoded SQL query into the search parameter, click the “Send” button to submit the request.
Observe the successful data exfiltration

Scenario 2: SQLi Attack Through Azure WAF

Launch a new Burp Suite instance
Browse to the protected application (http://juiceshopthruazwaf.com)
Attempt the same SQL injection
Observe Azure WAF blocking the malicious request

Analyzing WAF Logs

We’ll use the Azure Monitor Workbook for WAF to gain insights:

Access the WAF workbook in Azure Portal
Set appropriate filters (time range, WAF type)
Examine key sections:
- WAF actions
- Blocked Request URIs
- Top event triggers
- Detailed messages

Key Takeaways

SQL Injection remains a critical web application vulnerability
Azure WAF provides robust protection against SQLi attacks
WAF can detect and block suspicious queries at the network edge
Proper log analysis is crucial for understanding attack patterns

Next Steps

Practice identifying other types of attacks in your lab
Explore additional WAF configuration options for your specific use cases

By completing this series, you’ll have gained valuable hands-on experience in setting up, testing, and analyzing Azure WAF protection against various cyber threats.

Stay tuned for more in-depth Azure security tutorials and happy securing!

Mahmoud A. ATALLAH

Microsoft MVP | Speaker | Azure Service Delivery Lead at Bespin Global MEA, helping customers build successful Azure practices. Talks about #AzureCloud and #AI