Web Application Protection

Web applications are connected to the internet 24x7 and attacked continuously.

It is very important to Protect web applications against different types of attacks (prevention is better than the cure), but no security baseline can prevent 100% of breaches, so it is also important to Detect & Respond to attacks that bypass the protection layer.

Azure WAF (Web Application Firewall) detects attacks against web applications, and these detections can be surfaced in Azure Sentinel through (default & custom) incident and hunting rules and through dashboards for threat intelligence.

Let’s share some examples of the Detect phase. Nikto, SQL Injection and Cross-site scripting (XSS) are described in my previous blog, so let’s use some other examples.

Web application attack framework

The web application attack framework consists of three phases.

Reconnaissance

Reconnaissance is the passive and/or active phase of collecting information about the target (web site / application). Passive reconnaissance (e.g. a Google search) cannot be detected, whereas active reconnaissance can.

Different tools can be used to scan web applications for vulnerabilities and/or content like Nikto, Skipfish, Dirb(uster), GoBuster, Wfuzz, Cutycapt, etc.

An example is the output above: the left screen shows a direct attack (a Nikto web scan), the right screen the same attack via the Azure WAF. The different outputs confirm that the attack is prevented when a WAF (Web Application Firewall) is used.

Web scan tools like Wpscan (and WhatWeb) directly output the HTTP status code 403 (Forbidden) and state that the application is protected by a WAF (Web Application Firewall).

Other tools and techniques are verified to be blocked by the Azure WAF via the HTTP status code 403 in the logs (Log Analytics workspace).

We can use the following query in Azure Sentinel to detect the use of Wpscan, a web vulnerability scanner, and output the IP address of the attacker(s).

AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayFirewallLog"
| where details_message_s contains "wpscan"
| summarize IPs = make_set(details_data_s) by clientIp_s

Optionally block access from the attacker IP address (clientIp_s) or use it for correlation (threat intelligence).

Exploit

An exploit is a technique to take advantage of a vulnerability to cause unintended or unanticipated behavior. Such behavior frequently includes gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.

Different exploitation tools and techniques can be used; let’s use Security Misconfiguration (#6 OWASP Top 10) as an example.

Brute force is a technique to ‘guess’ the username and password to gain access to the system if default or weak passwords are used; often Burp Suite (Intruder feature) is used to ‘brute force’ the username and password combinations.

We can use the following query in Azure Sentinel to detect a brute force attack (example: more than 10 login attempts within one hour from the same IP address) and output the IP address of the attacker(s).

AzureDiagnostics
| where TimeGenerated > ago(1h)
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayAccessLog"
| where requestUri_s == "/login.php"
| summarize Count = count() by clientIp_s
| where Count > 10

Optionally block access from the attacker IP address (clientIp_s) or use it for correlation (threat intelligence).
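As an added example (not from the original blog, and not Azure or Sentinel code), the Python below re-implements the Wpscan and brute-force detections above against constructed AzureDiagnostics rows, so the logic can be checked offline before it becomes a Sentinel analytics rule. The records, timestamps and IP addresses are constructed, and the brute-force check uses a sliding one-hour window, which generalizes the fixed ago(1h) bucket of the query.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ApplicationGatewayAccessLog rows (not a real export); column names
# follow the AzureDiagnostics table used in the queries above.
T0 = datetime(2021, 5, 1, 10, 0, 0)
ACCESS_LOG = (
    [{"TimeGenerated": T0 + timedelta(minutes=m), "clientIp_s": "198.51.100.7",
      "requestUri_s": "/login.php"} for m in range(0, 55, 5)]        # 11 hits in 50 min
    + [{"TimeGenerated": T0 + timedelta(hours=2 * i), "clientIp_s": "203.0.113.9",
        "requestUri_s": "/login.php"} for i in range(12)]            # 12 hits over 24 h
    + [{"TimeGenerated": T0, "clientIp_s": "192.0.2.4", "requestUri_s": "/index.php"}]
)
# Constructed ApplicationGatewayFirewallLog rows.
FIREWALL_LOG = [
    {"clientIp_s": "198.51.100.7", "details_message_s": "Scanner detected: WPScan",
     "details_data_s": "User-Agent: WPScan v3.8"},
    {"clientIp_s": "192.0.2.4", "details_message_s": "SQL Injection Attack",
     "details_data_s": "Matched Data: ' OR 1=1"},
]

def brute_force_ips(rows, uri="/login.php", threshold=10, window=timedelta(hours=1)):
    """IPs with more than `threshold` requests to `uri` inside any sliding `window`.
    Generalizes the page's fixed ago(1h) bucket: a burst that straddles the bucket
    boundary (and is split by the fixed bucket) is still caught."""
    per_ip = defaultdict(list)
    for r in rows:
        if r["requestUri_s"] == uri:
            per_ip[r["clientIp_s"]].append(r["TimeGenerated"])
    flagged = []
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # drop hits older than the window
                start += 1
            if end - start + 1 > threshold:
                flagged.append(ip)
                break
    return sorted(flagged)

def scanner_ips(rows, needle="wpscan"):
    """Equivalent of `details_message_s contains "wpscan" | summarize make_set(...)`.
    KQL `contains` is case-insensitive, so both sides are lower-cased."""
    matched = defaultdict(set)
    for r in rows:
        if needle.lower() in r["details_message_s"].lower():
            matched[r["clientIp_s"]].add(r["details_data_s"])
    return {ip: sorted(data) for ip, data in matched.items()}
```

The slow client (12 hits spread over 24 hours) is not flagged, which shows why the threshold and window must be tuned together rather than counting hits in isolation.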

Exfiltration

Exfiltration is the phase of the attacker stealing (sensitive) data.

Different data exfiltration tools and techniques can be used but let’s use XXE (#4 OWASP Top 10) as an example.

XXE (XML External Entities) is a technique to gain access to the local file system and exfiltrate data by exploiting XML parsers.

We can use the following query in Azure Sentinel to detect the XXE attack and output the IP address of the attacker(s).

AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayFirewallLog"
| where details_data_s contains "XXE"
| summarize IPs = make_set(details_data_s) by clientIp_s

Optionally block access from the attacker IP address (clientIp_s) or use it for correlation (threat intelligence).

Conclusion

I hope this blog gives some insights on the importance of protecting web applications via the NIST cybersecurity framework functions Protect, Detect & Respond to prevent unauthorized access and data disclosure.

Chief Technology Officer @ Nedscaper