Web attacks prevented by Azure WAF and detected by Azure Sentinel

Azure WAF (Web Application Firewall) provides protection for web applications (IaaS, PaaS or on-premises) from common attacks (OWASP Top 10) like SQL injection and XSS (Cross-site scripting).

Azure WAF can be used on Azure Front Door and/or Azure Application Gateway, in our example we use Azure Application Gateway (simple setup).

Setup

In the setup we use DVWA (Damn Vulnerable Web Application) as the vulnerable web server (VM in Azure IaaS), another option is the Juice Shop, as our backend pool (target). Azure Application Gateway provides (layer 7) load balancing.

Azure WAF monitoring can be done via:
- Azure Monitor
- Azure Security Center (default)
- Azure Sentinel (Azure WAF Data Connector requires the Diagnostic setting from the Application Gateway to send the data to Azure Sentinel Log Analytics)

In this blog we will leverage Azure Sentinel for Detection and (optional) Response.

Firewall mode

Although it is advised to start in Detection (monitor) mode to learn and setup the baseline, our setup is set to Prevention mode.

Prevention mode blocks suspicious incoming traffic (the threshold value is 5 or above).

Reconnaissance

The first stage of an attack is reconnaissance where the system is scanned for vulnerabilities. Nikto (web server scanner) is used on our Kali Linux machine for the remote scan, directly on the DVWA and via the WAF (I created two DNS records for distinction and to avoid the alert ‘Host header is a numeric IP address’).

The system detects the DVWA as Linux (Ubuntu) server with Apache installed and the WAF as Azure Application Gateway. The scan on the DVWA shows vulnerabilities that can be exploited.

The output on the Azure WAF did not show any information about vulnerabilities.

Azure WAF protects web applications against web application reconnaissance.

Azure Sentinel
Azure Sentinel (Microsoft native Cloud SIEM) can be used to detect the use of Nikto. Create an Analytics (Incident) rule with the following KQL query

AzureDiagnostics
| where ResourceType == “APPLICATIONGATEWAYS”
| where Category == “ApplicationGatewayFirewallLog”
| where details_message_s contains “nikto”
| project Message, details_message_s, details_data_s, clientIp_s, action_s

If a remote web scan is detected an Incident is created for the SOC (Security Operations Center).

An automated playbook can be added for example to block the IP-address (clientIp_s).

SQL Injection

SQL injection is a technique to exploit vulnerabilities via code injection. An easy example is the input field to compare values. The statement ‘0’ = ‘0’ results in the value True because 0 is equal to 0.

When go to the DVWA and/or WAF URL (logon via the DVWA default credentials), set the DVWA Security level to Low, select SQL Injection and enter

%’ or ‘0’=’0

in the User ID field.

The result via the DVWA will show all user IDs. The results via the Azure WAF is the following error, this verifies the system is working as it should be.

Azure Sentinel
Azure Sentinel can be used to detect SQL injection techniques.

AzureDiagnostics
| where ResourceType == “APPLICATIONGATEWAYS”
| where Category == “ApplicationGatewayFirewallLog”
| where Message contains “SQL Injection”
| project Message, details_message_s, details_data_s, clientIp_s, action_s

The output shows different SQL Injection attacks.

With the KQL Query we can create an Analytics (Incident) rule and optional block the IP-address via a playbook.

Cross-site scripting

Cross-site scripting (XSS) is a technique to exploit web vulnerabilities via injecting client-side scripts into web applications to gain access control. If a web application (site) allows input like comment, username and/or email field without controls, this can be exploited via cross-site scripting.

Burpsuite can be used for a real world attack simulation but for the simplicity of this example we use the script below

<script>alert(“This is a XSS Exploit Test”)</script>

When go to the DVWA and/or WAF URL (logon via the DVWA default credentials), set the DVWA Security level to Low, select XSS (reflected)and enter the script above. The result directly on the DVWA is

The result via the Azure WAF is

Azure Sentinel
Azure Sentinel can be used to detect cross-site scripting attack techniques.

AzureDiagnostics
| where ResourceType == “APPLICATIONGATEWAYS”
| where Category == “ApplicationGatewayFirewallLog”
| where Message contains “XSS Attack”
| project Message, details_message_s, details_data_s, clientIp_s, action_s

The output shows different XSS attacks.

With the KQL Query we can create an Analytics (Incident) rule and optional block the IP-address via a playbook.

I hope this blogs shows value of Azure WAF for protecting web applications and Azure Sentinel to detect and optional respond to web app attacks.

Chief Technology Officer @ Nedscaper