Tutorial: Set Up an Azure WAF Security Protection and Detection Lab
The purpose of the Azure WAF security protection and detection lab tutorial is to demonstrate Azure Web Application Firewall (WAF) capabilities in identifying, detecting, and protecting against suspicious activities and potential attacks against your Web Applications. This first tutorial in a four-part series walks you through creating a lab environment for testing against Azure WAF's protections. This lab focuses on the OWASP protection ruleset and logging capabilities of Azure WAF. The lab does not include advanced application security concepts and is not intended to be a reference for application security testing as these areas are broader than the use cases demonstrated herein. For more information about each tutorial in this series, refer to the previous section, Tutorial Overview.
Please refer to the above document for deployment instructions only and do not use the deployment template linked in it. The deployment template used in these lab tutorials is different from the one used in the deployment instructions document.
We recommend using the Azure WAF Attack Testing Lab Environment Deployment Template as it already contains all the components needed for this lab including a customized version of the OWASP Juice Shop application. The closer your lab is to the suggested lab setup, the easier it will be to follow the Azure WAF testing procedures. After deployment and minimum configuration steps, you will be ready to perform actions with the suggested hacking research tools and review Azure WAF's protections against those malicious actions.
When using the Azure WAF Attack Testing Lab Environment Deployment Template, additional resources such as VMs and Azure Front Door will be deployed. The below diagram represents resources in the environment which are utilized in this lab. The resources which are not used in this lab have been grayed out (VMs, Azure Front Door, DDoS Protection).
! IMPORTANT: This environment will be used as the baseline for the remainder of this document and the tutorial.
In this setup, traffic from the attacker machine (Kali VM) will be routed to the internet through the Azure Firewall. The successful attack path is the one where malicious data is sent directly by the attacker to the OWASP Juice Shop web application, leading to successful exploitation. The attack path defended by WAF is the one where malicious data is inspected by Azure WAF (on Azure Application Gateway) and blocked by its out-of-the-box ruleset before it reaches the web application.
You can also use a preexisting environment for this lab. For completing these tutorials, your environment must have the following key components:
An instance of the customized OWASP Juice Shop web application with an internet accessible endpoint
An instance of Application Gateway with Azure WAF which publishes the OWASP Juice Shop web application to the internet
An attacker machine (VM) with common hacking tools and internet connectivity. We use Kali Linux as the attacker VM
If manually deploying the components required for this tutorial, your complete lab setup should look as similar as possible to the following diagram:
Attacker VM (Kali Linux) with preinstalled vulnerability and penetration testing tools
Private & Public
Azure Firewall for outbound and inbound traffic restrictions and inspection
Azure WAF on Application Gateway
Private & Public
Azure Web Application Firewall preventing threats to the OWASP web application published through Application Gateway
OWASP Juice Shop Application. An open-source web application with built-in security vulnerabilities and CTF challenges
! IMPORTANT: For the scenarios demonstrated in this document, the OWASP Juice Shop application was running on HTTP port 3000. This is not the case when you use the Azure WAF Attack Testing Lab Environment Deployment Template, as it configures the application to run on ports 80 and 443 and assigns it a URL. For the lab tutorials, you will connect to the application on HTTP port 80 only. The URL for the application will be http://owaspdirect-<deployment guid>.azurewebsites.net.
Tip: As it is a security best practice, we strongly recommend that you change the default lab password after deployment.
Additional configuration is required on the Kali Linux VM before getting started on the lab exercises. The Kali VM in this lab environment needs a remote desktop environment installed and configured. Please complete the steps in the order outlined below.
Updating Kali Linux and Installing Desktop Environment
Launch PowerShell on your local machine and run the following command to connect to the Kali VM:
ssh svradmin@<Public IP Address of Azure Firewall>
<Type your password when prompted to login>
You can find the public IP of Azure Firewall in the Azure Portal under Resource Group --> SOC-NS-FW --> Public IP configuration
You can also use the PuTTY client on your local machine to connect to the Kali VM.
Once connected to the Kali VM with SSH, run the following command to update the Kali Linux distro:
sudo apt-get update
<Type your password when prompted>
If you get an error about Kali signatures being invalid upon running the above command, run the following commands to update the keys as the root user, and then run the abovementioned update command again:
Change user to root: sudo su root
Update the keys: wget -q -O - archive.kali.org/archive-key.asc | apt-key add
Once the Kali Linux distro is updated, run the following command to install and configure the remote desktop server on the Kali VM:
a. sudo apt-get install -y kali-desktop-xfce xorg xrdp
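The key-update step above pipes a download from a URL without https:// straight into root's APT trust store. As an added example (not part of the original tutorial or the lab deployment template), the script below fetches the key over HTTPS and installs it only if its fingerprint matches a value you supply. EXPECTED_FPR, the function names, the script file name and the sample listing are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): check the archive key's fingerprint
# before adding it to APT's trusted keys, instead of piping wget into apt-key.
# ASSUMPTION: EXPECTED_FPR is a placeholder; copy the real value from Kali's
# official documentation over a channel you trust.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_FINGERPRINT_PUBLISHED_BY_KALI}"
KEY_URL="https://archive.kali.org/archive-key.asc"   # HTTPS form of the page's URL

# Strip whitespace and upper-case, so "0123 4567 ..." and "01234567..." compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Reads `gpg --with-colons` output on stdin. Succeeds only when the listing holds
# exactly one primary key and its fingerprint (field 10 of the fpr record that
# follows the pub record) equals $1. Subkey fingerprints are ignored.
key_matches() {
  awk -F: -v want="$(normalize_fpr "$1")" '
    $1 == "pub" { pending = 1; next }
    $1 == "fpr" && pending { n++; if ($10 != want) bad = 1; pending = 0 }
    END { exit !(n == 1 && !bad) }'
}

# Download to a temp file, inspect without importing, install only on a match.
verify_and_install() {
  tmp_key=$(mktemp) || return 1
  status=1
  if wget -q -O "$tmp_key" "$KEY_URL" &&
     gpg --show-keys --with-colons "$tmp_key" | key_matches "$EXPECTED_FPR"; then
    apt-key add "$tmp_key" && status=0   # same tool the tutorial step uses
  else
    echo "archive key missing or fingerprint mismatch; nothing installed" >&2
  fi
  rm -f "$tmp_key"
  return "$status"
}

# Constructed sample listing (fake key material) for exercising key_matches offline.
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1700000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::::Constructed Example Key <key@example.invalid>::::::::::0:
sub:-:4096:1:1111111111111111:1700000000::::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:'

# Run as root (hypothetical file name):
#   EXPECTED_FPR="<published fingerprint>" ./verify-kali-key.sh --install
if [ "${1:-}" = "--install" ]; then
  verify_and_install
fi
```

With the placeholder left in place the script refuses to install anything, so a forgotten EXPECTED_FPR fails closed.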
Note: The lab deployment template has been updated with new Operating Systems and SKUs. The Kali Linux images are running on the latest version available in the Marketplace. The Windows 10 Virtual Machines have been updated to Windows 11 and the VM SKUs have been updated to Standard D2s v3 from Standard_B2s.