The purpose of the Azure WAF security protection and detection lab tutorial is to demonstrate Azure Web Application Firewall (WAF) capabilities in identifying, detecting, and protecting against suspicious activities and potential attacks against your Web Applications. This first tutorial in a four-part series walks you through creating a lab environment for testing against Azure WAF's protections. This lab focuses on the OWASP protection ruleset and logging capabilities of Azure WAF. The lab does not include advanced application security concepts and is not intended to be a reference for application security testing as these areas are broader than the use cases demonstrated herein. For more information about each tutorial in this series, refer to the previous section, Tutorial Overview.
In this tutorial you will:
We recommend using the Azure WAF Attack Testing Lab Environment Deployment Template as it already contains all the components needed for this lab including a customized version of the OWASP Juice Shop application. The closer your lab is to the suggested lab setup, the easier it will be to follow the Azure WAF testing procedures. After deployment and minimum configuration steps, you will be ready to perform actions with the suggested hacking research tools and review Azure WAF's protections against those malicious actions.
When using the Azure WAF Attack Testing Lab Environment Deployment Template, additional resources such as VMs and Azure Front Door will be deployed. The below diagram represents resources in the environment which are utilized in this lab. The resources which are not used in this lab have been grayed out (VMs, Azure Front Door, DDoS Protection).
! IMPORTANT: This environment will be used as the baseline for the remainder of this document and the tutorial
In this setup, traffic from the attacker machine (Kali VM) is routed to the internet through the Azure Firewall. The successful attack path is the one where malicious data is sent directly by the attacker to the OWASP Juice Shop web application, leading to successful exploitation. The attack path defended by WAF is the one where malicious data is inspected by Azure WAF (on Azure Application Gateway) and blocked by its out-of-the-box ruleset before it reaches the web application.
You can also use a preexisting environment for this lab. For completing these tutorials, your environment must have the following key components:
If manually deploying the components required for this tutorial, your complete lab setup should look as similar as possible to the following diagram:
The below table details the resources needed from all resources deployed with the Azure WAF Attack Testing Lab Environment Deployment Template.
| Resource | Name | IP Address Type | Purpose |
|---|---|---|---|
| Virtual Machine | VM-Kali | Private only | Attacker VM (Kali Linux) with preinstalled vulnerability and penetration testing tools |
| Firewall | SOC-NS-FW | Private & Public | Azure Firewall for outbound and inbound traffic restrictions and inspection |
| Azure WAF on Application Gateway | SOC-NS-AG-WAFv2 | Private & Public | Azure Web Application Firewall preventing threats to the OWASP web application published through Application Gateway |
| OWASP WebApp | owaspdirect-<deployment guid>.azurewebsites.net | Public only | OWASP Juice Shop Application. An open source web application with built-in security vulnerabilities and CTF challenges |
! IMPORTANT: For the scenarios demonstrated in this document, the OWASP Juice Shop application was running on HTTP port 3000. This is not the case when you use the Azure WAF Attack Testing Lab Environment Deployment Template, as it configures the application to run on ports 80 and 443 and assigns it a URL. For the lab tutorials, you will connect to the application on HTTP port 80 only. The URL for the application will be http://owaspdirect-<deployment guid>.azurewebsites.net.
Additional configuration is required on the Kali Linux VM before getting started on the lab exercises. The Kali VM in this lab environment needs remote desktop environment installed and configured. Please complete the steps in the order outlined below.
ssh svradmin@<Public IP Address of Azure Firewall>
<Type your password when prompted to login>
sudo apt-get update
<Type your password when prompted>
a. sudo apt-get install -y kali-desktop-xfce xorg xrdp
b. sudo systemctl enable xrdp
c. echo xfce4-session >~/.xsession
d. sudo service xrdp restart
a. Connect to the Kali VM over RDP by using the following IP address and port combination
<Public IP Address of Azure Firewall>:33892
b. When prompted to choose the setup for the first startup, click to select “Use default config”
c. You can now close your SSH session to the Kali VM by typing “exit” in the SSH session running in PowerShell
a. Launch Terminal and run the following command
sudo nano /etc/hosts
<Type your password when prompted>
b. Create the following entry
c. Save the hosts file and exit
Use Ctrl+S to save and Ctrl+X to exit
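A post-setup check for the Kali VM steps above, as an added example that is not part of the original tutorial or the deployment template. The function names are this example's own, and it assumes xrdp listens on its stock port 3389 behind the firewall's 33892 mapping; run it on the Kali VM with the `--run` argument.

```bash
#!/usr/bin/env bash
# Added example: post-setup checks for the Kali VM steps above.
# Function names are this example's own. Port 3389 is xrdp's stock listener;
# that the firewall forwards 33892 to it is an assumption, not stated on the page.

# Return 0 if the named Debian package is installed.
pkg_installed() {
    command -v dpkg-query >/dev/null 2>&1 || return 1
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q '^install ok installed$'
}

# Return 0 if the session file launches Xfce (the echo step above).
xsession_ok() {
    [ -f "$1" ] && grep -qx '[[:space:]]*xfce4-session[[:space:]]*' "$1"
}

# Return 0 if the xrdp unit is enabled at boot (the systemctl step above).
xrdp_enabled() {
    command -v systemctl >/dev/null 2>&1 || return 1
    [ "$(systemctl is-enabled xrdp 2>/dev/null)" = "enabled" ]
}

# Return 0 if `ss -ltn` output given as $1 shows a TCP listener on port $2.
port_listening() {
    printf '%s\n' "$1" |
        awk -v p=":$2" '$1 == "LISTEN" && $4 ~ (p "$") { f = 1 } END { exit !f }'
}

# Run every check, print one line per result, return non-zero on any failure.
run_checks() {
    rc=0
    for p in kali-desktop-xfce xorg xrdp; do
        if pkg_installed "$p"; then echo "ok   package $p"
        else echo "FAIL package $p missing"; rc=1; fi
    done
    if xrdp_enabled; then echo "ok   xrdp enabled at boot"
    else echo "FAIL xrdp not enabled"; rc=1; fi
    if xsession_ok "$HOME/.xsession"; then echo "ok   ~/.xsession starts Xfce"
    else echo "FAIL ~/.xsession missing or wrong"; rc=1; fi
    if port_listening "$(ss -ltn 2>/dev/null)" 3389; then echo "ok   xrdp listening"
    else echo "FAIL nothing listening on tcp/3389"; rc=1; fi
    return "$rc"
}

# Checks run only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then run_checks; fi
```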
Before proceeding to the next tutorial, take a few minutes to review the following
Previous: Tutorial Overview | Next: Reconnaissance Playbook
Note: The lab deployment template has been updated with new Operating Systems and SKUs. The Kali Linux images are running on the latest version available in the Marketplace. The Windows 10 Virtual Machines have been updated to Windows 11 and the VM SKUs have been updated to Standard D2s v3 from Standard_B2s.