The second tutorial in this four-part series for Azure WAF protection and detection lab is the reconnaissance playbook. The purpose of the Azure WAF security protection lab is to demonstrate Azure WAF's capabilities in identifying and protecting against suspicious activities and potential attacks against your web applications. This playbook explains how to test Azure WAF's protections against a reconnaissance attack with emphasis on Azure WAF protection ruleset and logging capabilities. The lab does not include advanced application security concepts and is not intended to be a reference for application security testing as these areas are broader than the use cases demonstrated herein.
This playbook demonstrates the web application protection capabilities of Azure WAF against a simulated reconnaissance (recon) attack from common, real-world, publicly available hacking and attack tools.
In this tutorial you will:

Prerequisites: A completed Azure WAF security lab setup
Before an attacker can exploit a vulnerability, they will typically spend time researching their target web application, which involves collecting application-specific data and analyzing it for potential vulnerabilities. One of the methods for collecting sensitive security data to identify potential vulnerabilities in a web application is to use web application security vulnerability scanners. These scanners can analyze an application's response headers to identify potential vulnerabilities. Data collected with web application vulnerability scanners can reveal potential vulnerabilities that an attacker could then test, develop, and leverage for exploitation or exfiltration. Such reconnaissance activities also allow attackers to gain a thorough understanding and complete mapping of your application for later use.
One of the first things an attacker will attempt is to gain an extensive understanding of the application components, framework, and potential vulnerabilities in a target web application. The quickest, most common method of doing this is to use a commercial or open source web application vulnerability scanner (also called a security scanner) to run unauthenticated/unauthorized scans against a target. In this tutorial, you will run two web application vulnerability scans against the target web application: one directly against the application and one through the Azure WAF.
To run the web application vulnerability scans, we will connect to the Kali VM with RDP. Once connected, we will use Nikto, a versatile, command-line, open source web application vulnerability scanning tool which is bundled with the Kali Linux distribution. When pointed at the target web application, Nikto will scan the application for common vulnerabilities and display the scan output in the terminal window for quick review.
After the scans finish running, we can quickly review the results by looking at the highlighted lines in the figures below.
Figure 1 (Scan Start)
Figure 2 (Scan End)
! IMPORTANT: For the scenarios demonstrated in this document, the OWASP Juice Shop application was running on HTTP port 3000. This is not the case when you use the Azure WAF Attack Testing Lab Deployment Template, as it configures the application to run on ports 80 and 443 and assigns it a URL. For the lab tutorials, you will connect to the application on HTTP port 80 only. The URL for the application will be http://owaspdirect-<deployment guid>.azurewebsites.net, where <deployment guid> is unique to every deployment.
¹ Request count for http://owaspdirect-<deployment guid>.azurewebsites.net is taken from the baseline of scans for comparison.
Upon reviewing the Nikto scan outputs, we see the pattern shown in the table below. This clearly indicates that when going through the Azure WAF, the scanner is far less effective in assessing the web application and identifying potential vulnerabilities.
| Recon Scan Route | No. of Issues | No. of Items for Investigation |
|---|---|---|
| Direct | 2 | 167 |
| Through WAF | 0 | 3 |
Now let us use the Azure Monitor Workbook for WAF to understand how WAF handled traffic from the Nikto security scanner. This workbook visualizes security relevant WAF events across several filterable panels. It works with all WAF types, including Application Gateway, Front Door, and CDN, and can be filtered based on WAF type or a specific WAF instance.
Deploy the Azure Monitor Workbook for WAF to your subscription in Azure before continuing.
The workbook panels used to review the Nikto scan traffic are:
a. WAF actions filter
b. Top 40 Blocked Request URI addresses, filtered to a single URI address
c. Top 50 event triggers, filtered by rule name
d. Message, full details
WAF rule matches triggered by the Nikto scan, as reported by the workbook (Rule is the WAF log Message; count_ is the number of matching events):

| Rule | count_ |
|---|---|
| Found User-Agent associated with security scanner | 8906 |
| Request Missing an Accept Header | 8906 |
| GET or HEAD Request with Body Content. | 8860 |
| Node-Validator Blacklist Keywords | 4553 |
| SQL Injection Attack: Common Injection Testing Detected | 3354 |
| Found request filename/argument associated with security scanner | 2422 |
| Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link | 2418 |
| Possible Remote File Inclusion (RFI) Attack: URL Payload Used w/Trailing Question Mark Character (?) | 2355 |
| Detects basic SQL authentication bypass attempts 2/3 | 2249 |
| Detects MySQL comments, conditions and ch(a)r injections | 2233 |
| Path Traversal Attack (/../) | 1698 |
| OS File Access Attempt | 699 |
| Remote Command Execution: Unix Shell Code Found | 682 |
| XSS Attack Detected via libinjection | 667 |
| SQL Injection Attack: SQL Tautology Detected. | 641 |
| Possible XSS Attack Detected - HTML Tag Handler | 616 |
| XSS Filter - Category 1: Script Tag Vector | 616 |
| NoScript XSS InjectionChecker: HTML Injection | 616 |
| Detects classic SQL injection probings 2/3 | 455 |
| Invalid character in request (non printable characters) | 342 |
| Invalid character in request (null character) | 340 |
| SQL Injection Attack | 272 |
| Remote Command Execution: Unix Command Injection | 199 |
| SQL Comment Sequence Detected. | 197 |
| URL file extension is restricted by policy | 192 |
| Restricted File Access Attempt | 178 |
| SQL Hex Encoding Identified | 147 |
| Possible Remote File Inclusion (RFI) Attack: Common RFI Vulnerable Parameter Name used w/URL Payload | 136 |
| PHP Injection Attack: High-Risk PHP Function Call Found | 128 |
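As an added example that is not part of the original post, the two Log Analytics (KQL) queries below reproduce the workbook's per-rule breakdown from the raw WAF logs and flag a scanner burst from a single client. They assume the lab's Application Gateway WAF v2 sends its ApplicationGatewayFirewallLog diagnostics to a Log Analytics workspace (AzureDiagnostics table); the 2-hour window and the 500-matches-per-5-minutes threshold are assumed lab values.

```kusto
// Query 1: per-rule event counts, i.e. the "Rule / count_" table above.
// Message carries the CRS rule description, ruleId_s the rule number and
// action_s whether the request was Matched, Blocked or Detected.
AzureDiagnostics
| where TimeGenerated > ago(2h)                         // assumed: bracket the scan
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayFirewallLog"
| summarize count() by Message, ruleId_s
| order by count_ desc
| take 50

// Query 2: reconnaissance detection. The CRS scanner-detection rules
// ("Found User-Agent associated with security scanner", "Found request
// filename/argument associated with security scanner") firing repeatedly
// from one client IP in a short window is the signature of a tool like Nikto.
AzureDiagnostics
| where TimeGenerated > ago(2h)                         // assumed window
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayFirewallLog"
| where Message has "security scanner"
| summarize matches = count(),
            blocked = countif(action_s == "Blocked"),
            firstSeen = min(TimeGenerated),
            lastSeen = max(TimeGenerated),
            sampleUris = make_set(requestUri_s, 5)
    by clientIp_s, hostname_s, bin(TimeGenerated, 5m)
| where matches > 500                                   // assumed threshold for the lab
| order by matches desc
```

Run the queries separately; the second one is the shape you would turn into a Microsoft Sentinel or Azure Monitor alert rule, with the threshold tuned against your own baseline traffic.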
Using security scanners to perform web application vulnerability assessment scans that expose vulnerabilities in a target web application is a common technique used by attackers. When external adversaries can perform these scans against your web applications, they are able to learn about your application design and its vulnerabilities, which could potentially lead to exploitation.
For the web applications it fronts, Azure WAF can detect and protect against reconnaissance attacks executed with security scanners at the network edge, using its out-of-the-box ruleset.