This tutorial shows how to deploy and configure the lab environment to test and validate protection and detection capabilities of Azure WAF.

Tutorial: Setup an Azure WAF Security Protection and Detection Lab

The purpose of the Azure WAF security protection and detection lab tutorial is to demonstrate Azure Web Application Firewall (WAF) capabilities in identifying, detecting, and protecting against suspicious activities and potential attacks against your Web Applications.  This first tutorial in a four-part series walks you through creating a lab environment for testing against Azure WAF's protections.  This lab focuses on the OWASP protection ruleset and logging capabilities of Azure WAF.  The lab does not include advanced application security concepts and is not intended to be a reference for application security testing as these areas are broader than the use cases demonstrated herein.  For more information about each tutorial in this series, refer to the previous section, Tutorial Overview.

In this tutorial you will:

\n
1. Deploy a demo test environment in Azure
\n
2. Deploy Azure Monitor Workbook for WAF
\n
3. Enable desktop environment on Linux VM
\n
4. Create host file entries to resolve host names
\n

Prerequisites

\n
1. An Azure subscription to deploy the Azure WAF Attack Testing Lab Environment Deployment Template
   \n
   \n
   • Do not have an Azure subscription? Create a free account
   \n
   \n
\n
2. A Log Analytics workspace to send all diagnostic logs\n
   \n
   • Azure Monitor Workbook for WAF deployed to the same workspace
   \n
   \n
\n
3. Familiarity with Azure Application Gateway WAF
\n

Deployment Steps

\n
1. Click here to deploy the lab environment to your Azure subscription
\n
2. Click here to deploy the Azure Monitor Workbook for WAF to your Azure subscription
\n

\n
• Tip:  For more information, refer to the detailed deployment instructions here - Deploying Network security demo environment\n
  \n
  • Please refer to the above document for deployment instructions only and do not use the deployment template linked in it.  The deployment template used in these lab tutorials is different from the one used in the deployment instructions document
  \n
  \n
\n

Recommendations

We recommend using the Azure WAF Attack Testing Lab Environment Deployment Template as it already contains all the components needed for this lab including a customized version of the OWASP Juice Shop application.  The closer your lab is to the suggested lab setup, the easier it will be to follow the Azure WAF testing procedures.  After deployment and minimum configuration steps, you will be ready to perform actions with the suggested hacking research tools and review Azure WAF's protections against those malicious actions. 

When using the Azure WAF Attack Testing Lab Environment Deployment Template, additional resources such as VMs and Azure Front Door will be deployed.  The below diagram represents resources in the environment which are utilized in this lab.  The resources which are not used in this lab have been grayed out (VMs, Azure Front Door, DDoS Protection).

! IMPORTANT:  This environment will be used as the baseline for the remainder of this document and the tutorial

In this setup, traffic from the attacker machine (Kali VM) will be routed to the internet through the Azure Firewall.  Successful attack path is one where malicious data is sent directly by the attacker to the OWASP Juice Shop web application leading to successful exploitation.  Attack path defended by WAF represents the path where malicious data is inspected by Azure WAF (on Azure Application Gateway) and blocked with its out of the box ruleset before it reaches the web application.

You can also use a preexisting environment for this lab.  For completing these tutorials, your environment must have the following key components:

\n
1. An instance of the customized OWASP Juice Shop web application with an internet accessible endpoint
\n
2. An instance of Application Gateway with Azure WAF which publishes the OWASP Juice Shop web application to the internet
\n
3. An attacker machine (VM) with common hacking tools and internet connectivity.  We use Kali Linux as the attacker VM
\n

If manually deploying the components required for this tutorial, your complete lab setup should look as similar as possible to the following diagram:

Resources

The below table details the resources needed from all resources deployed with the Azure WAF Attack Testing Lab Environment Deployment Template. 

! IMPORTANT:  For the scenarios demonstrated in this document, OWASP Juice Shop application was running on HTTP port 3000.  This is not the case when you use the Azure WAF Attack Testing Lab Environment Deployment Template as it configures the application to run on port 80, 443 and assigns it a URL.  For the lab tutorials, you will connect to the application on HTTP port 80 only.  The URL for the application will be http://owaspdirect-<deployment guid>.azurewebsites.net.  

\n
• Tip: As it is a security best practice, we strongly recommend that you change the default lab password after deployment
\n

Configuration

Additional configuration is required on the Kali Linux VM before getting started on the lab exercises.  The Kali VM in this lab environment needs remote desktop environment installed and configured.  Please complete the steps in the order outlined below.

Updating Kali Linux and Installing Desktop Environment

\n
1. Launch PowerShell on your local machine and run the following command to connect to the Kali VM
\n

ssh svradmin@<Public IP Address of Azure Firewall> 

<Type your password when prompted to login>

\n
• Tips: \n
  \n
  • You can find the public IP of Azure Firewall in the Azure Portal under Resource Group --> SOC-NS-FW --> Public IP configuration
  \n
  • You can also use Putty client on your local machine to connect to the Kali VM
  \n
  \n
\n

\n
1. Once connected to the Kali VM with SSH, run the following command to update the Kali Linux distro
\n

sudo apt-get update

<Type your password when prompted>

\n
• Tip: \n
  \n
  • If you get an error about Kali Signatures being invalid upon running the above command, run the following commands to update the keys as root user and then run the abovementioned update command again
    
    Change user to root:  sudo su root
    Update the keys:  wget -q -O - archive.kali.org/archive-key.asc | apt-key add
  \n
  \n
\n

\n
1. Once the Kali Linux distro is updated, run the following command to install and configure the remote desktop server on the Kali VM
\n

a. sudo apt-get install -y kali-desktop-xfce xorg xrdp

b. sudo systemctl enable xrdp

c. echo xfce4-session >~/.xsession

d. sudo service xrdp restart

\n
• Tip:  For more information, refer to the step by step instructions to Install Desktop Environment on Linux VMs - Install and configure Remote Desktop to connect to a Linux VM in Azure 
\n

\n
1. Upon completing the abovementioned steps, you should be able to connect to the Kali VM over RDP on port 33892 
\n

a. Connect to the Kali VM over RDP by using the following IP address and port combination

<Public IP Address of Azure Firewall>:33892 

b. When prompted to choose the setup for the first startup, click to select “Use default config”

c. You can now close your SSH session to the Kali VM by typing “exit” in the SSH session running in PowerShell

\n
1. Create an entry in the HOSTS file on Kali VM to map a name to the Public IP address of the OWASP Juice Shop site published on Application Gateway
\n

a. Launch Terminal and run the following command

sudo nano /etc/hosts

<Type your password when prompted>

b. Create the following entry

c. Save the hosts file and exit

Use Ctrl+S to save and Ctrl+X to exit

\n
• Tip:  You can find public IP of the Application Gateway in the Azure Portal under Resource Group --> SOC-NS-AG-WAFv2 --> Frontend Public IP address
\n

Next Steps

Before proceeding to the next tutorial, take a few mins to review the following

\n
1. OWASP Juice Shop publishing rule on Application Gateway
\n
2. Web Application Firewall configuration on Application Gateway
\n
3. Test connectivity to the OWASP Juice Shop website when accessing the application directly and when going to it through the Application Gateway
\n

\n
• Tip:  You can find the public URL of the deployed Juice Shop app in the Azure Portal under Resource Group -->  owaspdirect-<guid> --> URL
\n

Note: The lab deployment template has been updated with new Operating Systems and SKUs. The Kali Linux images are running on the latest version available in the Marketplace. The Windows 10 Virtual Machines have been updated to Windows 11 and the VM SKUs have been updated to Standard D2s v3 from Standard_B2s.

Tutorial: Setup an Azure WAF Security Protection and Detection Lab

The purpose of the Azure WAF security protection and detection lab tutorial is to demonstrate Azure Web Application Firewall (WAF) capabilities in identifying, detecting, and protecting against suspicious activities and potential attacks against your Web Applications.  This first tutorial in a four-part series walks you through creating a lab environment for testing against Azure WAF's protections.  This lab focuses on the OWASP protection ruleset and logging capabilities of Azure WAF.  The lab does not include advanced application security concepts and is not intended to be a reference for application security testing as these areas are broader than the use cases demonstrated herein.  For more information about each tutorial in this series, refer to the previous section, Tutorial Overview.

In this tutorial you will:

\n
1. Deploy a demo test environment in Azure
\n
2. Deploy Azure Monitor Workbook for WAF
\n
3. Enable desktop environment on Linux VM
\n
4. Create host file entries to resolve host names
\n

Prerequisites

\n
1. An Azure subscription to deploy the Azure WAF Attack Testing Lab Environment Deployment Template
   \n
   \n
   • Do not have an Azure subscription? Create a free account
   \n
   \n
\n
2. A Log Analytics workspace to send all diagnostic logs\n
   \n
   • Azure Monitor Workbook for WAF deployed to the same workspace
   \n
   \n
\n
3. Familiarity with Azure Application Gateway WAF
\n

Deployment Steps

\n
1. Click here to deploy the lab environment to your Azure subscription
\n
2. Click here to deploy the Azure Monitor Workbook for WAF to your Azure subscription
\n

\n
• Tip:  For more information, refer to the detailed deployment instructions here - Deploying Network security demo environment\n
  \n
  • Please refer to the above document for deployment instructions only and do not use the deployment template linked in it.  The deployment template used in these lab tutorials is different from the one used in the deployment instructions document
  \n
  \n
\n

Recommendations

We recommend using the Azure WAF Attack Testing Lab Environment Deployment Template as it already contains all the components needed for this lab including a customized version of the OWASP Juice Shop application.  The closer your lab is to the suggested lab setup, the easier it will be to follow the Azure WAF testing procedures.  After deployment and minimum configuration steps, you will be ready to perform actions with the suggested hacking research tools and review Azure WAF's protections against those malicious actions. 

When using the Azure WAF Attack Testing Lab Environment Deployment Template, additional resources such as VMs and Azure Front Door will be deployed.  The below diagram represents resources in the environment which are utilized in this lab.  The resources which are not used in this lab have been grayed out (VMs, Azure Front Door, DDoS Protection).

! IMPORTANT:  This environment will be used as the baseline for the remainder of this document and the tutorial

In this setup, traffic from the attacker machine (Kali VM) will be routed to the internet through the Azure Firewall.  Successful attack path is one where malicious data is sent directly by the attacker to the OWASP Juice Shop web application leading to successful exploitation.  Attack path defended by WAF represents the path where malicious data is inspected by Azure WAF (on Azure Application Gateway) and blocked with its out of the box ruleset before it reaches the web application.

You can also use a preexisting environment for this lab.  For completing these tutorials, your environment must have the following key components:

\n
1. An instance of the customized OWASP Juice Shop web application with an internet accessible endpoint
\n
2. An instance of Application Gateway with Azure WAF which publishes the OWASP Juice Shop web application to the internet
\n
3. An attacker machine (VM) with common hacking tools and internet connectivity.  We use Kali Linux as the attacker VM
\n

If manually deploying the components required for this tutorial, your complete lab setup should look as similar as possible to the following diagram:

Resources

The below table details the resources needed from all resources deployed with the Azure WAF Attack Testing Lab Environment Deployment Template. 

! IMPORTANT:  For the scenarios demonstrated in this document, OWASP Juice Shop application was running on HTTP port 3000.  This is not the case when you use the Azure WAF Attack Testing Lab Environment Deployment Template as it configures the application to run on port 80, 443 and assigns it a URL.  For the lab tutorials, you will connect to the application on HTTP port 80 only.  The URL for the application will be http://owaspdirect-<deployment guid>.azurewebsites.net.  

\n
• Tip: As it is a security best practice, we strongly recommend that you change the default lab password after deployment
\n

Configuration

Additional configuration is required on the Kali Linux VM before getting started on the lab exercises.  The Kali VM in this lab environment needs remote desktop environment installed and configured.  Please complete the steps in the order outlined below.

Updating Kali Linux and Installing Desktop Environment

\n
1. Launch PowerShell on your local machine and run the following command to connect to the Kali VM
\n

ssh svradmin@<Public IP Address of Azure Firewall> 

<Type your password when prompted to login>

\n
• Tips: \n
  \n
  • You can find the public IP of Azure Firewall in the Azure Portal under Resource Group --> SOC-NS-FW --> Public IP configuration
  \n
  • You can also use Putty client on your local machine to connect to the Kali VM
  \n
  \n
\n

\n
1. Once connected to the Kali VM with SSH, run the following command to update the Kali Linux distro
\n

sudo apt-get update

<Type your password when prompted>

\n
• Tip: \n
  \n
  • If you get an error about Kali Signatures being invalid upon running the above command, run the following commands to update the keys as root user and then run the abovementioned update command again
    
    Change user to root:  sudo su root
    Update the keys:  wget -q -O - archive.kali.org/archive-key.asc | apt-key add
  \n
  \n
\n

\n
1. Once the Kali Linux distro is updated, run the following command to install and configure the remote desktop server on the Kali VM
\n

a. sudo apt-get install -y kali-desktop-xfce xorg xrdp

b. sudo systemctl enable xrdp

c. echo xfce4-session >~/.xsession

d. sudo service xrdp restart

\n
• Tip:  For more information, refer to the step by step instructions to Install Desktop Environment on Linux VMs - Install and configure Remote Desktop to connect to a Linux VM in Azure 
\n

\n
1. Upon completing the abovementioned steps, you should be able to connect to the Kali VM over RDP on port 33892 
\n

a. Connect to the Kali VM over RDP by using the following IP address and port combination

<Public IP Address of Azure Firewall>:33892 

b. When prompted to choose the setup for the first startup, click to select “Use default config”

c. You can now close your SSH session to the Kali VM by typing “exit” in the SSH session running in PowerShell

\n
1. Create an entry in the HOSTS file on Kali VM to map a name to the Public IP address of the OWASP Juice Shop site published on Application Gateway
\n

a. Launch Terminal and run the following command

sudo nano /etc/hosts

<Type your password when prompted>

b. Create the following entry

c. Save the hosts file and exit

Use Ctrl+S to save and Ctrl+X to exit

\n
• Tip:  You can find public IP of the Application Gateway in the Azure Portal under Resource Group --> SOC-NS-AG-WAFv2 --> Frontend Public IP address
\n

Next Steps

Before proceeding to the next tutorial, take a few mins to review the following

\n
1. OWASP Juice Shop publishing rule on Application Gateway
\n
2. Web Application Firewall configuration on Application Gateway
\n
3. Test connectivity to the OWASP Juice Shop website when accessing the application directly and when going to it through the Application Gateway
\n

\n
• Tip:  You can find the public URL of the deployed Juice Shop app in the Azure Portal under Resource Group -->  owaspdirect-<guid> --> URL
\n

Note: The lab deployment template has been updated with new Operating Systems and SKUs. The Kali Linux images are running on the latest version available in the Marketplace. The Windows 10 Virtual Machines have been updated to Windows 11 and the VM SKUs have been updated to Standard D2s v3 from Standard_B2s.

This tutorial shows how to deploy and configure the lab environment to test and validate protection and detection capabilities of Azure WAF.

Well explained, just deployed my first WAF Lab using your template!

Hi Alexandre_Leite_Lopes 

The Kali Linux image has been updated. You can use the steps listed in the blog to enable RDP on the Kali VM.

If you are using Kali Linux to learn or in a non-commercial manner, please let me know.. We (Ntegral) have a Kali Linux VM available in the Azure Marketplace.  For educators and students, we are currently providing private offers with education discounted rate.  Let me know if you are interested in using it.  It's configured to work with RDP out of the box.

Hi Alexandre_Leite_Lopes

The Kali Linux image in the template is out of date, you can currently deploy an updated image directly from marketplace and target the deployment to the Kali subnet (SPOKE1-SUBNET2).

Once the new Kali image is deployed in the same subnet, update the DNAT rules (Kali-SSH and Kali-RDP) on the firewall policy and ensure the translated IP address is the private IP address of the new Kali VM on both rules. We are working to update the template with a newer Kali Linux image.

Dean_GrossHow did you solve your error? I´ve been stuck in the same error for the last few days... Can you help me, please?

Thank you for the feedback Dean_Gross.  We have added the command to change the user to root before attempting to update the Kali keys in the document.  

After running step 3.a above, I get the following error:
Unpacking libc6:amd64 (2.33-6) over (2.28-8) ...
Setting up libc6:amd64 (2.33-6) ...
/usr/bin/perl: error while loading shared libraries: libcrypt.so.1: cannot open shared object file: No such file or directory
dpkg: error processing package libc6:amd64 (--configure):
installed libc6:amd64 package post-installation script subprocess returned error exit status 127
Errors were encountered while processing:
libc6:amd64
/usr/bin/perl: error while loading shared libraries: libcrypt.so.1: cannot open shared object file: No such file or directory

Unfortunately, I have no idea what type of consequences these have
E: Sub-process /usr/bin/dpkg returned an error code (1)
E: Problem executing scripts DPkg::Post-Invoke '[ ! -x /usr/share/kali-menu/update-kali-menu ] || /usr/share/kali-menu/update-kali-menu wait_dpkg'
E: Sub-process returned an error code

Mohit_Kumar when I tried to run the command in the Tip section, I got an error that it could only be run as root, but using the exact steps from linoRS did work

Mohit_Kumar  thanks for the quick reply, yeah hopefully it helps someone else 😉 no inconvenience caused just a little troubleshooting to make things work.

linoRS Thank you for the feedback.  We have added the command to update the Kali keys to the document.  Apologies for the inconvenience.