Azure WAF to protect your Web Application
Azure WAF is part of Azure Application Gateway and provides centralized protection of your web applications from common exploits and vulnerabilities.
I found that one simple and quick way to familiarise with Azure WAF is to use the Damn Vulnerable Web Application (DVWA)
This is a step by step demo guide to showcase the Azure Application Gateway WAF
This document will give you all the details you need to demo the WAF capabilities of an Azure Application Gateway and the Application Gateway Analytics Logs to review the WAF detention logs
The demo can be run from a windows or linux VM on your Azure subscription, fronted by an Application Gateway with WAF enabled and default OWASP 3.0 ruleset.
We will use the DVWA (Damn Vulnerable Web Application). This can be installed on a windows or linux VM. The following is for an ubuntu 16 image from the azure marketplace
As minimum you will need a VM running DWA, your local machine with a browser, an Azure Application Gateway and a Azure Log Analytics with Application Gateway analytics module installed
To enable Application Gateway analytics follow this guide: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-azure-networking-analytics
For general info about Azure WAF: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-web-application-firewall-overview
To install DVWA on an ubuntu VM follow these steps:https://blogs.technet.microsoft.com/positivesecurity/2017/06/01/setting-up-damn-vulnerable-web-app-dvwa-on-ubuntu-in-azure/
More information about DVWA: http://www.dvwa.co.uk/
Default username and password to access DVWA are admin/password
If any of the tests are not working or the DVWA is giving unusual responses then the first action is to enter the “Setup” menu and reset the MySQL database.
The best way to demo the WAF capabilities is to run the tests against the Fronted Public IP address on the App Gateway. The gateway will have WAF enabled as detection (or transparent mode) so the following vulnerabilities will succeed against DVWA but you can log into Application Gateway Analytics and show that Azure WAF is detecting these attacks and if it was enabled in prevention mode (or blocking mode) it would block
TEST CASE 1: COMMAND INJECTION
This shows remote code injection
Going to Log Analytics, Azure Diagnostics, Rule set OWASP and blocked
When WAF is on detection mode, look for ‘Warning, detected …’
TEST CASE 2: SQL INJECTION
SQL Injection vulnerability
Command = %' or 1='1
TEST CASE 3: XSS REFLECTED
Cross Site Scripting vulnerability