Azure WAF
Eng Soon Cheah
Microsoft MVP
@cheahengsoon
Azure WAF?
A cloud-native web application firewall (WAF) service that provides powerful protection for web apps
Disadvantages of Hardware WAF
• Expensive
• Risk of false positives (legitimate requests blocked)
• Can be bypassed
Advantages of Cloud WAF
• Simple deployment and low maintenance cost
• Users do not need to update
• Can act as a CDN
Why Choose Azure WAF over other WAFs
Test Cases
• Command Execution
• Server-Side Includes (SSI) Injection
• SQL Injection
• Path Traversal
• Malformed XML Documents
• Cross Site Scripting
Demo
Create Azure WAF
Set Custom Rules
References
Cloud WAF Comparison
https://medium.com/fraktal/cloud-waf-comparison-using-real-world-attacks-acb21d37805e
My YouTube Channel
https://www.youtube.com/c/mvponduty

Editor's Notes

  1. "Azure Web Application Firewall (WAF) is a natively integrated, platform-managed service that provides protection for your web applications from common exploits and vulnerabilities. Web applications are increasingly the targets of varied types of attacks such as malicious bots, SQL injection attacks, and cross-site scripting attacks, which can result in website sabotage, exfiltration of sensitive data and application unavailability. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching, and monitoring at multiple layers of the application topology. A centralized web application firewall helps make security management much simpler and gives better assurance to application administrators against threats or intrusions. In addition, a WAF solution can react to a security threat faster by patching a known vulnerability at a central location, instead of securing each individual web application."
  2. Expensive: the hardware WAFs currently on the market are too expensive for small and medium-sized enterprises; one can easily cost hundreds of thousands or even millions. Risk of false positives: because a hardware WAF recognizes abnormal traffic through an attack rule library, in a complex business system there may be false positives that cause normal functions to be intercepted by the firewall and disrupt normal business. Can be bypassed: the hardware firewall parses the HTTP protocol by itself, which may be inconsistent with the web server's interpretation of the HTTP request, leading to a bypass.
  3. Simple deployment and low maintenance cost: this is also the most valuable and popular point of cloud WAF. There is no need to install any software or deploy any hardware devices; you only need to modify the DNS to bring the website within the protection range of the cloud WAF. Users do not need to update: cloud WAF protection rules all live in the cloud. When new vulnerabilities break out, the cloud provider is responsible for updating and maintaining the rules, and users do not need to worry about new types of vulnerability attacks slipping through due to negligence. Can act as a CDN: a cloud WAF not only provides protection, but also has CDN functions. While protecting the site, it can also speed up website access: the CDN distributes static resources to cloud nodes across the country, and when users access a resource they are directed to the nearest cloud node, increasing access speed.
  4. Azure WAF does more than defend the HTTP access of a website; it provides multi-layered protection for web applications. It protects against: command injection attacks, which exploit a web vulnerability to inject operating-system or platform commands into a web request in order to steal data or take control of a back-end server; SQL injection, which finds vulnerabilities in data query statements and uses the database's query code to steal or modify data in the database; cross-site scripting attacks, which use website vulnerabilities to attack users who visit the site and steal their login or authentication information; various HTTP protocol attacks, which exploit weaknesses in the HTTP protocol; bots, crawlers and scans, which use bots, crawlers and scanning tools to automatically harvest website data and automate attacks on websites; common application configuration errors (e.g. Apache, IIS, etc.), where configuration weaknesses in the web server or known bugs are exploited; and HTTPS attacks, which use SSL-encrypted packets to bypass network firewalls and ordinary WAFs.
  5. For testing the WAFs, we collected several real-world attacks and evasions. We launch these attacks over HTTP against a custom web server that keeps track of the requests that have passed the WAF. The test case collection contains the following groups, used for reporting the results (explanations adapted from owasp.org): Command execution: commands injected into an application through input can be used to compromise a system. Server-Side Includes (SSI) Injection: SSIs are directives present on web applications used to feed an HTML page with dynamic content. The Server-Side Includes attack allows the exploitation of a web application by injecting scripts into HTML pages or executing arbitrary code remotely. SQL Injection: the attack consists of the insertion or "injection" of a SQL query via the input data from the client to the application. Path Traversal: a path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. Malformed XML Documents: malformed documents can be used to consume resources or inject malicious commands. Cross Site Scripting (XSS): XSS attacks are a type of injection in which malicious scripts are injected from a malicious website into otherwise benign and trusted websites via a web browser. This collection of tests represents typical attacks targeted against websites. The test cases are not intended to represent business logic weaknesses or any other vulnerabilities where specific application logic would be exploited to a malicious end.
  6. Go to the Azure Portal, click "Create a resource", search for "WAF", select "Web Application Firewall" and click "Create".
  7. Azure WAF can be integrated with Front Door, Application Gateway and Azure CDN. I will use Front Door in my case; just give it a policy name.
  8. Set the mode to Prevention, that is, intercept mode, which blocks attacks. Detection mode only records logs and lets attacks pass through, pretending not to see them. Leave Block response body empty, or set a "friendly greeting" for the hacker.
  9. Several commonly used firewall rule sets provided by Microsoft are listed under Managed rules, and you can check the ones you need. They cover common SQL injection, XSS, Windows and Linux remote command execution, PHP injection, malicious bots, etc. Imagine how much time it would take to write code that fully defends against these attacks if there were no WAF. With Azure, you only need a few mouse clicks to complete the configuration.
  10. Custom rules allow us to set firewall rules not provided by Microsoft; we will introduce them later. These rules, along with Managed rules, can be changed after the WAF is created. Since this WAF policy was set to Front Door in the first step, we need to associate it with the domain name in Front Door. Finally, click Review + Create to complete the WAF creation. If the Front Door is successfully associated, wait about 5 minutes for the WAF to take effect.
  11. Azure WAF allows users to customize firewall rules very flexibly. For example, my blog is not written in PHP, so a request for .php is usually from a hacker's scanning tool. I want to block .php requests, so I can add a custom rule that finds requests whose URL ends in .php and blocks them. As for hacker scanning tools, I didn't make up a fake one; I can show you a practical case. This website was frequently scanned by hacker tools. After moving to Azure, Application Insights was able to detect this large number of 404 requests in a short time:
  12. I found that almost all failures during this period were 404s. In fact, the website could be accessed normally during this time.
  13. Drilling into the report, I can see that these 404 requests are hacker tools probing for common PHP system vulnerabilities.
  14. And also a few SQL injection attempts:
  15. In fact, the managed rules of Azure WAF can prevent most of these scans, but if you want to implement custom rules you can, for example, block all .php requests. Go to Azure WAF, Custom rules, and add a custom rule.
  16. Specify a name, such as BlockPHPExtension, and set the Rule type to Match.
  17. To match all requests ending in .php, we can set the rule as follows.
  18. After saving the rule, wait about 5 minutes and try to access a URL ending in .php. It will result in a 403 error.
  19. The response header also indicates that the request was blocked by Azure WAF, with an x-azure-ref header that can be used to investigate the firewall log.
  20. Custom rules also support combinations of multiple conditions, for example blocking or only allowing requests from certain countries and regions, blocking a large number of requests in a short time (Rate limit), blocking oversized requests (Size), and so on.
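The 404 burst described in notes 11 to 14 is the kind of evidence that justifies a custom rule. The following Python script is an added example, not tooling from the slides or from Azure: it parses constructed access-log lines in Common Log Format, finds clients that produce many 404s inside a sliding time window, and profiles which file extensions they probed, which is how one would confirm that a non-PHP site is being hit by PHP scanners before writing a rule against .php. The log lines, client addresses, window length and threshold are all constructed values.

```python
"""Triage of a 404 burst in a web access log (added example, not the slides' own tooling).

The log lines below are constructed, in Common Log Format. The code groups 404
responses per client address in a sliding time window, flags clients that look
like automated scanners, and profiles the file extensions they probed, which is
the evidence behind a "block .php on a non-PHP site" custom rule.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

CLF = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one noisy client probing PHP paths, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.5 - - [10/Mar/2021:10:00:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 153
203.0.113.5 - - [10/Mar/2021:10:00:02 +0000] "GET /admin.php HTTP/1.1" 404 153
203.0.113.5 - - [10/Mar/2021:10:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153
203.0.113.5 - - [10/Mar/2021:10:00:04 +0000] "GET /config.php.bak HTTP/1.1" 404 153
203.0.113.5 - - [10/Mar/2021:10:00:05 +0000] "GET /wp-content/plugins/hello.php?v=1 HTTP/1.1" 404 153
198.51.100.9 - - [10/Mar/2021:10:00:07 +0000] "GET /posts/azure-waf HTTP/1.1" 200 8120
198.51.100.9 - - [10/Mar/2021:10:00:09 +0000] "GET /old-link HTTP/1.1" 404 153
198.51.100.9 - - [10/Mar/2021:10:01:30 +0000] "GET /feed.xml HTTP/1.1" 200 2048
"""


def parse_log(text):
    """Parse CLF lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": urlsplit(m["target"]).path,   # query string dropped for profiling
            "status": int(m["status"]),
        })
    return events


def extension(path):
    """File extension of the last path segment, lower-cased, or '(none)'."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else "(none)"


def find_scanners(events, window_seconds=60, threshold=5):
    """Clients with at least `threshold` 404s inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == 404:
            by_ip[e["ip"]].append(e)
    report = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the window spans at most window_seconds.
            while (hits[end]["ts"] - hits[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                ext = Counter(extension(h["path"]) for h in hits)
                report[ip] = {
                    "count404": len(hits),
                    "top_ext": ext.most_common(1)[0][0],
                    "paths": [h["path"] for h in hits],
                }
                break
    return report


if __name__ == "__main__":
    for ip, info in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['count404']} x 404, mostly .{info['top_ext']}")
        for p in info["paths"]:
            print("   ", p)
```

The visitor at 198.51.100.9 has a single 404 (a stale link) and is not reported; the client at 203.0.113.5 is, with "php" as its dominant extension. On a real site the window and threshold should be tuned against a period of known-good traffic so that a crawler following broken links is not mistaken for a scanner.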
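Notes 8 and 15 to 20 describe the custom rule (URL ends with .php, action Block), the Prevention versus Detection modes, and the rate-limit and geo conditions. The Python below is an added example, not Azure code: it models how a list of custom rules in the shape Azure Front Door uses (name, priority, ruleType, matchConditions with matchVariable, operator, matchValue and transforms) is evaluated against a stream of requests, so a rule can be reasoned about offline before it is deployed. The rule values, the request stream and the country code "ZZ" are constructed, and the model assumes RequestUri carries the path together with the query string; check that assumption against the documentation of the variable you actually use.

```python
"""Offline model of Azure WAF custom-rule evaluation (added example, not Azure code).

Rules use the same field names as Azure Front Door custom rules. The rule values
and the request stream in run_sample() are constructed; "ZZ" is a placeholder
country code. RequestUri is modeled as path plus query string (an assumption).
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network
from urllib.parse import unquote


def apply_transforms(value, transforms):
    """Apply the WAF string transforms in the order listed on the condition."""
    for t in transforms:
        if t == "Lowercase":
            value = value.lower()
        elif t == "Uppercase":
            value = value.upper()
        elif t == "Trim":
            value = value.strip()
        elif t == "UrlDecode":
            value = unquote(value)
        elif t == "RemoveNulls":
            value = value.replace("\x00", "")
    return value


OPERATORS = {
    "EndsWith": lambda v, m: v.endswith(m),
    "BeginsWith": lambda v, m: v.startswith(m),
    "Contains": lambda v, m: m in v,
    "Equal": lambda v, m: v == m,
    "GeoMatch": lambda v, m: v == m,                                  # v is a country code
    "IPMatch": lambda v, m: ip_address(v) in ip_network(m, strict=False),
}


def extract(request, cond):
    """Pull the value a matchVariable refers to out of one request record."""
    name = cond["matchVariable"]
    if name == "RequestUri":
        return request["uri"]                     # modeled as path plus query string
    if name == "RemoteAddr":
        return request["country"] if cond["operator"] == "GeoMatch" else request["ip"]
    if name == "RequestHeader":
        return request.get("headers", {}).get(cond["selector"], "")
    raise ValueError(f"matchVariable {name} is not modeled here")


def condition_matches(request, cond):
    value = apply_transforms(extract(request, cond), cond.get("transforms", []))
    hit = any(OPERATORS[cond["operator"]](value, m) for m in cond["matchValue"])
    return hit != cond.get("negateCondition", False)


class WafPolicy:
    def __init__(self, rules, mode="Prevention"):
        self.rules = sorted(rules, key=lambda r: r["priority"])  # lowest priority value first
        self.mode = mode
        self.windows = defaultdict(deque)  # (rule name, client ip) -> recent request timestamps

    def evaluate(self, request):
        """Return the effective action for one request: Allow, Block or Log."""
        for rule in self.rules:
            if rule.get("enabledState", "Enabled") != "Enabled":
                continue
            if not all(condition_matches(request, c) for c in rule["matchConditions"]):
                continue
            if rule["ruleType"] == "RateLimitRule":
                # Count this client's matching requests inside the sliding window;
                # requests already blocked by an earlier rule never reach this counter.
                window = self.windows[(rule["name"], request["ip"])]
                window.append(request["ts"])
                span = rule["rateLimitDurationInMinutes"] * 60
                while window and request["ts"] - window[0] >= span:
                    window.popleft()
                if len(window) <= rule["rateLimitThreshold"]:
                    continue
            if self.mode == "Detection" and rule["action"] == "Block":
                return "Log"   # detection mode records the hit and lets the request through
            return rule["action"]
        return "Allow"


CUSTOM_RULES = [
    {"name": "BlockPHPExtension", "priority": 100, "ruleType": "MatchRule", "action": "Block",
     "matchConditions": [{"matchVariable": "RequestUri", "operator": "EndsWith",
                          "matchValue": [".php"], "transforms": ["Lowercase"]}]},
    {"name": "RateLimitPerClient", "priority": 200, "ruleType": "RateLimitRule", "action": "Block",
     "rateLimitDurationInMinutes": 1, "rateLimitThreshold": 3,
     "matchConditions": [{"matchVariable": "RemoteAddr", "operator": "IPMatch",
                          "matchValue": ["0.0.0.0/0"]}]},
    {"name": "BlockRegion", "priority": 300, "ruleType": "MatchRule", "action": "Block",
     "matchConditions": [{"matchVariable": "RemoteAddr", "operator": "GeoMatch",
                          "matchValue": ["ZZ"]}]},
]


def run_sample(mode="Prevention"):
    """Replay a constructed request stream (ts in seconds) and return (uri, action) pairs."""
    policy = WafPolicy(CUSTOM_RULES, mode)
    stream = [
        (0, "198.51.100.7", "XA", "/index.html"),
        (1, "198.51.100.7", "XA", "/wp-login.php"),     # blocked by BlockPHPExtension
        (2, "198.51.100.7", "XA", "/ADMIN.PHP"),        # still blocked thanks to Lowercase
        (3, "198.51.100.7", "XA", "/index.php?x=1"),    # EndsWith sees the query string: not blocked
        (4, "198.51.100.7", "XA", "/feed"),
        (5, "198.51.100.7", "XA", "/search"),           # 4th request in 60 s: rate limited
        (6, "203.0.113.9", "ZZ", "/about"),             # blocked by BlockRegion
        (70, "198.51.100.7", "XA", "/index.html"),      # window has expired: allowed again
    ]
    return [(uri, policy.evaluate({"ts": ts, "ip": ip, "country": cc, "uri": uri}))
            for ts, ip, cc, uri in stream]


if __name__ == "__main__":
    for uri, action in run_sample():
        print(f"{action:5} {uri}")
```

Two things the replay shows that the portal screenshots do not: the Lowercase transform is what makes the .php rule catch /ADMIN.PHP, and an EndsWith rule does not cover a request that carries a query string when the matched variable includes it, so the rule should be tested against real requests from the WAF log rather than only against the bare path. Running the same stream with mode="Detection" turns every Block into a Log entry, which is the behaviour note 8 warns about.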