Uploaded by trinhnguyet, posted 04-Jun-2018


ASC Playbook: Protect Servers with Web App Firewall

Version 1.0 Final

Author: Andrew Harris, Sr Program Manager, C+E Security CxP (@ciberesponce)

Contributed by: Marie Groover, Program Manager, C+E Security CxP (@mariegroover)

Azure Security Center (ASC) Playbook: Web App Firewall


Azure Security Center (ASC) Playbook: Web App Firewall

2

Introduction

The Internet is riddled with hacker tools that make the lives of cybersecurity teams miserable. SQL injection attacks rank among the OWASP Top 10 threats. Microsoft's Azure Security Center (ASC) addresses these threats through awareness of the common routable ports exposed on cloud-based virtual machines (VMs). Based on this awareness, ASC takes the routable endpoints, pairs them with the context of your subscription, makes applicable recommendations, and automates the configuration and implementation of those recommendations. This playbook demonstrates these practices through a series of hands-on exercises.

In this exercise, we will:

• Highlight the prevalence of open source software (OSS) attack tools
• Demonstrate how these tools automate attacks, using SQL injection as an example
• Demonstrate how ASC identifies risk, specifically web resources not behind a Web Application Firewall (WAF)
• Demonstrate how ASC actions bring a resource to its recommended security state
• Demonstrate how ASC detects and protects against these attacks

Target Audience

This document is for IT and security professionals interested in a deep technical dive into how Azure Security Center (ASC) addresses SQL injection threats. Use it either as a hands-on guide or as a whitepaper presenting the ASC techniques for protecting against SQL injection attacks.

Resources

First, we need a lab environment. We will use the following tools:

Tool: "Damn Vulnerable Web App" (DVWA), an OSS tool
Purpose: Purposely vulnerable application
Link: http://www.dvwa.co.uk/

Tool: Bash on Ubuntu on Windows 10
Purpose: A Linux subsystem in Windows, used to run the 'sqlmap' tool quickly
Link: https://msdn.microsoft.com/en-us/commandline/wsl/about

Tool: sqlmap
Purpose: An open-source SQL injection tool with powerful automation
Link: http://sqlmap.org/

Tool: Chrome browser (or Edge, Firefox)
Purpose: To browse DVWA and to capture the request headers needed by sqlmap


Bash on Ubuntu on Windows 10

The Windows 10 Anniversary Update (version 1607) provides the ability to install Bash on Ubuntu in a Linux subsystem (the Windows Subsystem for Linux). In this playbook, we've leveraged this capability; you may use an alternate favorite Linux distribution instead. Note that the subsystem is a compatibility layer rather than a security boundary, so treat it as part of your Windows host.

sqlmap

Now that we have the "Bash on Ubuntu on Windows 10" environment, run a quick "sudo apt-get install sqlmap" command:

Figure 1: Install "sqlmap" in the Bash on Ubuntu Environment

This installs sqlmap and all its dependencies. The Ubuntu package can lag the upstream release; sqlmap's site also offers a git checkout if you need the current version.

“Damn Vulnerable Web App” – an OSS Testing Tool

Install and configure DVWA on an Azure virtual machine (VM) running Ubuntu, following the instructions on DVWA's site. When properly configured, the DVWA Database Setup page on the Azure VM should look like this:


Figure 2: DVWA Setup

Pressing the Create/Reset Database button creates the database and adds dummy data for lab purposes.

Add the endpoint in the Azure settings so that the HTTP/Apache service is reachable. In our example, the Ubuntu VM has two ports open:

1. SSH
2. HTTP

Keep in mind that DVWA is deliberately insecure, so anyone who finds the instance can attack it: use a throwaway VM, keep the lab short, and tear it down when you are finished.

Executing the Attack

High Level Architecture – Without a WAF

Here, we perform the SQL injection attack directly against the DVWA instance hosted in Azure.


Figure 3: Architecture Pre ASC-WAF

Recommended Paperwork

Before starting a security test on an Azure resource, we recommend you complete the Azure Penetration Testing form. Check the current Microsoft penetration testing rules of engagement as well, since the notification requirements have changed since this playbook was written.

Configure DVWA

Now set the security level on DVWA to "Low" as seen below. DVWA records the chosen level in a "security" cookie, which is why the request headers captured in the next step must be taken after this change.

Figure 4: Set the security to "Low"

Request Headers for sqlmap

sqlmap needs the authenticated session cookie and the other request headers your browser sends; capture them with the browser's developer tools:

1. Go to the DVWA URL and click the SQL Injection tab
2. Press F12 (the "Developer Tools" hotkey in Edge/IE and Chrome) to open the Developer Tools pane, then select the Network tab
3. In the DVWA page, type "123" in the User ID field and click the Submit button


4. Back in the Network tab of the Developer Tools, right-click the captured request and copy the request headers. We will need these for sqlmap:

Figure 5: Capture the request headers in Chrome

Paste this information into the Notepad app and save the file to your Desktop folder. In the Ubuntu subsystem, navigate to the Desktop and locate the file:

Figure 6: Save the request headers in the user's Ubuntu subsystem's home directory.

Note that "/mnt/c/Users/{username}" is where the Windows user's filesystem is mounted.

Great! Now it is time to pass this file to sqlmap.

sqlmap Discovery

Let's use SQL injection to discover the databases. Run the command depicted in Figure 7:


Figure 7: sqlmap to crack passwords

Discover the tables in the “dvwa” database:

Figure 8: Traverse the tables in the "dvwa" database

sqlmap Users Dump

Dump the users in the database:


Figure 9: Dump users and hashed passwords... then brute force those hashes (all built into the sqlmap tool)

You can see why this is a problem and why it is extremely important to take SQL injection attacks seriously. From a defense-in-depth perspective, any business should quickly discover its web and SQL servers and secure them behind a Web Application Firewall (WAF). A WAF is a compensating control that buys time; the root cause is a query built from untrusted input, and only parameterized queries in the application itself remove it.
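The dump above is what sqlmap automates, and the commands in the figures are not reproduced on this page, so here is the mechanism in miniature as an added example (not from the playbook) in Python, with an in-memory SQLite database standing in for DVWA's MySQL users table. The table rows, the wordlist and the two payloads are constructed for the example; the query shape is that of DVWA's low-security page, where the id parameter is spliced straight into the SQL string. sqlmap reaches the same result with its documented options: -r on the saved request file, --dbs, -D dvwa --tables, and -D dvwa -T users --dump, after which it offers to crack the MD5 hashes against a wordlist. The parameterized variant is the application-level fix that the WAF later substitutes for.

```python
import hashlib
import sqlite3

# Constructed sample rows shaped like DVWA's "users" table (not DVWA's real data).
# Like DVWA, passwords are stored as unsalted MD5, which is why sqlmap can crack the
# dumped hashes offline with a wordlist.
SAMPLE_USERS = [
    (1, "admin", "Admin", "User", "password"),
    (2, "gordonb", "Gordon", "Brown", "abc123"),
    (3, "1337", "Hack", "Me", "charley"),
]

# Payloads of the two classes sqlmap relies on against this page (written by hand here).
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION ALL SELECT user, password FROM users -- "


def build_db():
    """In-memory SQLite database standing in for DVWA's MySQL database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, user TEXT, first_name TEXT, "
               "last_name TEXT, password TEXT)")
    for uid, user, first, last, pw in SAMPLE_USERS:
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                   (uid, user, first, last, hashlib.md5(pw.encode()).hexdigest()))
    return db


def lookup_vulnerable(db, user_id):
    """Deliberately vulnerable: the input is concatenated into the SQL text, the same
    shape as DVWA's low-security SQL Injection page."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, user_id):
    """The fix: a bound parameter is always data, never SQL, whatever it contains."""
    return db.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                      (user_id,)).fetchall()


def crack_md5(digest, wordlist):
    """The dictionary attack sqlmap offers after --dump; returns the matching word or None."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


if __name__ == "__main__":
    db = build_db()
    print("normal lookup:", lookup_vulnerable(db, "2"))
    print("tautology returns every row:", lookup_vulnerable(db, TAUTOLOGY))
    dumped = lookup_vulnerable(db, UNION_DUMP)  # user/hash pairs ride in the name columns
    print("union dump:", dumped)
    for user, digest in dumped:
        print(f"  {user}: {crack_md5(digest, ['letmein', 'password', 'abc123', 'charley'])}")
    print("parameterized, same payload:", lookup_parameterized(db, TAUTOLOGY))
```

The UNION payload is the interesting one: the first SELECT matches nothing, so the rows that come back are entirely attacker-chosen columns rendered in the "first name / last name" slots of the page, exactly how sqlmap pulls a users table out through a lookup form. The trailing space after the comment marker matters on MySQL, which is why sqlmap emits it too.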

Azure Security Center – Web Application Firewall (WAF)

Azure Security Center (ASC) can help identify the resources that expose an HTTP endpoint. Additionally, ASC can automate the deployment of a WAF resource for protection, while showing detected malicious SQL injection attempts.

ASC provides a comprehensive list of security recommendations. In this example, we focus on the Web Application Firewall recommendation.


Figure 10: Azure Security Center (ASC) shows Recommendations. Here it is suggesting to add a Web Application Firewall

Figure 11: Here we see all the resources where ASC recommends we add a WAF

High Level Architecture – With WAF

Once we follow ASC’s recommendations for remediation, the architecture will look like this:


Figure 12: Architecture Post ASC-WAF

ASC configures HTTP/HTTPS traffic to be routed through the WAF. Per the Network Security Group (NSG) policy, HTTP/HTTPS traffic is routable to DVWA only from the WAF.

Deploy Microsoft Application Gateway in Detection Mode

When we click on the resource we want to resolve, we see the recently announced Microsoft Application Gateway (WAG), which includes Web Application Firewall (WAF) capabilities. A single WAF instance can front multiple VMs.

Figure 13: The Microsoft Application Gateway includes Web Application Firewall capabilities

ASC walks you through configuring the WAG:


Figure 14: Configure the WAF/WAG

Once it is deployed, ASC adds a recommendation to Finalize application protection. This forces traffic to our vulnerable VM to be routed through the WAF.

Figure 15: Finalizing application protection by putting applications 'behind' the virtual appliance

ASC offers guidance through the WAF Solution Console. From there, we follow the Microsoft Azure documentation for creating an application gateway with web application firewall to place our DVWA virtual machine behind it. Ensure that all VM-bound HTTP/HTTPS traffic is routed through the WAF; this is enforced with Network Security Group (NSG) rules. The check that matters: the VM's NSG must deny 80/443 from the Internet and allow them only from the gateway's subnet, otherwise an attacker simply bypasses the WAF by browsing to the VM's own public IP. Removing the VM's public IP altogether is the cleanest way to close that path.
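As an added example (not the playbook's own material), here is a small Python model of how an NSG evaluates the inbound rules just described. The addressing is an assumption made for the example: 10.0.1.0/24 for the Application Gateway subnet, 10.0.0.0/16 for the VNet, 203.0.113.0/24 as the admin network, and 198.51.100.7 as an Internet client. It encodes Azure's first-match-by-ascending-priority semantics plus the built-in default rules (modelling the VirtualNetwork tag as the VNet prefix), and shows the common mistake of giving the Internet deny rule a lower number than the WAF allow rule, which locks the WAF out as well.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # 100-4096 for custom rules; the lowest number is evaluated first
    source: str        # CIDR prefix, or "*" for any source
    dest_ports: object # tuple of destination ports, or "*" for any port
    access: str        # "Allow" or "Deny"


# Constructed lab addressing (an assumption, not the playbook's): the Application Gateway
# subnet is 10.0.1.0/24 and the DVWA VM sits elsewhere in the 10.0.0.0/16 VNet.
WAF_SUBNET = "10.0.1.0/24"
VNET = "10.0.0.0/16"

# Inbound rules on the DVWA VM's NSG. The built-in default rules (65000 and up) exist in
# every NSG and always evaluate last; AllowVnetInBound is modelled with the VNet prefix.
VM_INBOUND_RULES = [
    NsgRule("AllowHttpFromWaf", 100, WAF_SUBNET, (80, 443), "Allow"),
    NsgRule("AllowSshFromAdmin", 110, "203.0.113.0/24", (22,), "Allow"),
    NsgRule("DenyHttpFromInternet", 200, "*", (80, 443), "Deny"),
    NsgRule("AllowVnetInBound", 65000, VNET, "*", "Allow"),
    NsgRule("DenyAllInBound", 65500, "*", "*", "Deny"),
]


def _matches(rule, src_ip, port):
    src_ok = rule.source == "*" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)
    port_ok = rule.dest_ports == "*" or port in rule.dest_ports
    return src_ok and port_ok


def evaluate_inbound(rules, src_ip, port):
    """NSG semantics: walk rules in ascending priority; the first match decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule, src_ip, port):
            return rule.access, rule.name
    return "Deny", "(no rule)"  # unreachable while the default rules are present


def with_priority(rules, name, priority):
    """Copy of the rule set with one rule moved to a new priority (to show ordering bugs)."""
    return [replace(r, priority=priority) if r.name == name else r for r in rules]


if __name__ == "__main__":
    for src, port in (("10.0.1.5", 80), ("198.51.100.7", 80), ("203.0.113.9", 22), ("198.51.100.7", 22)):
        print(f"{src}:{port} ->", evaluate_inbound(VM_INBOUND_RULES, src, port))
    broken = with_priority(VM_INBOUND_RULES, "DenyHttpFromInternet", 90)
    print("deny rule moved ahead of the WAF allow ->", evaluate_inbound(broken, "10.0.1.5", 80))
```

The Internet client is refused on 80 and 443 by the explicit deny rule and on everything else by DenyAllInBound, while the gateway subnet gets through; moving DenyHttpFromInternet to priority 90 makes the WAF's own requests fail, which is how a "site is down after adding the WAF" ticket usually starts.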


Finally, we enable diagnostics on the WAG so that its firewall log flows into Microsoft Operations Management Suite (OMS), where SQL injection attempts can be detected.

Our once-vulnerable server is now behind the WAF, and the WAF is integrated into our Log Analytics workspace. Let's try the SQL injection attacks again with the WAF in Detection mode.

We perform the SQL injection procedure again. In Detection mode the WAF inspects and logs but does not block, so the injection itself still succeeds; what changes is that each matching request is now captured as a detected event in Azure Security Center:

Figure 16: ASC shows WAF detections

We can drill into these events by clicking on them for additional context:


Figure 17: ASC brings security alerts to the forefront

For deeper insight, we can go to the logs themselves. Within Log Analytics we can query these WAF alerts, specifically the OWASP rules that fired:

Figure 18: Use Log Analytics to drill deep into the raw events collected by your security appliances

Prevention

Now let's switch the WAF to Prevention mode (see the Azure Application Gateway web application firewall documentation for the configuration options):


Figure 19: The WAG's WAF settings are highly customizable, including Detection and Prevention modes

With this new setting in place, let's see what happens when we perform the same SQL injection attacks.

Figure 20: The WAF in Prevention mode drastically changed our results, so much so that we can't even enumerate the SQL version!


Remember, the web application is still 100% vulnerable. We made no changes to the web application's configuration; we simply placed it behind a WAF in Prevention mode. Using ASC, we successfully prevented sqlmap from discovering the database and its contents. Signature-based WAFs can be evaded with encoding and tamper tricks, so treat this as a stopgap while the application itself is fixed.

Back in our ASC dashboard, we can see the newly detected activity as well as the activity being blocked.

Figure 21: ASC detects and blocks suspicious activity
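To make the Detection-versus-Prevention behaviour above concrete, and the Log Analytics query over the OWASP rules, here is an added Python model that is not part of the playbook: a toy gateway applies three simplified SQL-injection signatures to the query string, writes each hit in the shape of the Application Gateway firewall log (category ApplicationGatewayFirewallLog with ruleId, message and action), and either forwards the request or returns 403 according to its mode. The signatures, the rule-id mapping, the sample requests and the client address are constructed for the example; the real CRS patterns are far more elaborate and CRS 3.x decides by anomaly score rather than per rule, so read this purely as an illustration of the two modes and of what the log looks like afterwards.

```python
import json
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Simplified SQL-injection signatures. Rule ids and messages are modelled on the OWASP
# Core Rule Set 942xxx rules that Application Gateway's WAF ships, but the regexes are
# this example's own crude illustrations, not the CRS patterns.
SQLI_RULES = [
    ("942130", "SQL Injection Attack: SQL Tautology Detected.",
     re.compile(r"""\bor\b\s*(['"]?)(\w+)\1\s*=\s*\1\2\b""", re.I)),
    ("942270", "Looking for basic sql injection. Common attack string for mysql, oracle and others.",
     re.compile(r"union\s+(?:all\s+)?select", re.I)),
    ("942440", "SQL Comment Sequence Detected.",
     re.compile(r"--|#|/\*")),
]


def dvwa_backend(request):
    """Stand-in for the unchanged, still-vulnerable DVWA: anything that reaches it succeeds."""
    return 200, "query executed against DVWA"


class WafGateway:
    """Minimal model of the Application Gateway WAF sitting in front of the VM."""

    def __init__(self, mode, backend):
        if mode not in ("Detection", "Prevention"):
            raise ValueError("mode must be Detection or Prevention")
        self.mode = mode
        self.backend = backend
        self.firewall_log = []  # JSON lines in the shape of ApplicationGatewayFirewallLog

    def handle(self, request):
        matches = []
        query = urlsplit(request["uri"]).query
        for values in parse_qs(query, keep_blank_values=True).values():
            for value in values:
                for rule_id, message, pattern in SQLI_RULES:
                    if pattern.search(value):
                        matches.append((rule_id, message, value))
        blocked = bool(matches) and self.mode == "Prevention"
        for rule_id, message, data in matches:
            self.firewall_log.append(json.dumps({
                "category": "ApplicationGatewayFirewallLog",
                "properties": {
                    "clientIp": request["client_ip"],
                    "requestUri": request["uri"],
                    "ruleSetType": "OWASP",
                    "ruleId": rule_id,
                    "message": message,
                    "action": "Blocked" if blocked else "Detected",
                    "details": {"data": data},
                },
            }))
        if blocked:
            return 403, "blocked by WAF"
        return self.backend(request)


def summarize(log_lines):
    """Roughly what 'summarize count() by ruleId_s, action_s' gives you in Log Analytics."""
    counts = Counter()
    for line in log_lines:
        props = json.loads(line)["properties"]
        counts[(props["ruleId"], props["action"])] += 1
    return dict(counts)


# Constructed requests: the benign "123" lookup from the walkthrough, then two requests of
# the kind sqlmap sends to DVWA's SQL Injection page (URL-encoded as a browser or sqlmap would).
SAMPLE_REQUESTS = [
    {"client_ip": "198.51.100.7", "uri": "/vulnerabilities/sqli/?id=123&Submit=Submit"},
    {"client_ip": "198.51.100.7", "uri": "/vulnerabilities/sqli/?id=1%27%20OR%20%271%27%3D%271&Submit=Submit"},
    {"client_ip": "198.51.100.7",
     "uri": "/vulnerabilities/sqli/?id=%27%20UNION%20ALL%20SELECT%20user%2C%20password%20FROM%20users%20--%20&Submit=Submit"},
]


def replay(mode):
    """Send the sample requests through a gateway in the given mode; return statuses and log."""
    gw = WafGateway(mode, dvwa_backend)
    statuses = [gw.handle(req)[0] for req in SAMPLE_REQUESTS]
    return statuses, gw.firewall_log


if __name__ == "__main__":
    for mode in ("Detection", "Prevention"):
        statuses, log = replay(mode)
        print(mode, "->", statuses, summarize(log))
```

Running it reproduces the playbook's point: in Detection mode all three requests reach the still-vulnerable backend and only the log changes, while in Prevention mode the two injection requests get a 403 and the benign lookup still passes. The summarize step is the same grouping you would write in Log Analytics over the real firewall log to see which OWASP rules fired and whether they blocked.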


Conclusion

In this exercise we illustrated how SQL injection is used to send unintended instructions to a database, here reading usernames and password hashes the application never meant to expose.

Using Azure Security Center (ASC), we were able to view our subscription's recommendations around Internet-facing HTTP endpoints.

Figure 22: ASC recommendations based on endpoints

We followed those recommendations and deployed a new Web Application Firewall. We detected and then prevented the same SQL injection techniques that had previously allowed us to steal usernames and hashed passwords.

Finally, we leveraged ASC to show us the malicious activity it detected and blocked.

Figure 23: ASC Dashboard, showing recommendations

Have questions? Email us at [email protected]