ASC Playbook: Protect Servers with Web App Firewall
Version 1.0 Final
Author
Andrew Harris
Sr Program Manager
C+E Security CxP
@ciberesponce
Contributed by
Marie Groover
Program Manager
C+E Security CxP
@mariegroover
Azure Security Center (ASC)
Playbook: Web App Firewall
Introduction
The Internet is riddled with hacker tools that make the lives of cybersecurity teams miserable. SQL injection attacks rank among the OWASP Top 10 threats. Microsoft’s Azure Security Center (ASC) addresses these threats through awareness of common routable ports available on cloud-based virtual machines (VMs). Based on this awareness, ASC takes the routable endpoints, pairs them with the context of your subscription, and makes applicable recommendations, automating the configuration and implementation of those recommendations. This playbook demonstrates these practices via a series of hands-on exercises.
In this exercise, we will:
• Highlight the prevalence of open source software (OSS) attack tools
• Demonstrate how these tools automate attacks—using SQL injection as an example
• Demonstrate how ASC identifies risk—specifically web resources not behind a Web Application Firewall (WAF)
• Demonstrate how ASC actions bring a resource to its recommended security state
• Demonstrate how ASC detects and protects against these attacks
Target Audience
This document is for IT and Security Professionals interested in a deep technical dive into how
Azure Security Center (ASC) addresses SQL injection threats. Use this document as either a
hands-on guide or as a whitepaper to present ASC techniques in protecting against SQL
injection attacks.
Resources
First, we need a lab environment. We will use the following tools:

Tool: “Damn Vulnerable Web App” (DVWA), an OSS tool
Purpose: Purposely vulnerable application
Link: http://www.dvwa.co.uk/

Tool: Bash on Ubuntu on Windows 10
Purpose: A Linux subsystem in Windows to quickly leverage the ‘sqlmap’ tool
Link: https://msdn.microsoft.com/en-us/commandline/wsl/about

Tool: sqlmap
Purpose: An open-source SQL injection tool with powerful automation
Link: http://sqlmap.org/

Tool: Chrome Browser (or Edge, Firefox)
Purpose: To browse DVWA as well as capture the request headers needed by sqlmap
Bash on Ubuntu on Windows 10
Windows 10 Anniversary Edition (Build 1607) provides the ability to install Bash on Ubuntu in a secure Linux subsystem. In this playbook, we’ve leveraged this capability. You may use an alternate favorite Linux distribution.
sqlmap
Now that we have the “Bash on Ubuntu on Windows 10” environment, let’s do a quick “sudo
apt-get install sqlmap” command:
Figure 1: Install "sqlmap" in the Bash on Ubuntu Environment
This will install sqlmap and all its dependencies.
“Damn Vulnerable Web App” – an OSS Testing Tool
Install and configure the DVWA on an Azure virtual machine (VM) running Ubuntu. Follow the
instructions on DVWA’s site to set this up. When properly configured, the Azure VM Database
Setup page should look like this:
Figure 2: DVWA Setup
Pressing the Create/Reset Database button will create the database and add dummy data for
lab purposes.
Add the endpoint in the Azure settings to ensure that the HTTP/apache service is reachable. In
our example, we show Ubuntu with 2 ports open:
1. SSH
2. HTTP
Executing the Attack
High Level Architecture – Without a WAF
Here, we will perform the SQL injection attack directly against the DVWA hosted in Azure.
Figure 3: Architecture Pre ASC-WAF
Recommended Paperwork
Before starting a security test on an Azure resource, we recommend you complete the Azure
Penetration Testing form.
Configure DVWA
Now, set the security on the DVWA to “Low” as seen below:
Figure 4: Set the security to "Low"
Request Headers For sqlmap
The sqlmap tool needs the session cookie to authenticate. Capture it using a browser with developer tools:
1. Go to the DVWA URL and then click the SQL Injection tab
2. Press F12 (hotkey in Edge/IE and Chrome for “Developer Tools”), open the Developer Tools pane, then select the Network tab
3. In the DVWA site, type “123” then click the submit button
4. Navigate back to the Network tab of the Developer Tools, right click the captured request, and copy the respective request headers. We will need this for our sqlmap tool:
Figure 5: Capture the request headers in Chrome
Paste this information into the Notepad app and save the file to your Desktop folder. In the
Ubuntu Subsystem, navigate to the location of the Desktop and locate the file:
Figure 6: Save the request headers in the user's Ubuntu subsystem's home directory.
Note that “/mnt/c/Users/{username}” is where the Windows User’s filesystem is located.
Great! Now it is time to pass this file to sqlmap.
sqlmap Discovery
Let’s use SQL injection attacks to discover the databases. Run the following command as
depicted below:
Figure 7: sqlmap to crack passwords
Discover the tables in the “dvwa” database:
Figure 8: Traverse the tables in the "dvwa" database
sqlmap Users Dump
Dump the users in the database:
Figure 9: Dump users and hashed passwords... then brute force those hashes (all built into the sqlmap tool)
You can see why this is a problem and why it is extremely important to take SQL injection
attacks seriously. From a defense-in-depth perspective, any business should quickly discover
Web and SQL servers and secure them behind a Web Application Firewall (WAF).
Azure Security Center – Web Application Firewall (WAF)
Azure Security Center (ASC) can help identify resources that have an HTTP endpoint. Additionally, ASC can automate the deployment of a WAF resource for protection, while showing detected malicious SQL injection attempts.
ASC provides a comprehensive list of security recommendations. In this example, we are focused
on the Web Application Firewall recommendation.
Figure 10: Azure Security Center (ASC) shows Recommendations. Here it is suggesting to add a Web Application Firewall
Figure 11: Here we see all the resources where ASC recommends we add a WAF
High Level Architecture – With WAF
Once we follow ASC’s recommendations for remediation, the architecture will look like this:
Figure 12: Architecture Post ASC-WAF
ASC will configure HTTP/HTTPS traffic to be routed through the WAF. Per the Network Security
Group (NSG) Policy, HTTP/HTTPS traffic will only be routable to DVWA from the WAF.
Deploy Microsoft Application Gateway in Detection Mode
When we click on the resource we want to resolve, we can see the recently announced Microsoft Application Gateway (WAG) that includes Web Application Firewall (WAF) capabilities. A single instance of the WAF supports multiple VMs.
Figure 13: The Microsoft Application Gateway includes Web Application Firewall Capabilities
ASC will walk you through configuring the WAG:
Figure 14: Configure the WAF/WAG
Once it’s deployed, ASC adds a recommendation to Finalize application protection. This will force traffic to our vulnerable VM to be routed through the WAF.
Figure 15: Finalizing application protection by putting applications 'behind' the virtual appliance
ASC offers guidance through the WAF Solution Console. From there, we follow the Microsoft Azure documentation for creating an application gateway with web application firewall to configure the WAF with our DVWA Virtual Machine. Ensure all VM-bound HTTP/HTTPS traffic is routed through the WAF – this is configured using Network Security Group (NSG) policies.
Finally, we enable diagnostics on the WAG in order to detect SQL injection in Microsoft
Operations Management Suite (OMS).
Our once vulnerable server is now behind the WAF, and our WAF is integrated into our Log
Analytics workspace. Let's try the SQL injection attacks again with the WAF configured to
“Detect” mode.
We perform the SQL injection procedure again. Instead of a successful injection, detected
events are captured in Azure Security Center logs:
Figure 16: ASC shows WAF detections
We can drill into these events by clicking on them for additional context:
Figure 17: ASC brings security alerts to the forefront
For deeper insight, we can go to the logs themselves. Within Log Analytics we can query these
WAF alerts, specifically the OWASP rules:
Figure 18: Use Log Analytics to drill deep into the raw events collected by your security appliances
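To show the kind of triage the Log Analytics drill-down above performs, here is an added Python example (not from the playbook or from Microsoft) that summarizes SQL injection rule hits per client IP, split by WAF action, from firewall log records. The sample records are constructed to resemble Application Gateway firewall log entries; the field names and the 942 rule prefix (the OWASP CRS 3.x SQLi rule group) are assumptions, not values taken from the page.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records shaped like Application Gateway WAF firewall log
# entries (field names assumed; request payloads redacted). One JSON object per
# line, as a log export would deliver them.
SAMPLE_WAF_LOG = """\
{"operationName":"ApplicationGatewayFirewall","properties":{"clientIp":"203.0.113.10","requestUri":"/vulnerabilities/sqli/?id=REDACTED&Submit=Submit","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"942100","action":"Detected","message":"SQL Injection Attack Detected via libinjection"}}
{"operationName":"ApplicationGatewayFirewall","properties":{"clientIp":"203.0.113.10","requestUri":"/vulnerabilities/sqli/?id=REDACTED&Submit=Submit","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"942200","action":"Blocked","message":"MySQL comment-/space-obfuscated injections"}}
{"operationName":"ApplicationGatewayFirewall","properties":{"clientIp":"198.51.100.7","requestUri":"/login.php","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"920350","action":"Detected","message":"Host header is a numeric IP address"}}
"""

# OWASP CRS 3.x groups its SQL injection rules under IDs 942xxx (REQUEST-942-*).
SQLI_RULE_PREFIX = "942"


def parse_waf_log(text):
    """Yield the 'properties' dict of every ApplicationGatewayFirewall record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("operationName") == "ApplicationGatewayFirewall":
            yield record["properties"]


def summarize_sqli(text):
    """Count SQLi rule hits per client IP, keyed by the WAF action taken.

    Returns {clientIp: {"Detected": n, "Blocked": n, ...}} restricted to the
    942 rule group, so a Detection-mode run shows only 'Detected' entries and
    a Prevention-mode run shows what was actually 'Blocked'.
    """
    summary = defaultdict(Counter)
    for props in parse_waf_log(text):
        if props.get("ruleSetType") != "OWASP":
            continue
        if not props.get("ruleId", "").startswith(SQLI_RULE_PREFIX):
            continue  # e.g. 920xxx protocol-enforcement hits are not SQLi
        summary[props["clientIp"]][props["action"]] += 1
    return {ip: dict(actions) for ip, actions in summary.items()}


if __name__ == "__main__":
    for ip, actions in summarize_sqli(SAMPLE_WAF_LOG).items():
        print(ip, actions)
```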
Prevention
Now let’s configure the WAF to “Prevention” mode (for more information on configuring the
WAF, refer here):
Figure 19: WAG's WAF settings are highly customizable, including options to Detect and Prevent
With this new setting in place, let’s see what happens when we perform the same SQL injection
attacks.
Figure 20: The WAF in "prevention" mode drastically changed our results--so much we can't even enumerate the SQL version!
Remember, the web application is still 100% vulnerable. We made no changes to the
configurations of the web application, but simply secured it behind a WAF in prevention mode.
Using ASC has successfully prevented sqlmap from discovering the database and its contents.
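The point that the application itself is unchanged is worth making concrete. This added Python example (not from the playbook or from DVWA) puts a DVWA "Low"-style string-concatenated user lookup beside its parameterized form, run against a constructed in-memory SQLite table; the table name, columns and sample rows are assumptions made for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed stand-in for a DVWA-like users table (not the real DVWA schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "<hash1>"), (2, "gordonb", "<hash2>"), (3, "1337", "<hash3>")],
    )
    return conn


def lookup_user_vulnerable(conn, user_id):
    """DVWA 'Low' style: the user-supplied id is spliced into the SQL text, so
    the input can change the structure of the query. Deliberately vulnerable;
    this is what the WAF in front of the VM is compensating for."""
    sql = f"SELECT user_id, user FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, user_id):
    """Hardened form: the id is bound as a parameter, so it is always treated
    as data and never as SQL. This is the application-level fix the WAF does
    not replace."""
    sql = "SELECT user_id, user FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    tautology = "1' OR '1'='1"  # the textbook probe; sqlmap automates many variants
    print(lookup_user_vulnerable(conn, "1"))        # the one intended row
    print(lookup_user_vulnerable(conn, tautology))  # every row: the WHERE clause was rewritten
    print(lookup_user_safe(conn, tautology))        # no rows: the string is only a literal
```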
Back in our ASC dashboard, we can see the newly detected activity as well as the activity getting
blocked.
Figure 21: ASC detects and blocks suspicious activity
Conclusion
In this exercise we illustrated how SQL injection is used as a technique to write unintended instructions or data into databases.
Using Azure Security Center (ASC), we were able to view our Subscriptions’ recommendations
around Internet-facing HTTP endpoints.
Figure 22: ASC recommendations based on endpoints
We followed those recommendations and deployed a new Web Application Firewall. We
detected and then prevented the same SQL injection techniques that previously allowed us to
steal usernames and hashed passwords.
Finally, we leveraged ASC to show us what malicious activity it detected and blocked.
Figure 23: ASC Dashboard, showing recommendations
Have questions? Email us at [email protected]