Unable to do penetration testing on our Azure hosted web app

chitra manju 60 Reputation points
2025-01-24T10:24:29.91+00:00

We are currently in the process of conducting a Vulnerability Assessment and Penetration Testing (VAPT) on our web application, which is hosted in Azure.

However, we have encountered an issue where our vendor's VAPT scanning tool is unable to access our application’s login page and perform the necessary tests.

Our network security team has already confirmed that inbound and outbound traffic has been allowed for the IP addresses of the testing tool. Despite this, the scanning tool continues to face access issues.

We have reviewed our NSG and other rules too.

We would like to ask if there are any inbuilt features or security measures within Azure that could potentially block or restrict the usage of VAPT tools on our web application. Specifically, we are concerned about any network-level protections, firewall rules, or other security mechanisms that may be preventing the tool from completing the scan.

Any insights or recommendations you could provide would be greatly appreciated to help us proceed with the VAPT testing.

Azure App Service

Accepted answer
  1. Shree Hima Bindu Maganti 4,925 Reputation points Microsoft External Staff Moderator
    2025-01-30T04:23:19.64+00:00

    Hi @chitra manju,
    Welcome to MS Q&A.
    In addition to Deepanshu's response,
    You do not need to seek permission from Microsoft to conduct penetration testing on your Azure resources, as pre-approval is no longer required. However, compliance with the Microsoft Cloud Unified Penetration Testing Rules of Engagement is mandatory. If you encounter issues with your penetration testing tools, it is advisable to contact your Azure account manager for assistance or clarification regarding your specific setup and any potential restrictions.

    To contact your Azure account manager, you can do so through the Azure portal or by using the support options provided by Microsoft. Look for the "Help + support" section in the Azure portal where you can create a support request or find contact information for your account manager.
    Penetration testing

    Develop secure applications on Azure

    Azure guidance for secure isolation
    Let me know if you need any further assistance.
    If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who face similar issues may benefit from it.

    1 person found this answer helpful.

1 additional answer

  1. Deepanshu katara 16,720 Reputation points MVP Moderator
    2025-01-24T11:23:32.3366667+00:00

    Hello Chitra, Welcome to MS Q&A

    To address the issue where your VAPT scanning tool is unable to access your application's login page, you might want to consider the following steps:

    1. Web Application Firewall (WAF) Settings: If you have a Web Application Firewall (WAF) in place, verify that it is not blocking the requests from the VAPT tool. You may need to whitelist the IP addresses of the tool.
    2. Application Gateway or Load Balancer: If your application or webapp is behind an Application Gateway or Load Balancer, ensure that the configuration allows traffic from the VAPT tool.
    3. Authentication and Access Control: Ensure that there are no authentication or access control mechanisms that might be preventing the tool from accessing the login page. This could include IP restrictions in Azure web apps.

    Please try this and let us know.

    If you have any further questions, please let us know.

    Kindly accept if it works.

    Thanks
    Deepanshu
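
As an added example (not part of either answer and not Microsoft's code), the sketch below checks which App Service access restriction rule decides the outcome for each scanner source IP, which is the check the third step above asks for. The rule list is constructed sample data in the shape of the ARM `ipSecurityRestrictions` array; first match by ascending priority and the implicit deny once any rule exists are assumed default behaviour.

```python
import ipaddress

# Constructed sample in the shape of the ARM `ipSecurityRestrictions` array
# (Microsoft.Web/sites/config). Names and addresses are made up (RFC 5737 ranges).
SAMPLE_RULES = [
    {"name": "office", "ipAddress": "198.51.100.0/24", "action": "Allow", "priority": 100},
    {"name": "block-scanners", "ipAddress": "203.0.113.0/24", "action": "Deny", "priority": 200},
    {"name": "vapt-vendor", "ipAddress": "203.0.113.10/32", "action": "Allow", "priority": 300},
]

# Assumed defaults: no rules means allow all; any rule adds a trailing deny all.
IMPLICIT_DENY = {"name": "(implicit deny all)", "action": "Deny", "priority": 2147483647}
IMPLICIT_ALLOW = {"name": "(no rules: allow all)", "action": "Allow", "priority": None}


def evaluate(rules, source_ip):
    """Return the rule that decides access for source_ip (first match wins)."""
    if not rules:
        return IMPLICIT_ALLOW
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        cidr = rule.get("ipAddress", "")
        if cidr == "Any":
            return rule
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue  # service-tag or subnet rule: not an IP range, skipped here
        if addr.version == net.version and addr in net:
            return rule
    return IMPLICIT_DENY


def audit(rules, scanner_ips):
    """Map each scanner IP to (action, name of the deciding rule)."""
    result = {}
    for ip in scanner_ips:
        rule = evaluate(rules, ip)
        result[ip] = (rule["action"], rule["name"])
    return result


if __name__ == "__main__":
    # 203.0.113.10 has an Allow rule, but a broader Deny with a lower
    # priority number is evaluated first and shadows it.
    for ip, (action, name) in audit(SAMPLE_RULES, ["203.0.113.10", "192.0.2.7"]).items():
        print(f"{ip}: {action} (decided by {name})")
```

A scanner IP that was "allowed" can still be blocked when a broader Deny rule has a lower priority number, so compare the deciding rule, not just the presence of an Allow entry.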

