WAF is not blocking attacks.

Doležal Vojtěch (219303) 1 Reputation point
2022-04-29T13:59:28.303+00:00

Hi,
I have an issue with WAF. It is based on Front Door and is protecting a web app (JuiceShop). The issue is that attacks it should block can still be done. I am using DefaultRuleSet_1.0 and Microsoft_BotManagerRuleSet_1.0. WAF is turned on and set to prevention. Rules are turned on and everything is connected together. (Some attacks are blocked.)
For example:
XSS in customer feedback. It should be blocked, but it can be done.
197794-image.png

Second example is admin login. Again the same issue.
197778-image.png

Based on Microsoft documentation these attacks should be blocked and I don't know why they are not.
Sorry for my English and low knowledge. This is my first security project in Azure.

Azure Front Door
Azure Web Application Firewall

2 answers

  1. ChaitanyaNaykodi-MSFT 27,476 Reputation points Microsoft Employee Moderator
    2022-05-02T19:31:23.197+00:00

    Hello @Doležal Vojtěch (219303) , Welcome to the Microsoft Q&A forum.

    As I understand from the question you have a JuiceShop Web application behind a WAF enabled Azure Front Door in prevention mode. As observed by you some of the attacks are not blocked by the WAF. From the screenshots shared above WAF does offer protection against Java attacks, SQL injection etc. and these requests should have been blocked. You have also mentioned that some of the attacks are blocked by the WAF, so this means there are no configuration errors.

    Based on the observations above, I think this issue might be due to the use of WebSockets by the JuiceShop web application, as WebSockets are not supported by WAF on Azure Front Door and the issue observed by you is synonymous with that. Can you please validate if the backend application is utilizing WebSockets? You can also use diagnostic logging to understand if requests are getting blocked.

    Hope this helps! Please let me know if you have any additional questions, I will be glad to continue with our discussion. Thank you!


  2. Cihan MOROVA 1 Reputation point
    2022-10-27T20:46:33.55+00:00

    Hi, @Doležal Vojtěch (219303)

    Let's separate this issue into two parts. First one: how did you deploy your WebApp? (Docker, Kubernetes, or running Node.js on Ubuntu.)

    I am going to try to explain my findings about it. I've experienced two different deployment methodologies at two different WAAP solutions.

    Scenario 1: There is a JuiceShop application running on Docker (configured as nginx reverse proxy and nanoagent on the webapp machine)

    Port 80: Protected by Check Point CloudGuard AppSec
    Port 3000: Direct to JuiceShop (unprotected)

    I've prevented similar XSS attack strings you have shared as an attachment by CloudGuard AppSec solution.

    Scenario 2: There is a JuiceShop application running with Node.js on Ubuntu.

    Port 3000: Protected by Azure Front Door

    I've blocked second attack you sent in as an attachment on Azure Front Door environment.
    https://i.imgur.com/0ualb0h.png

    I've applied similar WAF security policies to both.

    My second question is about your configuration. Could you provide us some configuration details? Which port is your web application using? 3000?

    If we can clarify those we will get it closer to solution.

    As a result, I saw some attacks were prevented by the CloudGuard AppSec solution but some attacks are not prevented. The same issue applies to Azure Front Door.

    HTH

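The diagnostic-logging check suggested in the first answer can be done offline on an exported log. The following is an added example, not code from the thread or from Microsoft: it sorts each test request into "blocked", "matched a rule but not blocked", or "no WAF record". It assumes JSON-lines export with the `category`, `properties.requestUri`, `ruleName`, `action` and `policyMode` fields of the Front Door WAF log (verify against your own export); the sample records, host, paths and rule names are constructed placeholders.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample (placeholders only): two WAF log entries and one access
# log entry, one JSON object per line as in a diagnostic log export.
SAMPLE_LOG = """\
{"category":"FrontdoorWebApplicationFirewallLog","properties":{"requestUri":"https://shop.example.net:443/rest/user/login","ruleName":"EXAMPLE-SQLI-RULE","action":"Block","policyMode":"prevention"}}
{"category":"FrontdoorWebApplicationFirewallLog","properties":{"requestUri":"https://shop.example.net:443/rest/products/search?q=test","ruleName":"EXAMPLE-XSS-RULE","action":"Log","policyMode":"detection"}}
{"category":"FrontdoorAccessLog","properties":{"requestUri":"https://shop.example.net:443/api/Feedbacks"}}
"""

def load_waf_records(text):
    """Return the properties of WAF log entries; skip other or malformed lines."""
    records = []
    for line in text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and \
                entry.get("category") == "FrontdoorWebApplicationFirewallLog":
            records.append(entry.get("properties", {}))
    return records

def triage(tested_paths, records):
    """Map each tested URL path to a verdict derived from the WAF log."""
    by_path = defaultdict(list)
    for rec in records:
        by_path[urlsplit(rec.get("requestUri", "")).path].append(rec)
    verdicts = {}
    for path in tested_paths:
        hits = by_path.get(path, [])
        if any(h.get("action") == "Block" for h in hits):
            verdicts[path] = "blocked"
        elif hits:
            # A rule fired but the request went through: check the policy
            # mode and the action configured for that rule.
            modes = ",".join(sorted({h.get("policyMode", "?") for h in hits}))
            verdicts[path] = f"matched, not blocked (policyMode={modes})"
        else:
            # The WAF log only records rule matches, so either no rule
            # matched or the request did not pass through the WAF at all.
            verdicts[path] = "no WAF record"
    return verdicts

if __name__ == "__main__":
    paths = ["/rest/user/login", "/rest/products/search", "/api/Feedbacks"]
    for path, verdict in triage(paths, load_waf_records(SAMPLE_LOG)).items():
        print(f"{path}: {verdict}")
```

A "no WAF record" result for a request that reached the application points at either a rule-coverage gap or a path that skips Front Door, such as the directly exposed port 3000 in the second answer's first scenario.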
