XSS attack on a web app
Table of Contents
- Perform Attack
- Detect Attack
- Configuration validation
- Teardown Deployment
- Perform XSS (Cross Site Scripting) attack on Web App with following configuration --> Application prevents attack using application gateway
- Application Gateway (WAF enabled-Prevention mode)
First time it takes few hours for OMS to pull logs for detection and prevention events. For subsequent requests it takes 10-15 mins to reflect in OMS.# Prerequisites Access to Azure subscription to deploy following resources 1. Application gateway (WAF enabled) 2. App Service (Web App) 3. SQL Database 4. OMS (Monitoring) # Perform Attack Attack on web app with * Application gateway - WAF - Detection mode
Go to Azure Portal --> Select Resource Groups services --> Select Resource Group --> given during deployment
Select Application Gateway with name 'appgw-detection-' as prefix.
Application Gateway WAF enabled and Firewall in Detection mode as shown below.
On Overview Page --> Copy Frontend public IP address as
Open Internet Explorer with above details as shown below
Click on Patient link and select Edit option
Application will save data in database and display it on dashboard.
Go to Log analytics --> Click on Log Search --> Type query search
AzureDiagnostics | where Message contains "xss" and action_s contains "detected"
Following details gets logged.
Update Web application firewall mode to Prevention for application gateway. This will take 5-10 mins. Hence, we will connect the application using Application Gateway (WAF- Prevention mode)
Detection after Mitigation
Execute the step 6 and 7 to perform XSS attack, Application Gateway will prevent access
To detect the prevention of attack, execute following query in Azure Log Analytics
AzureDiagnostics | where Message contains "xss" and action_s contains "blocked"
You will notice events related to detection and prevention items. First time it takes few hours for OMS to pull logs for detection and prevention events. For subsequent requests it takes 10-15 mins to reflect in OMS, so if you don't get any search results, please try again after sometime.## Configuration Validation * Cross site scripting (XSS) is a common attack vector that injects malicious code into a vulnerable web application. A successful cross site scripting attack can have devastating consequences for an online business’s reputation and its relationship with its clients. Detection and remediation can be easily done using advanced controls along with Audit and Remediation procedure in Cloudneeti.
- Cloudneeti is available on the Azure marketplace. Try out the free test drive here https://aka.ms/Cloudneeti
Run following powershell command after login to subscription to clear all the resources deployed during the demo. Specify resource group name given during deployment
Remove-AzureRmResourceGroup -Name <ResourceGroupName> -Force
Verification steps -
- Login to Azure Portal / Subscription
- Check if resource group name given during deployment is cleared.
Disclaimer & Acknowledgements
Avyan Consulting Corp conceptualized and developed the software in guidance and consultations with Microsoft Azure Security Engineering teams.
AVYAN MAKE NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. Customers reading this document bear the risk of using it. This document does not provide customers with any legal rights to any intellectual property in any AVYAN or MICROSOFT product or solutions. Customers may copy and use this document for internal reference purposes.
- Certain recommendations in this solution may result in increased data, network, or compute resource usage in Azure. The solution may increase a customer’s Azure license or subscription costs.
- The solution in this document is intended as reference samples and must not be used as-is for production purposes. Recommending that the customer’s consult with their internal SOC / Operations teams for using specific or all parts of the solutions.
- All customer names, transaction records, and any related data on this page are fictitious, created for the purpose of this architecture, and provided for illustration only. No real association or connection is intended, and none should be inferred.
Tags:Microsoft.Resources/deployments, Microsoft.OperationalInsights/workspaces, Microsoft.OperationsManagement/solutions, Microsoft.OperationalInsights/workspaces/datasources, Microsoft.Network/applicationGateways, providers/diagnosticSettings, Microsoft.Network/publicIPAddresses, Microsoft.Network/virtualNetworks, Microsoft.Sql/servers/auditingSettings, Microsoft.Sql/servers/databases, extensions, Microsoft.Sql/servers/securityAlertPolicies, Microsoft.Sql/servers, firewallRules, Microsoft.Storage/storageAccounts, SystemAssigned, Microsoft.Web/serverfarms, Microsoft.Web/sites/config, [parameters('connectionType')], Microsoft.Web/sites/extensions, Microsoft.Web/sites