In setting up an application with appliances that provide protections from cyber threats, it is always necessary to have penetration testing and monitoring throughout the solution’s lifecycle management. I will demonstrate the following scenario:
- Protect your web app using Azure Application Gateway’s Web Application Firewall features.
- Enable and configure the WAF
- The web app is hosted in an Azure App Service or Azure Virtual Machine.
- Conduct simple penetration test using a tool such as OWASP ZAP
- Monitor and alert upon certain application requests that adhere to an OWASP rule in the Log Analytics web application firewall log
The Azure Application Gateway is a web traffic load balancer that has various capabilities such as SSL termination, URL-based routing, multiple-site hosting, redirection, session affinity, WebSocket and Http/2 support and the web application firewall.
The WAF (Web application firewall) feature can be enabled so that it will bring an added layer of protection your apps from common web vulnerabilities such cross site scripting attacks and SQL injection.
The WAF is utilizes the OWASP (Open Web Application Security Project) core rule sets 3.0 or 2.2.9. These are a set of generic attack detection rules for use with ModSecurity or for compatible web application firewalls. The core rule sets (CRS) aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
In this configuration, the Rule set has been selected as OWASP 3.0. The Firewall mode is set as Prevention to block any requests that meet any of the enabled rules.
You can expand to see the specific rules in order to enable and disable individually. A situation where you may want to disable a rule, is when a rule is a false-positive and is preventing your application from working properly. I have had this situation when using this WAF in front of SharePoint Server 2013. Note that multiple web apps that are being served by the same WAF, they will share the same rule configuration. If multiple web apps can’t share the same configuration, then you have to consider creating another Azure App Gateway for this specific purpose.
The SQL Injection Attack Detected via libinjection is enabled and I will later show this type of request seen in my log analytics workspace.
The following is the solution design of my Azure web app being protected with Azure Application Gateway WAF of which will be under the penetration test. The web application is a single page application using KnockoutJS, ASP .NET MVC and REST API.
To see how this is setup, you can read my blog series Protecting Azure App Service with Azure Application Gateway
The next article Penetration Testing Your Web App with Azure Application Gateway WAF Part 2: OWASP ZAP Tool will take a look at using the OWASP ZAP tool for a simple penetration test.
Resources
Roy Kim on Azure and Microsoft 365 
Pingback: Penetration Testing Your Web App with Azure Application Gateway WAF Part 2: OWASP ZAP Tool – Roy Kim on Azure, Office 365 and SharePoint