This article aims to set out the basics of how you can approach assessing the security of your webapp hosted in Azure.
Performing a security review of a site using a combination of Azure’s Security Score and other tools can be a really useful way to get value from an external pen-test by eliminating much of the low hanging fruit. This allows the tester to spend time looking for application/business logic vulnerabilities instead of having to spend time looking for & writing up the commonly seen issues, such as missing headers, lack of HTTPS, anti-CSRF tokens missing and so on.
This will be a short and to-the-point outline of how you can set up Damn Vulnerable Web App using Azure Frontdoor.
- Deploy Azure Front Door & App Gateway with this template/one-liner: Azure Frontdoor Standard & Application Gateway.
- Set up DVWS using App Service with a container from Docker Hub: DVWA on Docker Hub.
- You will need to configure the Azure App Gateway to have the container as the endpoint.
- When you first navigate to the site, you will need to log in with root:p4ssw0rd to run setup.php to initialise the database.
- After that you can log into the app with admin:password.
Damn Vulnerable WebApp
DVWA is a well known application designed with insecure coding patterns and vulnerabilities. It’s aim is to allow security researchers to practice their skills, and it has varying degrees of difficulty. It has been around for a while, but it is still a good resource. I have selected this application along with Azure Frontdoor so you can test for the vulnerabilities and check if Frontdoor is good at stopping your bypasses. It’s also a modern way to deploy webapps, so you get to play around with it’s own capabilities too. You can deploy the DVWA Container as an App Service to use the application as intended, without the Frontdoor WAF stopping you from performing your attacks to compare how it works with and without Frontdoor.
Azure Front Door Standard/Premium is a fast, reliable, and secure modern cloud CDN that uses the Microsoft global edge network and integrates with intelligent threat protection. It combines the capabilities of Azure Front Door, Azure Content Delivery Network (CDN) standard, and Azure Web Application Firewall (WAF) into a single secure cloud CDN platform.
BurpSuite, from PortSwigger, is a web proxy that monitors all the web traffic flow between yourself and the application. One feature of Burp is that it can intercept requests, and you can modify them on the fly. This is very useful for testing input validation. Many apps will have input validation on the client side, so when you try to type in a string of text into an input that only accepts numbers, you will get a prompt on the web app to tell you that you can only enter numbers. When Burp intercepts this request, you can bypass the client side validation and change the value to whatever you want. This can cause unintended behaviour from the application. One such example is to intercept a request to change a value of 1 to a -1 to see how the application handles it.
When you launch the proxy browser session from within Burp and use the web application as normal, Burp can pick up any low hanging fruit and report on this. This is really useful for spotting missing headers in your application (ie Anti XSS or CSRF), lack of TLS security and many more. You can relay this information to the developers of the app to tighen the security of the app.
The community edition of Burp lacks the automatic scanning feature, but it is still very powerful and you can pick up a lot just by stepping through the application with it.
Burp also comes with extensions to add on more capabilities, such as additional scanner checks, tools for manipulating JWT Tokens and many more. The Logger++ extension introduces additional logging for the traffic for the app with improved search so you can drill down for specific conditions such as Internal Error 500.
There are many tools dedication to security assessments. Tenable Nessus is a vulnerability management tool that includes scanning and reporting facilities. Nikto is very good for and point and shoot kind of tool.
NMap is the scanning tool. You can use it to find services running on higher ports – you may find an exposed admin panel on port 10000 or some random port like that. ffuf, dirsearch and gobuster can be used with wordlists to enumerate for directories and other endpoints during your assessment. As you explore the topic further, you will build up your own collection of preferred tools.
Azure DDoS Protection
Azure resources come with Azure DDoS protection in a basic tier. This only performs detection & mitigation. If you want to enable advanced features such as additional reporting and rapid response support, you can pay for the Azure DDoS Protection Standard plan. Warning – it is not cheap!
You can use Breakingpoint.cloud to simulate a DDoS attack on your resources. You need to verify you own the resources by associating your subscription ID with your Breakingpoint.cloud account, and I believe the tool will only work with IPs in the Azure space.
The OWASP Web Security Testing Guide can be used to verify the security of your application. It contains a run down of the types of testing you can do, threat modelling explained and a list of common vulnerabilities and how to test for them. It is essential reading.
There is a checklist available, the OWASP-Testing-Checklist that complements the testing guide. You can use it to step through the testing of your application and check off each item as it is checked. The sections in the checklist roughly correspond to the sections in the Testing Guide. The DVWA is a good tool to use with the guide to familiarise yourself with the methodologies. JuiceShop is another similar WebApp.
Additional websites for learning from are the WebAcademy at Portswigger and PentesterLab. If videos are more your thing, then this Udemy course by Nahamsec will take you through the OWASP Top 10 Vulnerabilities and how to crack them.
The OWASP Application Security Verification Standard (ASVS) can be used by developers to create a score by checking through the items listed and ticking off which ones have been accounted for. An example under the General Data Protection section for this would be “8.1.4 Verify the application can detect and alert on abnormal numbers of requests, such as by IP, user, total per hour or day, or whatever makes sense for the application.“
Azure Security Center
You can use the recommendations in Azure Security Centre to help improve your security posture. Microsoft advise on making someone in the organisation responsible for the Secure Score. The Secure Score can be used as a metric in your reports, for example you can say that ‘last month, we increased the Secure Score by 15% by enabling MFA Authentication for administrator accounts’.
You can get a lot of quick wins by implementing the recommendations – common ones to look out for are enabling MFA on Admin accounts, enabling HTTPS traffic, enabling encryption at rest if you have any DBs and so on. This reference guide for the recommendations is really handy to refer to as you work your way through the recommendations.
The Security Centre comes with additional levels of protection and reporting. Enabling Azure Defender allows you to add regulatory standards such as NIST and Azure CIS, so you can report on how your resources meet these benchmarks. These can open up further discussions with stakeholders.
It is not difficult to improve the security posture of your application, especially with all the tools available from Microsoft and third parties to help eliminate those low hanging fruit before you employ the services of a dedicated pen-testing company.
Hopefully with the guide to setting up the DVWA WebApp behind Azure Frontdoor, you will be able to play with the settings to see how you can further harden your applications.