
WAF01 Barracuda Web Application Firewall - Foundation - Lab Guide

Barracuda Web Application Firewall
WAF01 - Barracuda Web Application Firewall Foundation
Lab Guide
Official learning material for Barracuda Campus training courses.
Table of Contents
Task 1 Attacking a Web Application ............................................ 2
Task 2 Performing the Initial and Service Configuration ....................... 7
Task 3 Clustering ............................................................ 10
Task 4 Attacking a Web App through the WAF ................................... 12
Task 5 Bot Mitigation ........................................................ 14
Task 6 Access Control ........................................................ 16
WAF01 - Barracuda Web Application Firewall - Foundation
Task 1 Attacking a Web Application
Lab Instructions
In this lab, you will learn how to use some active reconnaissance techniques and how to exploit the
found vulnerabilities.
• Perform reconnaissance on the Badstore website.
• Based on collected data, launch SQL, cookie tampering, and forceful browsing attacks.
Step-by-Step Guide
1
Connect to the Attack Client
1. Open an RDP client.
2. In the RDP settings, set the color depth to 16 bit.
3. Navigate to the Attack Client.
4. Log in:
• Username: student
• Password: CudaL3arner!
5. If the first login fails, click OK and reenter the credentials.
2
Perform reconnaissance using Nikto to find potential security vulnerabilities
Because Windows Defender removes Nikto as a hacking tool, an exclusion needs to be created for its
folder.
1. Right-click the Windows button.
2. Select Search.
3. Type virus.
4. Select Virus & threat protection.
5. Under Virus & threat protection settings, click Manage settings.
6. Scroll down to Exclusions and click Add or remove exclusions.
7. Click Add an exclusion and select Folder.
8. The file explorer opens. Select the nikto folder from quick access.
9. Click Select Folder.
10. Verify that the folder has been added to the list of exclusions.
11. Close Windows settings.
12. Open Firefox_dev (from the Desktop).
13. Navigate to: http://badstore.bigfishinc.org
14. Click Home. You will see that the website uses CGI (Common Gateway Interface).
Barracuda Campus | 2
15. Open Nikto from the desktop. At the command prompt, enter:
nikto.pl -h http://badstore.bigfishinc.org
The output displays the HTTP methods that are allowed, the version information about the
software packages the server is running, and other vulnerabilities.
If you can’t run Nikto, please follow these steps:
1. Open the File Explorer and navigate to the Downloads folder.
2. Open the nikto-master archive and go into the program folder.
3. Copy the nikto.pl file.
4. In the File Explorer, navigate to C:\users\student\nikto and paste the nikto.pl file into this
folder.
5. Leave the Terminal Emulator open.
6. In Firefox_dev, navigate to the following paths:
• http://badstore.bigfishinc.org/backup
• http://badstore.bigfishinc.org/cgi-bin/test.cgi
Administrators can use the /backup/ path to perform backups. This indicates that there may be
an administrator role for this website. The output displays that the website uses cookies and
probably uses Base64 encoding in other portions of the website.
3
Log in as a user by using an SQL injection attack
1. Click Login/Register.
2. Log in using 1'OR 1=1-- (make sure you end your statement with a space!) as the email address,
leaving the password blank. You are logged in as Test User. Test User must be the first record in
the user database.
3. Click View Previous Orders to view the user’s order history.
4. Because this page displays a variable number of records, try populating it with data from a
different database or table using the UNION command. This lets you retrieve data from a different
table in the MySQL database. If itemdb is the naming convention for items, there may be a
userdb.
5. Log into the Badstore website using 1'union select * from userdb-- (make sure you end your
statement with a space!).
6. Click View Previous Orders. Instead of a list of items, a list of users is displayed. The final column
may indicate a user type.
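The login bypass in step 2 and the UNION query in steps 4 and 5, as an added Python example that is not code from the lab or from Badstore: a constructed SQLite stand-in for userdb and an orders table is queried once by string concatenation (the defect Badstore has) and once with bound parameters (the fix). Table and column names are assumptions of the example; the lab's select * form only works when the column count matches, so the UNION payload here names its columns explicitly.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Badstore's tables (example schema only)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE userdb (email TEXT, passwd TEXT, fullname TEXT, role TEXT);
        INSERT INTO userdb VALUES ('test@example.com',  'pw1', 'Test User',  'U');
        INSERT INTO userdb VALUES ('admin@example.com', 'pw2', 'Site Admin', 'A');
        CREATE TABLE orders (email TEXT, item TEXT, price TEXT);
        INSERT INTO orders VALUES ('test@example.com', 'Snake Oil', '5024.00');
    """)
    return con


def login_vulnerable(con, email, passwd):
    # String concatenation: the email value becomes SQL syntax, so the quote
    # and the -- comment in the payload rewrite the WHERE clause.
    sql = (f"SELECT fullname FROM userdb "
           f"WHERE email='{email}' AND passwd='{passwd}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(con, email, passwd):
    # Bound parameters: the value is passed as data and never parsed as SQL.
    row = con.execute(
        "SELECT fullname FROM userdb WHERE email=? AND passwd=?",
        (email, passwd)).fetchone()
    return row[0] if row else None


def orders_vulnerable(con, email):
    sql = f"SELECT item, price FROM orders WHERE email='{email}'"
    return con.execute(sql).fetchall()


def orders_fixed(con, email):
    return con.execute(
        "SELECT item, price FROM orders WHERE email=?", (email,)).fetchall()


# Payloads as typed in the lab; the trailing space after -- is kept on purpose.
BYPASS = "1'OR 1=1-- "
# Explicit column list so the UNION lines up with the two-column orders query.
UNION = "1' UNION SELECT email, role FROM userdb-- "


def demo() -> dict:
    con = build_db()
    return {
        "vuln_login": login_vulnerable(con, BYPASS, ""),   # first user: Test User
        "fixed_login": login_fixed(con, BYPASS, ""),       # None: no such email
        "vuln_orders": orders_vulnerable(con, UNION),      # user rows leak instead of items
        "fixed_orders": orders_fixed(con, UNION),          # empty list
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```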
4
Get ready to place an order
1. Click Login/Register.
2. Register for a new account using the following details:
• Full Name: hacker
• Email Address: hacker@cudau.org
• Password: hacker
• Password Hint: green
The home page opens, and “Welcome hacker” is displayed on the top of the page.
3. Click What’s New.
4. Select the first three items listed, and click Add items to Cart.
5. The home page opens. At the top of the page, “Cart contains 3 items at $5024.00” is displayed.
6. Click View Cart.
7. Click Place Order to proceed to the checkout.
8. WITHOUT yet clicking Place Order, enter credit card number 6011 0000 0000 0004, expiration date
05/20.
5
Perform a cookie tampering attack
1. In Firefox_dev, click on the ProxySwitcher extension and select ZAP.
2. Open ZAP (from the desktop).
3. Wait until ZAP starts, then click Start without changing the default setting when asked if the
session should be persistent, and click No for the automatic updates.
4. Click + (the plus button) and add the Break tab to the right panel.
5. Click on the green circle to set the break on all requests. The green circle will turn red.
6. On the Badstore web page, click Place Order.
7. The prompt “Thank you for using Discover” appears.
8. Click OK. ZAP traps the request.
9. Cancel the option to have ZAP always on top.
10. Right-click on the trapped request (Break tab, upper window) and click Find...
11. Find the number 5024 and change it to the number 1. Note that the number is included in the
cleartext cookie.
Don’t use the num-pad keys because they might cause strange behavior.
12. In the OWASP ZAP, click the blue Play button to submit the edited request.
13. If another request is trapped, click the blue Play button again.
14. Click View Previous Orders. Notice that the credit card number is displayed.
15. The purchase completes, with a charge of $1 instead of $5024.
16. In Firefox_dev, switch back to no Proxy.
6
Perform a forceful browsing attack
1. Tamper with the CGI parameter in the address bar:
• Try action=manage
• Try action=setup
• Try action=admin
2. The forceful browsing attack succeeds, and the Secret Administration Portal is displayed.
3. Try to view the sales report. You are rejected.
4. Click the Back button.
7
Capture and de-encode a cookie to change the user role
1. In Firefox_dev, click on the ProxySwitcher extension and select ZAP.
2. In ZAP, click the green circle in the menu bar. The circle turns red, indicating that all requests will
be trapped in ZAP.
3. In the Badstore website, click the Do it button to view the sales report. The request is trapped in
ZAP.
4. In OWASP ZAP, copy the contents of the cookie (everything after Cookie: SSOid=).
5. In OWASP ZAP, open Tools > Encode/Decode/Hash.
6. Paste the cookie contents into the upper box, and click the Decode tab. OWASP ZAP converts any
hexadecimal characters. The converted text appears in the URL Decode box.
7. Select all of the contents of the URL Decode box, and copy them to your clipboard with Ctrl+C.
8. Delete ALL the contents of the upper box.
9. Paste the contents of your clipboard into the upper box. Then, remove the line break. The whole
URL decode needs to be in one line!
10. The text decodes and appears in the Base 64 Decode box. You can see that the cookie contains
the parameter U, which indicates you are a regular user.
11. Copy the contents of the Base 64 Decode box to your clipboard with Ctrl+C.
12. Delete the contents of the upper-most box.
13. Paste the contents of your clipboard into the upper box.
14. Change the U at the end of the decoded string to an A.
8
Re-encode the cookie
1. Click the Encode tab. The Base 64-encoded version of the cookie appears in the Base 64 Encode
box.
2. Copy the contents of the Base 64 Encode box (should end with QQ==) into your clipboard with
Ctrl+C.
3. Delete the contents of the upper box.
4. Paste the contents of your clipboard into the upper box and remove the line break.
5. The URL-encoded version appears in the URL Encode box.
6. Make sure that the last character in the cookie is a %0A by entering a single carriage return by
pressing the Enter key at the end of the text in the upper box.
7. Copy the contents of the URL Encode box into your clipboard using Ctrl+C.
8. Replace the captured cookie in ZAP with the cookie from your clipboard.
9. Click the blue Play button to submit the request to the Badstore website.
10. You may have to submit several packets. The request should succeed, and all of the customer
records for the site are displayed.
11. Click the ProxySwitcher extension, and select No Proxy.
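The SSOid handling in steps 5, 7 and 8 (cart total and role carried in a URL-encoded, Base64-encoded, unsigned cookie), as an added Python example that is not code from the lab or from Badstore: it unwraps the two encoding layers, shows that an edited cookie decodes cleanly for a server that does not sign its cookies, and contrasts that with an HMAC-signed cookie the server rejects after the same edit. The field layout and the server key are constructed assumptions.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Server-side key for the hardened variant (constructed for this example; not from the lab).
SERVER_KEY = b"example-server-key-not-from-the-lab"


def to_base64(plaintext: str) -> str:
    return base64.b64encode(plaintext.encode()).decode()


def decode_ssoid(cookie_value: str) -> str:
    """Unwrap the lab's layering: URL-encoding, then the trailing %0A, then Base64."""
    b64 = urllib.parse.unquote(cookie_value).rstrip("\n")
    return base64.b64decode(b64).decode()


def encode_ssoid(plaintext: str) -> str:
    """Re-wrap in the same layering, ending with the %0A the lab insists on."""
    return urllib.parse.quote(to_base64(plaintext), safe="") + "%0A"


def sign_ssoid(plaintext: str) -> str:
    """Hardened form: the server appends an HMAC over the fields before encoding."""
    tag = hmac.new(SERVER_KEY, plaintext.encode(), hashlib.sha256).hexdigest()
    return encode_ssoid(f"{plaintext}|{tag}")


def verify_ssoid(cookie_value: str):
    """Return the fields if the HMAC still matches, otherwise None (edited or forged)."""
    body, sep, tag = decode_ssoid(cookie_value).rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    # Constructed field layout (email:cart_total:item_count:role); Badstore's real layout differs.
    original = "hacker@cudau.org:5024.00:3:U"

    # Unsigned cookie, edited as in the lab (total 5024 -> 1, role U -> A) and re-encoded.
    unsigned = encode_ssoid(original)
    edited = decode_ssoid(unsigned).replace("5024.00", "1.00").replace(":U", ":A")
    tampered_unsigned = encode_ssoid(edited)

    # Signed cookie with the same edit applied to the fields; the tag is left as it was.
    signed = sign_ssoid(original)
    tampered_signed = encode_ssoid(decode_ssoid(signed).replace(":U|", ":A|"))

    return {
        # A server that only decodes cannot tell; it trusts whatever the fields now say.
        "unsigned_server_accepts": decode_ssoid(tampered_unsigned),
        # A server that verifies still accepts its own untouched cookie ...
        "signed_server_accepts": verify_ssoid(signed),
        # ... and rejects the edited one.
        "signed_server_rejects": verify_ssoid(tampered_signed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With this layout the re-encoded role-A text ends in a lone "A" byte, so its Base64 ends in QQ== exactly as step 2 of "Re-encode the cookie" expects.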
Task 2 Performing the Initial and Service Configuration
Lab Instructions
This lab will guide you through some necessary changes in the initial setup of your Barracuda Web
Application Firewall and the creation of an HTTP and HTTPS service.
Step-by-Step Guide
1
Connect to the Admin Client
1. Open an RDP client and navigate to Admin Client.
2. Log in:
• Username: student
• Password: CudaL3arner!
3. If the first login fails, click OK and reenter the credentials.
2
Perform the initial configuration
1. From the Admin Client, open Firefox, and navigate to: http://wafa.cudau.org:8000
2. Log in with the WAF credentials:
• Username: admin
• Password: CudaL3arner!
3. Go to BASIC > IP Configuration and configure:
• Default Host Name: WAFa
• Default Domain: cudau.org
4. Go to BASIC > Administration and change the following configuration settings:
• Session Expiration Length: 120 minutes
• System Alerts Email Address: postmaster@cudau.org
• System Contact Email Address: postmaster@cudau.org
5. Click Save.
6. Continue by changing the admin password:
• Old Password: CudaL3arner!
• New Password: campuspass
• Retype the password.
7. Click Save Password.
8. Go to ADVANCED > Secure Administration and check the configuration:
• Web Interface HTTPS/SSL Port: 8443
9. Click Save.
10. From another tab, navigate to https://wafa.cudau.org:8443 and continue through the certificate
security check.
11. Log in with the new WAF credentials.
12. Go to ADVANCED > Secure Administration page and configure:
• HTTPS/SSL Access Only: Yes
13. Click Save.
3
Create a service
1. Navigate to BASIC > Services.
2. Create a new service with the following settings:
• Service Name: Badstore
• Type: HTTP
• Virtual IP Address: <VIP1>
• Port: 80
• Real Servers: <Badstore IP>
• Create Group: No
• Service Groups: default
3. Click Add.
By default, a new service is set to Passive mode when it is created. In Passive mode, traffic is
not blocked. Instead, attacks and malicious requests will be logged.
4
Create and load an SSL certificate
1. In the WAF web interface, go to BASIC > Certificates.
2. In the Certificate Generation section, click Create Certificate.
3. In the Certificate Generation window, specify the required information for your certificate:
• Certificate Name (Do not use spaces)
• Common Name
• Country Code
• State or Province
• Locality (City)
• Organization (Company) Name
4. Click Generate Certificate. The certificate is now accessible on the BASIC > Certificates page. You
can also select it from the service creation workflow.
5
Create an HTTPS service
1. Navigate to BASIC > Services.
2. Create a new service with the following settings:
• Service Name: Badstore_ssl
• Virtual IP Address: <VIP1>
• Type: HTTPS
• Port: 443
• Real Servers: <Badstore IP>
• Certificate: Select the certificate that you just created.
• Click Add.
When the service is added, the front end listens on port 443, but the real server entry is
created with port 80 by default. Because the backend actually runs on port 443 with SSL, you
must change the backend settings.
3. Click Edit next to the real server and make the following changes:
• Port: 443
• Server uses SSL: Yes
• Validate Server Certificate: No
The WAF will not be able to validate the certificate because the backend server uses a self-signed
certificate.
4. In Firefox, navigate to: https://www.cudau.org
A warning that the certificate is untrusted appears. You can view the certificate and see that it is
the self-generated certificate you just created.
5. Click through the warning, and the Badstore website opens.
6. Return to the WAF interface and check Basic > Access Logs to make sure that the request is
processed by the right service (badstore_ssl).
Task 3 Clustering
Lab Instructions
This lab will guide you through the process of clustering two Web Application Firewalls.
Step-by-Step Guide
1
Configure a Cluster Shared Secret in WAFa
1. From the Management Client, open Firefox, navigate to http://wafa.cudau.org:8443 and log into
the WAF management interface.
2. Navigate to ADVANCED > High Availability and configure:
• Cluster Shared Secret: campussecret
3. Click Save.
2
Perform the initial configuration
1. From the Management Client, open a Firefox tab, and navigate to: http://wafb.cudau.org:8000
2. Log in with the default WAF credentials.
3. Go to BASIC > IP Configuration and configure:
• Default Host Name: WAFb
• Default Domain: cudau.org
4. Click Save.
If the interface does not automatically reset in 2 minutes, navigate to
http://wafb.cudau.org:8000 and log in again.
5. Go to BASIC > Administration and change the following configuration settings:
• Session Expiration Length: 120 minutes
• System Alerts Email Address: postmaster@cudau.org
• System Contact Email Address: postmaster@cudau.org
6. Click Save.
7. Continue by changing the admin password:
• Old Password: CudaL3arner!
• New Password: campuspass
• Retype the password.
8. Click Save Password.
9. Go to ADVANCED > Secure Administration and configure:
• Web Interface HTTPS/SSL Port: 8443
10. Click Save.
11. From another tab, log into https://wafb.cudau.org:8443 and continue through the certificate
security check.
12. Log in with the new credentials.
13. In the wafb tab, go to the ADVANCED > Secure Administration page and configure:
• HTTPS/SSL Access Only: Yes
3
Configure a Cluster Shared Secret in WAFb and start the clustering procedure
1. Open Firefox, navigate to http://wafb.cudau.org:8443 and log into the WAF management
interface.
2. Navigate to ADVANCED > High Availability and configure:
• Cluster Shared Secret: campussecret
3. Click Save.
4. Log in again to the WAF management interface.
5. Navigate to ADVANCED > High Availability.
6. Enter the Peer IP Address <wafa wan IP>
7. Click Join Cluster.
8. Wait until the clustering procedure finishes.
9. Verify that the configuration has been synced successfully by checking the BASIC > Services page.
10. Verify that Badstore is still reachable from the client.
11. Close the wafb tab.
Task 4 Attacking a Web App through the WAF
Lab Instructions
In this lab, you will learn how to create, activate, and test a Barracuda Web Application Firewall service.
• Launch an attack against the passive service.
• Activate the service and then relaunch the attack tasks.
Step-by-Step Guide
1
Activate the service
1. In the Barracuda Web Application Firewall web interface, go to BASIC > Services.
2. Edit the Badstore service.
3. Change the Mode of the service to Active.
4. Click Save.
2
Turn on Data Theft Protection
1. In the Barracuda Web Application Firewall interface, go to Bot Mitigation > Bot Mitigation.
2. Click Edit next to the default-url-policy for the Badstore service in the Bot Mitigation Policy section.
3. Click Yes next to Enable Data Theft Protection.
4. Click Save.
3
Connect to the Attack Client
1. Open an RDP client and navigate to the Attack Client.
2. Log in:
• Username: student
• Password: CudaL3arner!
3. If the first login fails, click OK and reenter the credentials.
4
Launch an SQL attack against the active service and check the Firewall logs
1. In Firefox_dev navigate to: http://www.bigfishinc.org
2. Click What’s New.
3. In the Quick Item search field, enter 1'OR 1=1-- (make sure you end your statement with a space!).
The query will fail, and the error message is cryptic and uninformative.
4. On the Admin Client, in the WAF web interface, go to the BASIC > Web Firewall Logs page.
5. The attack is listed with an action of DENIED.
5
Perform reconnaissance using Nikto against the service
1. Go to the Virus & threat protection settings.
2. Click Manage settings. Scroll down to Exclusions and click Add or remove exclusions.
3. Verify that the nikto folder is still listed as an exclusion. If not, add the nikto folder.
4. Open Nikto from the desktop.
5. At the command prompt, enter: nikto.pl -h http://www.bigfishinc.org
Note that Nikto now displays very little information about the Badstore site, compared to
the Nikto scan launched directly against the Badstore website earlier. You can easily
compare the two attempts by placing the two terminal instances next to each other.
6. In the WAF web interface, go to the BASIC > Web Firewall Logs page. Note the large number of
attacks launched by the Nikto scan - and blocked by the Barracuda Web Application Firewall.
6
Attempt a cookie tampering attack
1. Following the instructions from Lab 1.2.2 (“Get ready to place an order” and “Perform a cookie
tampering attack”), attempt to perform a cookie tampering attack by changing the value of the
cost of the shopping cart in the cookie. Notice that the Barracuda Web Application Firewall
prevents this attack.
2. In the WAF web interface, go to the BASIC > Web Firewall Logs page. Notice that the attack has
been logged as a Cookie Tampering attack.
3. On the Badstore site, click View Previous Orders. Notice that any credit card numbers are now
cloaked.
4. On the Management Client, in the WAF web interface, go to the BASIC > Web Firewall Logs page.
Notice that an Identity Theft Pattern Matched has been logged and cloaked.
5. If you still have the ProxySwitcher set to ZAP, change it to No Proxy.
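The cloaking in steps 3 and 4 (credit card numbers masked in the response, an Identity Theft Pattern Matched entry written to the log), as an added Python example that is not the WAF's own implementation: a response filter that finds candidate card numbers, keeps only those that pass the Luhn check so that order numbers are left alone, masks all but the last four digits, and returns the matches for logging. The sample page text is constructed.

```python
import re

# Candidate primary account numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for real card numbers, false for most look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def cloak_response(body: str, keep: int = 4):
    """Mask Luhn-valid card numbers in an outgoing response body.

    Returns (cloaked_body, matched_numbers); the second value is what a WAF
    would record as the identity-theft pattern match in its log.
    """
    matched = []

    def replace(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw           # e.g. an order number: leave it untouched
        matched.append(digits)
        return "X" * (len(digits) - keep) + digits[-keep:]

    return CARD_RE.sub(replace, body), matched


# Constructed sample of the "View Previous Orders" page content (not Badstore's real markup).
SAMPLE_BODY = (
    "Order 1234567890123456 placed by hacker@cudau.org\n"
    "Paid with card 6011 0000 0000 0004 exp 05/20 total $1.00\n"
)


if __name__ == "__main__":
    cloaked, hits = cloak_response(SAMPLE_BODY)
    print(cloaked)
    print("patterns matched:", hits)
```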
7
Launch an SQL attack against the passive service and check the Web Firewall logs.
1. In Firefox_dev navigate to: https://www.bigfishinc.org
2. Click What’s New.
3. In the Quick Item search field, enter 1'OR 1=1-- (make sure you end your statement with a space!).
4. The query will be successful. Even encrypted services are vulnerable to web application attacks!
5. In the WAF web interface, go to BASIC > Services.
6. Edit the Badstore_ssl service and change the Mode from Passive to Active.
7. Click Save.
8. In the Badstore website, on the What’s New page, in the Quick Item Search field, enter 1'OR 1=1--
(make sure you end your statement with a space!).
9. The attack is blocked and an uninformative error message is displayed because the service is now
active.
Task 5 Bot Mitigation
Lab Instructions
In this lab, you will learn how to create a new Web Scraping Policy and Bot Mitigation Policy. You will
then enable Credential Stuffing protection for the login page of the Badstore.
Step-by-Step Guide
1
Create a Web Scraping Policy
1. From the Management Client, open Firefox, navigate to http://wafa.cudau.org:8443 and log into
the WAF management interface.
2. Navigate to Bot Mitigation > Bot Mitigation.
3. At Web Scraping Policies, click Add Policy.
4. In the pop-up window, specify the following settings:
• Web Scraping Policy Name: Badstore
• Insert Hidden Links in the Response: Yes
• Insert JavaScript in Response: Yes
• Detect Mouse Event: Yes
• Blacklisted Categories: select all fields
5. Click Save.
2
Assign the Web Scraping Policy
1. Next to the default URL policy, open the drop-down menu and select Edit.
2. Scroll to Bot Detection and select the badstore policy from the drop-down menu.
3. Click Save.
3
Create a Bot Mitigation Policy and activate Credential Stuffing
1. At Bot Mitigation policy next to the service, click Add.
2. In the pop-up window configure the following settings:
• URL Policy Name: login
• Status: On
• Mode: Active
• Host Match: *
• URL Match: /cgi-bin/badstore.cgi
• For Extended Match, click the Edit icon to display the Extended Match widget:
○ Element Type: Parameter
○ Element Name: Select the Others check box and enter action
○ Operation: is equal to
○ Value: login
○ Click Insert. The Header Expression field displays: Parameter action eq login
○ Click Apply.
• Web Scraping Policy: badstore
• Credential Stuffing:
○ Username Parameter: email
○ Password Parameter: passwd
3. Click Save.
4
Test Credential Stuffing
1. From the Attack Client, open Firefox_dev, and navigate to: www.bigfishinc.org
2. Go to the Login / Register page.
3. Enter the stolen credentials:
• Email Address: julio.tan@gmail.com
• Password: please
4. Click Login.
5. The request will be blocked as this entry is in the database of stolen credentials.
5
Find the fields to protect against Bot Spam on the Badstore
1. On the Attack Client, in Firefox_dev navigate to http://www.bigfishinc.org and click Sign our
Guestbook.
2. On the guestbook page, right-click the comments field and select Inspect Element.
3. Note that the name of the field is "comments".
6
Enable Comment Spam Mitigation for the guestbook
1. In the WAF web interface, go to Bot Mitigation > Bot Spam Mitigation.
2. In the Comment Spam section, click Edit next to the Badstore service.
3. In the pop-up window add:
• Parameter: comments
4. Click Add.
5. Verify that "comments" has been added to the list.
6. Click Save.
7
Test Comment Spam
1. On the Attack Client, in Firefox_dev navigate to http://www.bigfishinc.org and click Sign our
Guestbook.
2. Enter the following:
• Your name: hacker
• Email: hacker@cudau.org
• Comments: 1pamm.ru
3. Click Add Entry.
4. The request will be blocked.
5. On the Management Client, go to the Web Firewall logs.
6. See that the request was blocked because of comment spam.
Task 6 Access Control
Lab Instructions
In this lab, you will learn how to configure the Barracuda Web Application Firewall to use an external
LDAP server to authenticate users for the admin section of the Badstore website.
• Configure the Barracuda Web Application Firewall to use an external LDAP server for authentication.
Step-by-Step Guide
1
Configure an LDAP server
1. In the WAF web interface, go to ACCESS CONTROL > Authentication Services.
2. Under the LDAP tab, specify the following settings:
• Realm Name: cudau.org
• Server Name/IP: 10.1.1.10
• Server Port: 389
• Secure Connection Type: none
• Bind DN (Username): CN=admin,DC=CUDAU,DC=ORG
• Base DN: DC=CUDAU,DC=ORG
• Bind Password: secret
• Login Attribute: uid
• Group Name Attribute: gid
• Query For Group: Yes
3. Click Test LDAP. The LDAP test succeeds.
4. Click Add. The cudau.org service is added to the Existing Authentication Services table.
5. Go to ACCESS CONTROL > Authentication Policies.
6. Click Edit Authentication for the Badstore service. Specify the following settings:
• Change Status to On.
• From the Authentication Service list, select cudau.org.
• Click Save.
2
Configure authorization
1. Go to ACCESS CONTROL > Authentication Policies.
2. Click Add Authorization for the Badstore service.
3. In the Policy Name field, enter Auth0
4. For Status, select On.
5. In the URL Match field, enter /cgi-bin/badstore.cgi
6. For Extended Match, click the Edit icon to display the Extended Match widget:
• Element Type: Parameter
• Element Name: Select the Others check box and enter action
• Operation: is equal to
• Value: admin
• Click Insert. The Header Expression field displays: Parameter action eq admin
• Click Apply.
7. Click Save.
3
Authentication
1. Open an RDP client and navigate to the Attack Client.
2. In Firefox_dev, navigate to: http://www.bigfishinc.org/cgi-bin/badstore.cgi?action=admin
3. You are prompted for a username and password. Use the following credentials to log in:
• Username: tommy
• Password: CudaL3arner!
4. You will still not be able to view the Sales Report because your new user is not listed as an admin
on the Badstore site.
© Barracuda Networks Inc., Revision: 10/10/2022
The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No portion of
this document may be copied, distributed, publicized or used for other than internal documentary purposes without the
written consent of an official representative of Barracuda Networks Inc. All specifications are subject to change without
notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document. Barracuda Networks Inc.
reserves the right to change, modify, transfer, or otherwise revise this publication without notice.