
Exercise 57: Implementing and Testing a WAF (Web Application Firewall)

Jul 5, 2025

Objective

Set up and test a Web Application Firewall (WAF) to protect a web application from common attacks such as SQL Injection (SQLi) and Cross-Site Scripting (XSS). Understand how WAFs detect and mitigate web-based threats and learn how to customize WAF rules for enhanced security.


Scenario

Web applications are constantly targeted by various attacks like SQL injection, XSS, and command injections. A WAF filters, monitors, and blocks HTTP traffic to and from a web application to mitigate these threats. In this exercise, you’ll configure a WAF using ModSecurity or Cloudflare, simulate attacks, and observe how the WAF protects the application.

⚠️ Important: This exercise must be conducted in a legal and controlled environment. Unauthorized testing of web applications is illegal and unethical.


Lab Instructions

Step 1: Install and Configure ModSecurity WAF

a. Install ModSecurity (on Apache Web Server)

sudo apt update
sudo apt install libapache2-mod-security2 -y

b. Enable ModSecurity

sudo a2enmod security2
sudo systemctl restart apache2

c. Switch ModSecurity from Detection-Only to Blocking Mode

sudo nano /etc/modsecurity/modsecurity.conf
  • Change the line SecRuleEngine DetectionOnly (the shipped default, which only logs matches) to:
SecRuleEngine On

d. Restart Apache to Apply Changes

sudo systemctl restart apache2

Step 2: Enable OWASP Core Rule Set (CRS)

a. Download and Configure OWASP CRS

sudo apt install modsecurity-crs -y
sudo cp /usr/share/modsecurity-crs/base_rules/* /usr/share/modsecurity-crs/activated_rules/

b. Activate OWASP Rules

sudo nano /etc/apache2/mods-enabled/security2.conf
  • Add:
IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf

c. Restart Apache

sudo systemctl restart apache2

Step 3: Simulate Common Web Attacks

a. Test SQL Injection (SQLi)

curl -I "http://<server-ip>/?id=1' OR '1'='1"
  • Expected Result: ModSecurity should block the request.

b. Test Cross-Site Scripting (XSS)

curl -I "http://<server-ip>/?search=<script>alert('XSS')</script>"
  • Expected Result: ModSecurity should block the request.

c. Review ModSecurity Logs

sudo cat /var/log/apache2/modsec_audit.log
  • Expected Result: Logs will show blocked malicious requests.

Step 4: Customize WAF Rules

a. Block User-Agent Headers with Specific Values

sudo nano /etc/modsecurity/custom_rules.conf
  • Add the rule:
SecRule REQUEST_HEADERS:User-Agent "BadBot" "id:1001,phase:1,deny,log,msg:'Blocked BadBot User-Agent'"

b. Include Custom Rules

sudo nano /etc/apache2/mods-enabled/security2.conf
  • Add:
Include /etc/modsecurity/custom_rules.conf

c. Restart Apache

sudo systemctl restart apache2

d. Test Custom Rule

curl -A "BadBot" http://<server-ip>
  • Expected Result: The request is blocked and logged.

Step 5: Testing WAF Effectiveness

  1. SQL Injection: Blocked.
  2. XSS: Blocked.
  3. Custom Rule (User-Agent): Blocked.

Solution & Explanation

How a WAF Works

  • Filters HTTP Requests: Inspects HTTP traffic for malicious patterns.
  • Blocks Malicious Input: Denies requests matching attack signatures.
  • Logs Suspicious Activity: Provides detailed logs for analysis.

WAF Protection Examples

  1. SQL Injection: Detects and blocks SQL payloads.
  2. Cross-Site Scripting (XSS): Prevents malicious script injections.
  3. Custom Rules: Enables tailored security controls.

Key ModSecurity Features

  • OWASP Core Rule Set: Pre-configured rules against common threats.
  • Custom Rule Creation: Flexibility to block specific behaviors.
  • Detailed Logging: Tracks attack patterns for continuous improvement.

Mitigation Techniques Without WAF

  • Input Validation: Sanitize user input.
  • Prepared Statements: Prevent SQL injections.
  • Content Security Policy (CSP): Prevent XSS.

Testing & Verification

  • Before WAF Configuration: Web application vulnerable to SQLi and XSS.
  • After WAF Configuration: Malicious requests blocked.

Verify Logs for Blocked Requests

sudo tail -f /var/log/apache2/modsec_audit.log
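The audit log reviewed in Step 3c and here is written in ModSecurity's serial format: every transaction is a run of sections delimited by --<txid>-<letter>-- lines (A: timestamp and addresses, B: request, F: response status, H: rule messages and the Action line, Z: end). The following parser is an added example, not code from the original exercise; it runs over a constructed, abbreviated excerpt that mirrors the Step 3 SQLi probe (CRS rules 942100 and 949110) and the Step 4 BadBot rule (id 1001), and pulls out what a reviewer wants from each transaction: client IP, request line, status code, matched rule ids with their msg text, and whether the request was intercepted.

```python
import re
from collections import defaultdict

# Constructed, abbreviated audit-log excerpt in ModSecurity's serial format
# (--<txid>-<section>--): the Step 3 SQLi probe and the Step 4 BadBot rule.
AUDIT_LOG = """\
--8f1c2a3b-A--
[05/Jul/2025:10:15:01 +0000] aGj1m8CoAAEAAB2XMc0AAAAA 192.0.2.10 51234 192.0.2.1 80
--8f1c2a3b-B--
HEAD /?id=1'%20OR%20'1'='1 HTTP/1.1
--8f1c2a3b-F--
HTTP/1.1 403 Forbidden
--8f1c2a3b-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&sos' [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--8f1c2a3b-Z--
--c4d5e6f7-A--
[05/Jul/2025:10:16:30 +0000] aGj1n9CoAAEAAB2XMc4AAAAA 198.51.100.7 40022 192.0.2.1 80
--c4d5e6f7-B--
GET / HTTP/1.1
--c4d5e6f7-F--
HTTP/1.1 403 Forbidden
--c4d5e6f7-H--
Message: Access denied with code 403 (phase 1). Pattern match "BadBot" at REQUEST_HEADERS:User-Agent. [id "1001"] [msg "Blocked BadBot User-Agent"]
Action: Intercepted (phase 1)
--c4d5e6f7-Z--
"""
SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")   # section boundary line
TAG_RE = re.compile(r'\[(id|msg) "([^"]*)"\]')          # [id "..."] / [msg "..."] tags

def parse_audit_log(text):
    """One dict per transaction: client IP, request line, status, (id, msg) rules, blocked."""
    txs, s, cur = [], defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            cur = m.group(2)
            if cur == "Z":  # section Z closes the transaction: summarise and reset
                msgs = [dict(TAG_RE.findall(l)) for l in s["H"] if l.startswith("Message:")]
                txs.append({
                    "client": s["A"][0].split()[3],      # token 4 of section A is the client IP
                    "request": s["B"][0],                # first line of section B is the request line
                    "status": int(s["F"][0].split()[1]), # "HTTP/1.1 403 Forbidden" -> 403
                    "rules": [(t.get("id"), t.get("msg")) for t in msgs],
                    "blocked": any(l.startswith("Action: Intercepted") for l in s["H"]),
                })
                s = defaultdict(list)
        elif cur and line:
            s[cur].append(line)
    return txs
```

Point it at the real file with parse_audit_log(open("/var/log/apache2/modsec_audit.log").read()) and filter on "blocked" to list exactly which requests the WAF stopped and which rule ids fired, which is what Step 5 asks you to verify.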

Security Best Practices

  1. Enable and Regularly Update OWASP CRS.
  2. Create Custom Rules for Specific Threats.
  3. Enable Logging and Regularly Review Logs.
  4. Combine WAF with Secure Coding Practices.
  5. Continuously Test WAF Effectiveness.

Additional Script (Optional)

Automate WAF Rule Testing:

#!/bin/bash
# WAF Rule Testing Script
# Usage: ./waf_test.sh http://<server-ip>
URL="${1:?Usage: $0 http://<server-ip>}"
# Each probe prints only the HTTP status line; a 403 means ModSecurity blocked it.
curl -sI "$URL?id=1' OR '1'='1" | head -n 1
curl -sI "$URL?search=<script>alert('XSS')</script>" | head -n 1
curl -sI -A "BadBot" "$URL" | head -n 1

Run the script:

chmod +x waf_test.sh
./waf_test.sh http://<server-ip>

Conclusion

In this exercise, you configured a Web Application Firewall (WAF) using ModSecurity, tested it against common attacks like SQL Injection and XSS, and implemented custom rules to enhance security. WAFs are essential for protecting web applications by filtering and blocking malicious traffic.
