Neelam Pawar
Google Cloud - Community
5 min read · Jun 6, 2022


Tutorial 2: Set Up a Web Application Security Protection and Detection Lab in Google Cloud - Reconnaissance Playbook

This lab spans four blog posts; the links are listed below for reference.

Part-1: WAF tuning

Part-2: Reconnaissance Playbook(This Blog)

Part-3: Vulnerability Exploitation

Part-4: Data Disclosure and Exfiltration

The second tutorial in this four-part series on the Google Cloud WAF protection and detection lab is the reconnaissance playbook. The purpose of the Google Cloud security protection lab is to demonstrate Cloud Armor WAF's capabilities in identifying and protecting against suspicious activities and potential attacks against your web applications. This playbook explains how to test Google Cloud Armor WAF's protections against a reconnaissance attack.

In this tutorial you will:

  1. Run a web application vulnerability scan against the target OWASP Juice Shop web application directly, and then scan the same instance of the web application protected by Cloud Armor
  2. Review the differences in the results of the two web application vulnerability scans
  3. Review the summarized logs for Cloud Armor and load balancer logging

Reconnaissance Attack

Before an attacker can exploit a vulnerability, they will typically spend time researching their target web application, which involves collecting application-specific data and analyzing it for potential vulnerabilities. One method of collecting sensitive security data to identify potential vulnerabilities in a web application is to use a web application security vulnerability scanner. These scanners can analyze an application's response headers to identify potential vulnerabilities. Data collected with web application vulnerability scanners can reveal potential vulnerabilities that an attacker could then test, develop, and leverage for exploitation or exfiltration. Such reconnaissance activities also allow attackers to gain a thorough understanding and complete mapping of your application for later use.

Performing Reconnaissance with Web Application Vulnerability Scanner

One of the first things an attacker will attempt is to gain an extensive understanding of the application components, the framework, and the potential vulnerabilities in a target web application. The quickest and most common method of doing this is to use a commercial or open source web application vulnerability scanner (also called a security scanner) to run unauthenticated/unauthorized scans against a target. In this tutorial, you will run two web application vulnerability scans against the target web application:

  1. The first scan will point to the target web application directly
  2. The second scan will point to the same target web application protected by Cloud Armor on the HTTP load balancer

Running Web Application Vulnerability Scan against the Target Application

To run the web application vulnerability scans, we will connect to the Kali VM. Once connected, we will use Nikto, a versatile, command-line, open source web application vulnerability scanning tool that is bundled with the Kali Linux distribution. When pointed at the target web application, Nikto scans the application for common vulnerabilities and displays the scan output in the terminal window for quick review.

  1. Sign in to the Kali Linux VM using your credentials
  2. Launch the web browser and ensure that you are able to access the OWASP Juice Shop website directly with the URL http://<<App engine Public Ip>>:3000 and also through the WAF with the URL https://<<Public IP of global loadbalancer>>.nip.io
  3. Launch two instances of the Nikto Web Vulnerability Scanner. Click Applications at the top left, then click Web Application Analysis → Web Vulnerability Scanners → Nikto

  4. To initiate the scans, run the following commands, one in each of the open Nikto windows:

  1. nikto -h http://<<App engine Public IP>>:3000
  2. nikto -h https://<<Public IP of global loadbalancer>>.nip.io

Reviewing Web Application Vulnerability Scan Results

After the scans finish running, we can quickly review the results by looking at the highlighted lines in the figures below.

  1. When going to the Juice Shop website directly, we see that the scanner sent 7k+ requests (1) to the web server and as a result found 2 errors and 150+ items/issues, which could then be used to develop further attack and exploitation scenarios

Figure 1 (Scan Start)

Figure 2 (Scan End)

  2. While scanning the Juice Shop website protected by Cloud Armor, we see that the scanner made >3x the number of requests (1) compared to scanning the website directly in Step 1, and still it did not find any errors to report. Similarly, this scan is only able to report <1% of the number of items/issues for further investigation compared to scanning the website directly

(1) Request count for https://<<Public IP of global loadbalancer>>.nip.io taken from the baseline of scans for comparison

Understanding What Happened

Upon reviewing the Nikto scan outputs, we see the pattern shown in the table below. This clearly indicates that when going through Cloud Armor, the scanner is not as effective in assessing the web application and identifying

Reviewing WAF logs

  1. Go to the Cloud Armor security policy and select Logging. This opens Logs Explorer with the query already written; run the query. You can change the time window as required. By default, 6 weeks of logging data are retained.
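As an added defender-side example (not code from the original post or from Google's tooling), the following Python summarizes Cloud Armor decisions from constructed HTTP(S) load balancer log entries in the shape Logs Explorer returns, then flags sources whose requests are mostly denied as reconnaissance candidates for review. The field names (httpRequest.remoteIp, jsonPayload.enforcedSecurityPolicy.outcome, preconfiguredExprIds), the rule id and the user agents are assumed/constructed for the sample.

```python
import json
from collections import Counter, defaultdict

SCANNER_RULE = "owasp-crs-v030001-id913100-scannerdetection"  # constructed rule id
NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/100.0"


def _entry(ip, ua, url, status, outcome, rule_ids):
    """Build one constructed log line shaped like an HTTP(S) LB entry."""
    policy = {"name": "example-policy", "outcome": outcome}
    if rule_ids:
        policy["preconfiguredExprIds"] = list(rule_ids)
    return json.dumps({
        "httpRequest": {"remoteIp": ip, "userAgent": ua,
                        "requestUrl": url, "status": status},
        "jsonPayload": {"enforcedSecurityPolicy": policy},
    })


# Constructed sample: one source probing with a scanner user agent, mostly
# denied by the scanner-detection rule, plus one ordinary browser request.
SAMPLE_LOG_LINES = [
    _entry("203.0.113.7", NIKTO_UA, "https://app.example/", 403, "DENY", [SCANNER_RULE]),
    _entry("203.0.113.7", NIKTO_UA, "https://app.example/admin/", 403, "DENY", [SCANNER_RULE]),
    _entry("203.0.113.7", NIKTO_UA, "https://app.example/backup/", 403, "DENY", [SCANNER_RULE]),
    _entry("203.0.113.7", NIKTO_UA, "https://app.example/robots.txt", 200, "ACCEPT", []),
    _entry("198.51.100.20", BROWSER_UA, "https://app.example/", 200, "ACCEPT", []),
]


def summarize(lines):
    """Count decisions by outcome, by matched rule id, and per source IP."""
    by_outcome, by_rule = Counter(), Counter()
    by_ip = defaultdict(lambda: {"total": 0, "denied": 0})
    for line in lines:
        entry = json.loads(line)
        policy = entry.get("jsonPayload", {}).get("enforcedSecurityPolicy", {})
        outcome = policy.get("outcome", "ACCEPT")  # no policy field: request passed
        by_outcome[outcome] += 1
        by_rule.update(policy.get("preconfiguredExprIds", []))
        ip = entry.get("httpRequest", {}).get("remoteIp", "unknown")
        by_ip[ip]["total"] += 1
        by_ip[ip]["denied"] += outcome == "DENY"  # bool adds as 0/1
    return {"by_outcome": by_outcome, "by_rule": by_rule, "by_ip": dict(by_ip)}


def likely_scanners(summary, min_requests=3, min_deny_ratio=0.5):
    """Sources with enough requests and a high deny ratio: review candidates."""
    return sorted(ip for ip, c in summary["by_ip"].items()
                  if c["total"] >= min_requests
                  and c["denied"] / c["total"] >= min_deny_ratio)
```

Feed it exported Logs Explorer JSON lines instead of the constructed sample to compare the deny counts and matched rule ids with the Nikto result differences observed above.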

Metrics for the Cloud Armor security policy

Key Takeaway

Using security scanners to perform web application vulnerability assessment scans that expose vulnerabilities in a target web application is a common technique used by attackers. When external adversaries can perform these scans against your web applications, they are able to learn about your application design and its vulnerabilities, which could potentially lead to exploitation.

For web applications secured with it, Cloud Armor can detect and protect against reconnaissance attacks executed with security scanners at the network edge, using its out-of-the-box ruleset.

Next Step

Test Cloud Armor's capabilities against SQL injection and cross-site scripting.

Part-3: Vulnerability Exploitation
