Neelam Pawar
Google Cloud - Community
3 min read · Jun 6, 2022


Tutorial 1: Set up a Web Application Security Protection and Detection Lab in Google Cloud - WAF tuning

This lab spans four blog posts; the links are listed below for reference.

Part-1: WAF tuning (This blog)

Part-2: Reconnaissance Playbook

Part-3: Vulnerability Exploitation

Part-4: Data Disclosure and Exfiltration

The purpose of the web application security protection and detection lab tutorial is to demonstrate the capabilities of Cloud Armor (WAF and DDoS protection) in identifying, detecting, and protecting against suspicious activity and potential attacks on your web applications. This first tutorial in the four-part series walks you through building a lab environment for testing the protections of the Google Cloud WAF. The lab focuses on the OWASP protection ruleset and the logging capabilities of the GCP WAF.

In this tutorial you will:

  1. Deploy a demo environment in Google Cloud and fine-tune the WAF
  2. Create a dashboard and metrics for the WAF
  3. Deploy Kali Linux on a VM

Prerequisites

  1. An active GCP project in which to deploy the lab environment
  2. Monitoring enabled on the load balancer and the Cloud Armor security policy
  3. Familiarity with Kali Linux

Deployment Steps & Architecture

  1. Deploy OWASP Juice Shop in the GCP project on a managed instance group (MIG)
  2. Deploy an HTTPS global load balancer with the MIG instances as the backend
  3. Create security policies and attach them to the HTTPS load balancer
  4. Deploy Kali Linux on a VM
  5. Fine-tune the WAF security policy

Architecture

The successful attack path is the one in which malicious data is sent by the attacker directly to the OWASP Juice Shop web application, leading to successful exploitation. The attack path defended by the WAF is the one in which malicious data is inspected by the Cloud Armor WAF and blocked by its out-of-the-box ruleset before it reaches the web application.

IMPORTANT: For the scenarios demonstrated in this document, the OWASP Juice Shop application was running on HTTP port 3000.

WAF Tuning

evaluatePreconfiguredExpr('xss-stable', ['owasp-crs-v020901-id981136-xss', 'owasp-crs-v020901-id981138-xss'])

The two signature IDs listed in the expression are excluded from the default xss-stable preconfigured rule, so the rule still evaluates every other XSS signature in the ruleset.

The sensitivity (paranoia) level of each rule is described in the Core Rule Set FAQ; check which level suits you best: https://coreruleset.org/faq/#paranoialevel

Below is an example of how to configure the security policy and its rules, and attach the policy to the backend service.
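The configuration example referred to above did not survive extraction, so the following script is an added example (not the author's own code) that builds the policy with gcloud: it creates the security policy, adds the xss-stable rule with the two signature exclusions named in this post plus an sqli-stable rule, enables verbose logging, attaches the policy to the backend service, and provides a log query to confirm that denied requests are being recorded. The project, policy and backend-service names are placeholders; the rule priorities are assumed values. It defaults to dry-run mode (printing the commands) so the rule expressions can be reviewed before anything is applied; set DRY_RUN=0 to execute.

```shell
#!/bin/sh
# Added example: create a Cloud Armor policy with tuned preconfigured WAF rules.
# Placeholder names (assumptions, not from the original post):
PROJECT="${PROJECT:-my-waf-lab-project}"
POLICY="${POLICY:-juice-shop-waf-policy}"
BACKEND="${BACKEND:-juice-shop-backend}"
# Priorities are assumed values; lower numbers are evaluated first.
XSS_PRIORITY=1000
SQLI_PRIORITY=1001
# Dry-run by default: print the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

# Build a Cloud Armor rule expression such as
#   evaluatePreconfiguredExpr('xss-stable', ['id-a', 'id-b'])
# The optional IDs after the ruleset name are the signatures to exclude.
build_expr() {
  local ruleset="$1"; shift
  local list="" id
  for id in "$@"; do
    if [ -z "$list" ]; then list="'$id'"; else list="$list, '$id'"; fi
  done
  if [ -z "$list" ]; then
    printf "evaluatePreconfiguredExpr('%s')\n" "$ruleset"
  else
    printf "evaluatePreconfiguredExpr('%s', [%s])\n" "$ruleset" "$list"
  fi
}

# Run a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '[dry-run]'; printf ' %s' "$@"; printf '\n'
  else
    "$@"
  fi
}

deploy_policy() {
  # The two CRS signatures this post excludes from xss-stable.
  local xss_expr sqli_expr
  xss_expr=$(build_expr xss-stable \
    owasp-crs-v020901-id981136-xss owasp-crs-v020901-id981138-xss)
  sqli_expr=$(build_expr sqli-stable)

  run gcloud compute security-policies create "$POLICY" \
    --project "$PROJECT" --description "Juice Shop lab WAF policy"
  # --log-level VERBOSE records which preconfigured signature IDs matched.
  run gcloud compute security-policies update "$POLICY" \
    --project "$PROJECT" --log-level VERBOSE
  # --preview logs matches without blocking; remove it once the rule is tuned.
  run gcloud compute security-policies rules create "$XSS_PRIORITY" \
    --project "$PROJECT" --security-policy "$POLICY" \
    --expression "$xss_expr" --action deny-403 --preview
  run gcloud compute security-policies rules create "$SQLI_PRIORITY" \
    --project "$PROJECT" --security-policy "$POLICY" \
    --expression "$sqli_expr" --action deny-403 --preview
  run gcloud compute backend-services update "$BACKEND" \
    --project "$PROJECT" --global --security-policy "$POLICY"
}

# Read recent load-balancer log entries where this policy denied a request;
# enforcedSecurityPolicy is the field the HTTPS load balancer logs for Cloud Armor.
show_denied_requests() {
  run gcloud logging read \
    "resource.type=\"http_load_balancer\" AND jsonPayload.enforcedSecurityPolicy.name=\"$POLICY\" AND jsonPayload.enforcedSecurityPolicy.outcome=\"DENY\"" \
    --project "$PROJECT" --freshness 1h --limit 20 --format json
}

if [ "$DRY_RUN" != "1" ] && ! command -v gcloud >/dev/null 2>&1; then
  echo "gcloud not found; install the Google Cloud SDK or set DRY_RUN=1" >&2
  exit 1
fi
deploy_policy
show_denied_requests
```

Run the script once as-is to review the generated commands, then with DRY_RUN=0 to apply them. Keeping the rules in preview mode for the first test runs lets you compare the matched signature IDs in the logs against legitimate Juice Shop traffic before removing --preview and enforcing the deny action.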

Next Step

Test the Cloud Armor capabilities against SQL injection and cross-site scripting.

Part-2: Reconnaissance Playbook
