Neelam Pawar
Google Cloud - Community
6 min read · Jun 6, 2022


Tutorial 4: Setup Web Application Security Protection and Detection Lab in Google Cloud — Data Disclosure and Exfiltration Playbook

This lab is covered in four blog posts; the links are below for reference.

Part-1: WAF tuning

Part-2: Reconnaissance Playbook

Part-3: Vulnerability Exploitation

Part-4: Data Disclosure and Exfiltration (This Blog)

The last tutorial in this four-part series on Cloud Armor WAF protection is the data exfiltration playbook. The purpose of the Google Cloud WAF security protection lab is to demonstrate the capabilities of Google's WAF in identifying and protecting against suspicious activity and potential attacks against your web applications. This playbook explains how to test Cloud Armor WAF's protection against a SQL Injection (SQLi) attack.

In this tutorial you will:

  1. Simulate a SQL Injection (SQLi) attack against the target OWASP Juice Shop application directly, and then run the same attack against the same instance of the web application protected by Cloud Armor.
  2. Observe the difference in the web application's behavior in the two scenarios.

Configuring Burp Suite and Firefox

Before you begin, refer to the Configuring Burp Suite and Firefox section of the previous tutorial (Vulnerability Exploitation Playbook) to set up Burp Suite and the Firefox web browser on the Kali VM.

Sensitive Data Exposure and Exfiltration

In this phase, the attacker is ready to use a vulnerability they have previously discovered, tested, and developed further to achieve their objective: accessing and exfiltrating data. In this playbook, we will perform a SQL Injection attack to disclose and then exfiltrate the list of all products in the OWASP Juice Shop application.

Performing SQL Injection against the Target Web Application

In this tutorial, you will perform a SQL Injection (SQLi) attack against the OWASP Juice Shop application twice.

  1. Scenario 1: Performing SQL injection against the target web application directly
  2. Scenario 2: Performing the same injection against the same target web application protected by Cloud Armor on the HTTPS load balancer

Scenario 1: Performing SQL Injection when going to the OWASP Juice Shop Application directly

  1. Sign in to the Kali VM using your credentials
  2. Launch Burp Suite and ensure it is configured and running as described in the Configuring Burp Suite and Firefox section of the Vulnerability Exploitation Playbook
  3. Using Firefox, browse directly to the Juice Shop site by going to

http://<<App engine Public IP>>:3000

4. In Burp Suite, check the Proxy → HTTP history tab for the request and response data for this website

5. In the search bar on the Juice Shop website, type “apple” and examine the request and response in Burp Suite

6. We see that when searching, the client makes a request to the /rest/products/search endpoint

7. The /rest/products/search endpoint of the OWASP Juice Shop application is vulnerable to SQL injection. In this tutorial, we will be exploiting the SQLi vulnerability in this endpoint

8. To exploit the SQLi vulnerability in the /rest/products/search endpoint, we will use Burp Suite’s Repeater functionality to inject a specifically crafted SQL query in the request to this endpoint

9. To do this, right click one of the GET requests to the /rest/products/search endpoint and then click Send to Repeater

Figure 1 — Request in Burp Repeater

10. When ready to perform the injection, we will copy/paste and append the following encoded SQL query to the Request URI /rest/products/search?q= (as value to the query parameter) in the Burp Repeater window

a. URL encoded SQL query

%71%77%65%72%74%27%29%29%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%69%64%2c%20%65%6d%61%69%6c%2c%20%70%61%73%73%77%6f%72%64%2c%20%27%34%27%2c%20%27%35%27%2c%20%27%36%27%2c%20%27%37%27%2c%20%27%38%27%2c%20%27%39%27%20%46%52%4f%4d%20%55%73%65%72%73%2d%2d

11. After appending the encoded query to the request URI as the value of the query parameter, click Go (or the Send button)

12. You should see a successful response from the OWASP Juice Shop application in which the details of all users are disclosed by the web application. This indicates that our SQL injection attack was successful

Figure 2 — JSON data showing all product details

  • Tip: The data in the "Description" field of the server response is each user's password hash, which can be cracked using freely available tools on the internet
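Step 7 above states that the /rest/products/search endpoint is injectable but does not show what that defect looks like in code. The following Python script is an added illustration (not Juice Shop's own code, and not part of the original post): it builds a small in-memory SQLite table of constructed sample products and runs the same search two ways, once by splicing the search term into the SQL text (the defect class described above) and once with a bound parameter (the fix an application owner would apply behind the WAF). The table layout, rows and column names are assumptions chosen for the demonstration.

```python
import sqlite3

# Constructed sample catalogue standing in for a Products table.
# The rows and column set are hypothetical, chosen only to illustrate the defect.
SAMPLE_PRODUCTS = [
    (1, "Apple Juice", "Pressed from fresh apples", None),
    (2, "Banana Juice", "Ripe bananas, nothing else", None),
    (3, "Lemon Juice", "Sour and refreshing", None),
    (4, "Melon Bike", "Discontinued promotional item", "2021-01-01"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Products (id INTEGER, name TEXT, description TEXT, deletedAt TEXT)"
    )
    conn.executemany("INSERT INTO Products VALUES (?, ?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    """Search the way an injectable endpoint does: the term is spliced into the SQL text.

    Quotes, parentheses and comment markers inside `term` are parsed as SQL, so the
    caller can change the WHERE clause (for example, escape the deletedAt filter).
    """
    sql = (
        "SELECT id, name FROM Products "
        f"WHERE ((name LIKE '%{term}%' OR description LIKE '%{term}%') "
        "AND deletedAt IS NULL) ORDER BY name"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Hardened form: the SQL text is fixed and the term travels as a bound parameter."""
    sql = (
        "SELECT id, name FROM Products "
        "WHERE ((name LIKE ? OR description LIKE ?) AND deletedAt IS NULL) "
        "ORDER BY name"
    )
    pattern = f"%{term}%"
    return conn.execute(sql, (pattern, pattern)).fetchall()


def compare(term):
    """Run both variants on the same term and report what each returned."""
    conn = make_db()
    try:
        vulnerable = search_vulnerable(conn, term)
    except sqlite3.Error as exc:
        # Legitimate input containing a quote already breaks the spliced query.
        vulnerable = f"error: {exc}"
    safe = search_safe(conn, term)
    conn.close()
    return {"vulnerable": vulnerable, "safe": safe}


if __name__ == "__main__":
    # "apple" behaves the same in both; an apostrophe breaks the spliced query;
    # a term that closes the parentheses and comments out the rest of the statement
    # makes the spliced query return every row, including the soft-deleted one.
    for term in ("apple", "O'Brien", "x')) OR 1=1--"):
        print(repr(term), compare(term))
```

The parameterised variant returns an empty result for the last two terms because no product literally contains them; the spliced variant either errors or returns the soft-deleted row that the deletedAt filter was supposed to hide. That structural difference is what the WAF rule in Scenario 2 is compensating for, but only the parameterised query removes the bug itself.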

Scenario 2: Performing SQL Injection when going to the OWASP Juice Shop Application through the load balancer protected by Cloud Armor

You will now attempt to perform SQL Injection with the same query when going to the OWASP Juice Shop site through the Cloud Armor security policy.

  1. On Kali VM, launch a new instance of Burp Suite and the Firefox browser
  2. Using Firefox, browse to https://<<Public IP of global loadbalancer>>.nip.io and check the Proxy → HTTP history tab for the request and response data for this website in Burp Suite

3. Search for “apple” in the search bar, find the request to the vulnerable /rest/products/search endpoint and send it to the Burp Repeater

Request in Burp Repeater

4. Append the encoded SQL query (from Step 10 in Scenario 1 above) as value to the query parameter in the Burp Repeater and click Go (or Send)

5. Upon examining the response, we find that the request was blocked by Cloud Armor on the HTTPS load balancer

Understanding What Happened

Upon reviewing the HTTP requests and responses for the two attempts to perform SQL Injection against the same instance of the Juice Shop application, we see the pattern shown in the table below. This clearly indicates that the potentially malicious payload, which could otherwise reach the application, is not allowed through by the Cloud Armor security policy.

Reviewing WAF logs in the logs and metrics

Go to the Cloud Armor security policy and select Logging. This takes you to Logs Explorer with the query already written; run the query. You can change the time window as required. By default, 6 weeks of logging data is retained.

Open any entry and expand the nested fields. This shows the action taken and which rule in the policy denied the request.
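Expanding entries one at a time in Logs Explorer is fine for a lab, but for a real deployment you want to pull the same nested fields out of an export and summarise them. The script below is an added example (not part of the original post and not Google's code): it parses a few constructed Cloud Armor request-log entries, one JSON object per line as Logs Explorer exports them, and reports which requests were denied, by which policy rule priority and which preconfigured WAF expression. The field names (`jsonPayload.enforcedSecurityPolicy.outcome`, `configuredAction`, `priority`, `preconfiguredExprIds`, `httpRequest.*`) follow the documented Cloud Armor log layout as understood here; the IPs, hostnames, policy name, expression id and timestamps are made-up sample values, and the encoded payload in the denied request's URL is replaced by a placeholder.

```python
import json
from collections import Counter

# Logs Explorer filter that isolates Cloud Armor denials (assumed field names per
# the Cloud Armor request-log documentation).
LOGS_EXPLORER_FILTER = (
    'resource.type="http_load_balancer"\n'
    'jsonPayload.enforcedSecurityPolicy.outcome="DENY"'
)

# Constructed sample entries, one JSON object per line. All values are invented
# for this example; <encoded-payload> stands in for the real query string.
SAMPLE_LOG_LINES = [
    '{"timestamp": "2022-06-06T10:00:01Z", '
    '"httpRequest": {"requestMethod": "GET", "status": 200, "remoteIp": "198.51.100.7", '
    '"requestUrl": "https://203.0.113.10.nip.io/rest/products/search?q=apple"}, '
    '"jsonPayload": {"enforcedSecurityPolicy": {"name": "juice-shop-policy", '
    '"outcome": "ACCEPT", "configuredAction": "ACCEPT", "priority": 2147483647}}}',
    '{"timestamp": "2022-06-06T10:00:07Z", '
    '"httpRequest": {"requestMethod": "GET", "status": 403, "remoteIp": "198.51.100.7", '
    '"requestUrl": "https://203.0.113.10.nip.io/rest/products/search?q=<encoded-payload>"}, '
    '"jsonPayload": {"statusDetails": "denied_by_security_policy", '
    '"enforcedSecurityPolicy": {"name": "juice-shop-policy", "outcome": "DENY", '
    '"configuredAction": "DENY", "priority": 1000, '
    '"preconfiguredExprIds": ["owasp-crs-v030001-id942110-sqli"]}}}',
    '{"timestamp": "2022-06-06T10:01:30Z", '
    '"httpRequest": {"requestMethod": "GET", "status": 200, "remoteIp": "192.0.2.44", '
    '"requestUrl": "https://203.0.113.10.nip.io/"}, '
    '"jsonPayload": {"enforcedSecurityPolicy": {"name": "juice-shop-policy", '
    '"outcome": "ACCEPT", "configuredAction": "ACCEPT", "priority": 2147483647}}}',
]


def parse_entries(lines):
    """Parse newline-delimited JSON log entries into dicts."""
    return [json.loads(line) for line in lines]


def summarize(entry):
    """Flatten the nested request and policy-decision fields of one entry."""
    req = entry.get("httpRequest", {})
    policy = entry.get("jsonPayload", {}).get("enforcedSecurityPolicy", {})
    return {
        "time": entry.get("timestamp"),
        "remote_ip": req.get("remoteIp"),
        "method": req.get("requestMethod"),
        "url": req.get("requestUrl"),
        "status": req.get("status"),
        "policy": policy.get("name"),
        "outcome": policy.get("outcome"),
        "action": policy.get("configuredAction"),
        "priority": policy.get("priority"),
        "rule_ids": list(policy.get("preconfiguredExprIds", [])),
    }


def denied_requests(entries):
    """Entries the security policy denied, with the rule priority that fired."""
    return [s for s in map(summarize, entries) if s["outcome"] == "DENY"]


def signature_counts(entries):
    """How often each preconfigured WAF expression matched across the entries."""
    counts = Counter()
    for summary in map(summarize, entries):
        counts.update(summary["rule_ids"])
    return counts


def denials_per_ip(entries):
    """Denied requests grouped by client address, a cheap first triage view."""
    return Counter(s["remote_ip"] for s in denied_requests(entries))


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG_LINES)
    for denied in denied_requests(entries):
        print(f"{denied['time']} {denied['remote_ip']} {denied['method']} {denied['url']}")
        print(f"  policy={denied['policy']} priority={denied['priority']} "
              f"rules={denied['rule_ids']} status={denied['status']}")
    print("matches per signature:", dict(signature_counts(entries)))
    print("denials per client:", dict(denials_per_ip(entries)))
```

Reading the `priority` and `preconfiguredExprIds` together tells you whether a block came from the preconfigured SQLi ruleset or from a custom rule, which is the question to answer before tuning sensitivity as described in Part 1.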

Key Takeaway

SQL Injection (SQLi) is one of the most common types of application security vulnerability. It allows an external adversary to exploit a vulnerable application to disclose and exfiltrate sensitive information held by the application.

For web applications it fronts, Cloud Armor can protect against SQL Injection (SQLi) attacks by detecting and blocking suspicious SQL queries at the network edge using its out-of-the-box ruleset.
