Az - Front Door

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

RemoteAddr Bypass

The referenced blog post explains that when you configure network restrictions with Azure Front Door, a custom rule can filter on either RemoteAddr or SocketAddr. The main difference is that RemoteAddr takes its value from the X-Forwarded-For HTTP header, which the client controls, so a restriction built on it is very easy to bypass; SocketAddr is the source IP of the actual TCP connection.

To bypass such a rule, automated tools can brute-force candidate IP addresses in the header until one is accepted.

This behaviour is mentioned in the Microsoft documentation.

Credential Skimming via WAF Custom Rules + Log Analytics

Abuse Azure Front Door (AFD) WAF Custom Rules in combination with Log Analytics to capture cleartext credentials (or other secrets) traversing the WAF. This is not a CVE; it’s misuse of legitimate features by anyone who can modify the WAF policy and read its logs.

Key behavior enabling this:

  • AFD WAF Custom Rules can match on request elements including headers and POST parameters.
  • When a Custom Rule uses the action Log traffic only, evaluation continues and traffic proceeds (no short-circuit), keeping the flow normal/stealthy.
  • AFD writes verbose diagnostics to Log Analytics under Category FrontDoorWebApplicationFirewallLog. Matched payload details are included in details_matches_s along with the rule name in ruleName_s.

End-to-end workflow

  1. Identify target POST parameters

    • Inspect the login form and note parameter names (e.g., username, password).
  2. Enable diagnostics to Log Analytics

    • In your Front Door profile > Monitoring > Diagnostic settings, send logs to a Log Analytics workspace.
    • At minimum, enable the category: FrontDoorWebApplicationFirewallLog.
  3. Create a malicious Custom Rule

    • Front Door WAF Policy > Custom rules > New rule:
      • Name: innocuous name, e.g., PasswordCapture
      • Priority: low number (e.g., 5) so it evaluates early
      • Match: POST arguments username and password with Operator = Any (match any value)
      • Action: Log traffic only
  4. Generate events

    curl -i -X POST https://example.com/login \
      -H "Content-Type: application/x-www-form-urlencoded" \
      --data "username=alice&password=S3cret!"

  5. Extract credentials from Log Analytics (KQL)

    AzureDiagnostics
    | where Category == "FrontDoorWebApplicationFirewallLog"
    | where ruleName_s == "PasswordCapture"
    | project TimeGenerated, ruleName_s, details_matches_s
    | order by TimeGenerated desc

Useful parsing (optional):

AzureDiagnostics
| where Category == "FrontDoorWebApplicationFirewallLog" and ruleName_s == "PasswordCapture"
// details_matches_s already holds the JSON array of matches, so expand it directly
| mv-expand match = parse_json(details_matches_s)
| project TimeGenerated, ruleName_s,
          variable = tostring(match.matchVariableName),
          value = tostring(match.matchVariableValue)
| order by TimeGenerated desc

The matched values appear in details_matches_s and include the cleartext values that matched your rule.

Why Front Door WAF and not Application Gateway WAF?

  • Application Gateway WAF custom-rule logs don’t include the offending POST/header values the same way; AFD WAF diagnostics include matched content in details, enabling credential capture.

Stealth and variants

  • Set Action to Log traffic only to avoid breaking requests and to keep other rules evaluating normally.
  • Use a low numeric Priority so your logging rule evaluates before any later Block/Allow rules.
  • You can target any sensitive names/locations, not only POST params (e.g., headers like Authorization or API tokens in body fields).

Prerequisites

  • An existing Azure Front Door instance.
  • Permissions to edit the AFD WAF policy and read the associated Log Analytics workspace.
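As an added example (not code from the page or from Microsoft), a small audit over an exported Front Door WAF policy that flags the two issues discussed above: log-only custom rules matching request content (whose matched values end up in details_matches_s), and IP restrictions built on RemoteAddr instead of SocketAddr. The JSON shape follows the customRules section of the ARM/CLI policy export; the sample policy and the list of sensitive selector names are constructed for the example.

```python
import json

# Assumed (not from the page): parameter and header names whose values are secrets.
SENSITIVE_SELECTORS = {"username", "password", "passwd", "pwd", "authorization",
                       "cookie", "token", "x-api-key"}
# Match variables whose matched value is written to details_matches_s.
CONTENT_VARIABLES = {"PostArgs", "RequestHeader", "RequestBody", "Cookies", "QueryString"}


def audit_custom_rules(policy: dict) -> list:
    """Flag custom rules that (a) use action Log on request content, so the matched
    value lands in FrontDoorWebApplicationFirewallLog, or (b) gate on RemoteAddr,
    which comes from X-Forwarded-For and is therefore client-controlled."""
    findings = []
    for rule in policy.get("customRules", {}).get("rules", []):
        if rule.get("enabledState", "Enabled") != "Enabled":
            continue  # disabled rules never evaluate
        for cond in rule.get("matchConditions", []):
            var = cond.get("matchVariable")
            selector = cond.get("selector") or ""
            if rule.get("action") == "Log" and var in CONTENT_VARIABLES:
                findings.append({
                    "rule": rule["name"], "priority": rule.get("priority"),
                    "issue": "log-only rule records request content in details_matches_s",
                    "where": f"{var}:{selector}" if selector else var,
                    "sensitive": selector.lower() in SENSITIVE_SELECTORS})
            if var == "RemoteAddr":
                findings.append({
                    "rule": rule["name"], "priority": rule.get("priority"),
                    "issue": "RemoteAddr is taken from X-Forwarded-For; use SocketAddr",
                    "where": var, "sensitive": False})
    return findings


# Constructed sample shaped like an exported AFD WAF policy (customRules section only).
SAMPLE_POLICY = json.loads("""{"customRules": {"rules": [
  {"name": "PasswordCapture", "priority": 5, "enabledState": "Enabled", "action": "Log",
   "matchConditions": [
     {"matchVariable": "PostArgs", "selector": "username", "operator": "Any", "matchValue": []},
     {"matchVariable": "PostArgs", "selector": "password", "operator": "Any", "matchValue": []}]},
  {"name": "OfficeOnly", "priority": 10, "enabledState": "Enabled", "action": "Block",
   "matchConditions": [{"matchVariable": "RemoteAddr", "operator": "IPMatch",
                        "negateCondition": true, "matchValue": ["203.0.113.0/24"]}]},
  {"name": "BlockBadBot", "priority": 20, "enabledState": "Enabled", "action": "Block",
   "matchConditions": [{"matchVariable": "RequestHeader", "selector": "User-Agent",
                        "operator": "Contains", "matchValue": ["badbot"]}]}
]}}""")

if __name__ == "__main__":
    for finding in audit_custom_rules(SAMPLE_POLICY):
        print(finding)
```

Run it against the output of the policy export in your own pipeline; a finding with "sensitive": true on a Log rule is the pattern described in this section.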
