Az - Front Door

Reading time: 4 minutes

RemoteAddr Bypass

This blog post explains how when you are configuring some network restrictions with Azure Front Door you can filter based on RemoteAddr or SocketAddr. Being the main difference that RemoteAddr actually uses the value from the X-Forwarded-For HTTP header making it very easy to bypass.

To bypass this rule automated tools can be used that brute-force IP addresses until it finds a valid one.

This is mentioned in the Microsoft documentation.

Credential Skimming via WAF Custom Rules + Log Analytics

Abuse Azure Front Door (AFD) WAF Custom Rules in combination with Log Analytics to capture cleartext credentials (or other secrets) traversing the WAF. This is not a CVE; it’s misuse of legitimate features by anyone who can modify the WAF policy and read its logs.

Key behavior enabling this:

• AFD WAF Custom Rules can match on request elements including headers and POST parameters.
• When a Custom Rule uses the action Log traffic only, evaluation continues and traffic proceeds (no short-circuit), keeping the flow normal/stealthy.
• AFD writes verbose diagnostics to Log Analytics under Category FrontDoorWebApplicationFirewallLog. Matched payload details are included in details_matches_s along with the rule name in ruleName_s.

엔드 투 엔드 워크플로우

1. Identify target POST parameters

• 로그인 폼을 확인하고 파라미터 이름(e.g., username, password)을 기록합니다.

2. Enable diagnostics to Log Analytics

• Front Door profile > Monitoring > Diagnostic settings에서 로그를 Log Analytics workspace로 전송합니다.
• 최소한 카테고리: FrontDoorWebApplicationFirewallLog를 활성화하세요.

3. Create a malicious Custom Rule

• Front Door WAF Policy > Custom rules > New rule:
• Name: 무해해 보이는 이름, 예: PasswordCapture
• Priority: 낮은 숫자(예: 5)로 설정하여 조기 평가되게 함
• Match: POST 인자 username 및 password, Operator = Any (모든 값 매칭)
• Action: Log traffic only

4. Generate events

curl -i -X POST https://example.com/login \
-H "Content-Type: application/x-www-form-urlencoded" \
--data "username=alice&password=S3cret!"

5. Log Analytics에서 자격 증명 추출 (KQL)

AzureDiagnostics
| where Category == "FrontDoorWebApplicationFirewallLog"
| where ruleName_s == "PasswordCapture"
| project TimeGenerated, ruleName_s, details_matches_s
| order by TimeGenerated desc

해당 파일의 내용을 받지 못했습니다. src/pentesting-cloud/azure-security/az-services/az-front-door.md 파일의 마크다운(내용)을 여기에 붙여넣어 주세요. 주신 규칙(코드·태그·링크·경로는 번역 금지 등)에 맞춰 한국어로 번역해 드리겠습니다.

AzureDiagnostics
| where Category == "FrontDoorWebApplicationFirewallLog" and ruleName_s == "PasswordCapture"
| extend m = parse_json(details_matches_s)
| mv-expand match = m.matches
| project TimeGenerated, ruleName_s, match.matchVariableName, match.matchVariableValue
| order by TimeGenerated desc

일치한 값들은 details_matches_s에 나타나며 규칙과 일치한 cleartext 값을 포함합니다.

Why Front Door WAF and not Application Gateway WAF?

• Application Gateway WAF의 custom-rule logs는 동일한 방식으로 문제를 일으킨 POST/header 값을 포함하지 않습니다; 반면 AFD WAF diagnostics는 details에 매칭된 콘텐츠를 포함하여 credential capture를 가능하게 합니다.

Stealth and variants

• 요청을 중단하지 않으려면 Action을 'Log traffic only'로 설정하고 다른 룰들이 정상적으로 평가되게 유지하세요.
• 낮은 숫자의 Priority를 사용하여 logging rule이 이후의 Block/Allow 룰들보다 먼저 평가되게 하세요.
• POST params뿐만 아니라 민감한 이름/위치(예: Authorization 같은 headers나 body fields의 API tokens)를 타깃으로 삼을 수 있습니다.

Prerequisites

• 기존의 Azure Front Door 인스턴스.
• AFD WAF policy를 편집하고 연결된 Log Analytics workspace를 읽을 수 있는 권한.

References

• https://trustedsec.com/blog/azures-front-door-waf-wtf-ip-restriction-bypass
• Skimming Credentials with Azure's Front Door WAF
• Azure WAF on Front Door monitoring and logging