Az - Front Door


RemoteAddr Bypass

This blog post explains that when you configure network restrictions in Azure Front Door you can filter on either RemoteAddr or SocketAddr. The key difference is that RemoteAddr takes its value from the X-Forwarded-For HTTP header, which makes a RemoteAddr-based restriction very easy to bypass.

To bypass such a rule, automated tools can be used that brute-force spoofed IP addresses until a valid one is found.

This is mentioned in the Microsoft documentation.

Credential Skimming via WAF Custom Rules + Log Analytics

Abuse Azure Front Door (AFD) WAF Custom Rules in combination with Log Analytics to capture cleartext credentials (or other secrets) traversing the WAF. This is not a CVE; it’s misuse of legitimate features by anyone who can modify the WAF policy and read its logs.

Key behavior enabling this:

  • AFD WAF Custom Rules can match on request elements including headers and POST parameters.
  • When a Custom Rule uses the action Log traffic only, evaluation continues and traffic proceeds (no short-circuit), keeping the flow normal/stealthy.
  • AFD writes verbose diagnostics to Log Analytics under Category FrontDoorWebApplicationFirewallLog. Matched payload details are included in details_matches_s along with the rule name in ruleName_s.

End-to-end flow

  1. Identify target POST parameters
  • Inspect the login form and note the parameter names (e.g., username, password).
  2. Enable diagnostics to Log Analytics
  • In your Front Door profile > Monitoring > Diagnostic settings, send logs to a Log Analytics workspace.
  • At a minimum, enable the category FrontDoorWebApplicationFirewallLog.
  3. Create a malicious Custom Rule
  • Front Door WAF Policy > Custom rules > New rule:
  • Name: an innocuous name, e.g., PasswordCapture
  • Priority: a low number (e.g., 5) so that it is evaluated early
  • Match: POST arguments username and password with Operator = Any (match any value)
  • Action: Log traffic only
  4. Generate events

```bash
# Example login request that will be matched and logged by the rule above
curl -i -X POST https://example.com/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data "username=alice&password=S3cret!"
```

  5. Extract credentials from Log Analytics (KQL)

```kusto
AzureDiagnostics
| where Category == "FrontDoorWebApplicationFirewallLog"
| where ruleName_s == "PasswordCapture"
| project TimeGenerated, ruleName_s, details_matches_s
| order by TimeGenerated desc
```

Or, parsing the matches into one row per matched variable:

```kusto
AzureDiagnostics
| where Category == "FrontDoorWebApplicationFirewallLog" and ruleName_s == "PasswordCapture"
// details_matches_s already holds the JSON array of {matchVariableName, matchVariableValue}
| extend m = parse_json(details_matches_s)
| mv-expand match = m
| project TimeGenerated, ruleName_s,
          variable = tostring(match.matchVariableName),
          value = tostring(match.matchVariableValue)
| order by TimeGenerated desc
```

The matched values appear in details_matches_s and include the cleartext values that matched your rule.

Why Front Door WAF and not Application Gateway WAF?

  • Application Gateway WAF custom-rule logs do not include the offending POST/header values in the same way; AFD WAF diagnostics include the matched content in details, which is what allows credential capture.

Stealth and variants

  • Set Action to Log traffic only to avoid interrupting requests and to keep the other rules being evaluated normally.
  • Use a low numeric Priority so that your logging rule is evaluated before any later Block/Allow rules.
  • You can target any sensitive names/locations, not just POST params (for example, headers such as Authorization or API tokens in body fields).

Prerequisites

  • An existing Azure Front Door instance.
  • Permissions to edit the AFD WAF policy and to read the associated Log Analytics workspace.
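A defensive audit that covers both weaknesses on this page (IP restrictions keyed on RemoteAddr, and Log-only custom rules that select credential fields), added here as an example and not part of the original page. It assumes an exported WAF policy in the ARM shape `properties.customRules.rules[].matchConditions[]` (field names follow the Azure schema; the sample policy itself is constructed).

```python
import json

# Selectors (POST args / headers / cookies) that should never be logged by a custom rule.
SENSITIVE_SELECTORS = {"username", "password", "passwd", "pwd", "authorization", "x-api-key", "token"}

# Constructed sample policy (hypothetical values), shaped like an exported AFD WAF policy:
# properties.customRules.rules[] with name, priority, action and matchConditions[].
SAMPLE_POLICY = json.loads("""{
  "properties": {"customRules": {"rules": [
    {"name": "AllowOffice", "priority": 1, "action": "Allow",
     "matchConditions": [{"matchVariable": "RemoteAddr", "operator": "IPMatch",
                          "matchValue": ["203.0.113.0/24"]}]},
    {"name": "PasswordCapture", "priority": 5, "action": "Log",
     "matchConditions": [{"matchVariable": "PostArgs", "selector": "password",
                          "operator": "Any", "matchValue": []}]},
    {"name": "BlockBadUA", "priority": 10, "action": "Block",
     "matchConditions": [{"matchVariable": "RequestHeader", "selector": "User-Agent",
                          "operator": "Contains", "matchValue": ["sqlmap"]}]}
  ]}}}""")


def audit_waf_policy(policy):
    """Return a list of (rule_name, finding) for the two weaknesses this page describes."""
    findings = []
    for rule in policy["properties"]["customRules"]["rules"]:
        action = rule.get("action", "")
        for cond in rule.get("matchConditions", []):
            var = cond.get("matchVariable", "")
            selector = (cond.get("selector") or "").lower()
            # Finding 1: an IP decision on RemoteAddr trusts X-Forwarded-For and can be spoofed.
            if var == "RemoteAddr" and cond.get("operator") == "IPMatch":
                findings.append((rule["name"], "RemoteAddr IPMatch trusts X-Forwarded-For; use SocketAddr"))
            # Finding 2: a Log-only rule selecting a credential field writes its cleartext
            # value into details_matches_s in Log Analytics.
            if action == "Log" and var in ("PostArgs", "RequestHeader", "Cookies") \
                    and selector in SENSITIVE_SELECTORS:
                findings.append((rule["name"], f"Log-only rule on {var}:{selector} skims secrets into diagnostics"))
    return findings


if __name__ == "__main__":
    for name, why in audit_waf_policy(SAMPLE_POLICY):
        print(f"[!] {name}: {why}")
```

Run it against the real policy JSON (e.g. the output of the WAF policy `show` command of your CLI) instead of SAMPLE_POLICY, and review every Log-action rule it reports together with who last modified the policy.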
