Az - Front Door

tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

RemoteAddr Bypass

This blog post explains that when you configure network restrictions in Azure Front Door you can filter on either RemoteAddr or SocketAddr. The key difference is that RemoteAddr takes its value from the X-Forwarded-For HTTP header, which makes it very easy to bypass.

To bypass such a rule, automated tools can be used that brute-force IP addresses until a valid one is found.

This is mentioned in the Microsoft documentation.

Credential Skimming via WAF Custom Rules + Log Analytics

Abusing Azure Front Door (AFD) WAF Custom Rules together with Log Analytics to capture cleartext credentials (or other secrets) that pass through the WAF. This is not a CVE; it is abuse of legitimate features by anyone who can modify the WAF policy and read its logs.

Key behaviours that make this possible:

  • AFD WAF Custom Rules can match request components, including headers and POST parameters.
  • When a Custom Rule uses the action Log traffic only, evaluation continues and the traffic flows on (no short-circuit), so the normal request flow is preserved and the rule stays stealthy.
  • AFD writes detailed diagnostics to Log Analytics under the Category FrontDoorWebApplicationFirewallLog. Details of the matched payloads are stored in details_matches_s, alongside the rule name in ruleName_s.

End-to-end workflow

  1. Identify target POST parameters
  • Inspect the login form and note the parameter names (e.g., username, password).
  2. Enable diagnostics to Log Analytics
  • In your Front Door profile > Monitoring > Diagnostic settings, send logs to a Log Analytics workspace.
  • At a minimum, enable the category FrontDoorWebApplicationFirewallLog.
  3. Create a malicious Custom Rule
  • Front Door WAF Policy > Custom rules > New rule:
  • Name: an innocuous-looking name, e.g., PasswordCapture
  • Priority: a low number (e.g., 5) so that it is evaluated early
  • Match: POST arguments username and password with Operator = Any (match any value)
  • Action: Log traffic only
  4. Generate events

```bash
curl -i -X POST https://example.com/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data "username=alice&password=S3cret!"
```

  5. Extract the credentials from Log Analytics (KQL)

```kusto
AzureDiagnostics
| where Category == "FrontDoorWebApplicationFirewallLog"
| where ruleName_s == "PasswordCapture"
| project TimeGenerated, ruleName_s, details_matches_s
| order by TimeGenerated desc
```

The same data with the match details expanded into one row per matched variable:

```kusto
AzureDiagnostics
| where Category == "FrontDoorWebApplicationFirewallLog" and ruleName_s == "PasswordCapture"
| extend m = parse_json(details_matches_s)
| mv-expand match = m.matches
| project TimeGenerated, ruleName_s, match.matchVariableName, match.matchVariableValue
| order by TimeGenerated desc
```

The matched values appear in details_matches_s and include the cleartext values that matched your rule.
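As an added defensive example (not part of this HackTricks page and not a Microsoft tool), the following Python script performs the same parsing of details_matches_s that the KQL above does, but over an exported batch of AzureDiagnostics rows in order to detect a skimming rule rather than harvest from it: it flags every FrontDoorWebApplicationFirewallLog row in which a password-, token- or Authorization-like variable had its value recorded, and reports the rule name and field without ever copying the matched value. The rows are constructed; the column names action_s and clientIP_s, and the "Variable:selector" form of matchVariableName, are assumptions about the diagnostics schema.

```python
"""Hunt exported AFD WAF diagnostics for custom rules that logged secret values.

Added example, not HackTricks or Microsoft code. Input: a list of AzureDiagnostics
rows as dicts (e.g. the JSON output of `az monitor log-analytics query`).
The sample rows below are constructed; the columns action_s / clientIP_s and the
"Variable:selector" format of matchVariableName are assumptions.
"""
import json
from collections import Counter

# Substrings of matchVariableName that identify a secret-bearing field.
SENSITIVE_FIELDS = ("password", "passwd", "pwd", "secret", "token",
                    "authorization", "cookie", "apikey")

WAF_CATEGORY = "FrontDoorWebApplicationFirewallLog"


def _matches(details_matches_s) -> list:
    """details_matches_s is a JSON string of the form
    {"matches": [{"matchVariableName": ..., "matchVariableValue": ...}, ...]}."""
    try:
        return json.loads(details_matches_s or "{}").get("matches", [])
    except (ValueError, TypeError, AttributeError):
        return []


def find_logged_secrets(records: list) -> list:
    """Return one finding per WAF log row in which a sensitive field's value was recorded.
    The matched value itself is deliberately not copied into the finding."""
    findings = []
    for row in records:
        if row.get("Category") != WAF_CATEGORY:
            continue
        leaked = sorted({
            m.get("matchVariableName", "")
            for m in _matches(row.get("details_matches_s"))
            if m.get("matchVariableValue")
            and any(s in m.get("matchVariableName", "").lower() for s in SENSITIVE_FIELDS)
        })
        if leaked:
            findings.append({
                "time": row.get("TimeGenerated"),
                "rule": row.get("ruleName_s"),
                "action": row.get("action_s"),   # assumed column name
                "client": row.get("clientIP_s"),  # assumed column name
                "fields": leaked,
            })
    return findings


def rules_to_review(findings: list) -> dict:
    """Count findings per rule name: the rules an admin should inspect or delete first."""
    return dict(Counter(f["rule"] for f in findings))


# Constructed sample export: two logins captured by a Log-only rule, one unrelated
# block of a bad user agent, and one row from a different log category.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "Category": WAF_CATEGORY,
     "ruleName_s": "PasswordCapture", "action_s": "Log", "clientIP_s": "198.51.100.7",
     "details_matches_s": json.dumps({"matches": [
         {"matchVariableName": "PostArgs:username", "matchVariableValue": "alice"},
         {"matchVariableName": "PostArgs:password", "matchVariableValue": "S3cret!"}]})},
    {"TimeGenerated": "2024-05-01T10:02:00Z", "Category": WAF_CATEGORY,
     "ruleName_s": "PasswordCapture", "action_s": "Log", "clientIP_s": "198.51.100.9",
     "details_matches_s": json.dumps({"matches": [
         {"matchVariableName": "PostArgs:username", "matchVariableValue": "bob"},
         {"matchVariableName": "PostArgs:password", "matchVariableValue": "hunter2"}]})},
    {"TimeGenerated": "2024-05-01T10:03:00Z", "Category": WAF_CATEGORY,
     "ruleName_s": "BlockBadBot", "action_s": "Block", "clientIP_s": "198.51.100.11",
     "details_matches_s": json.dumps({"matches": [
         {"matchVariableName": "RequestHeader:User-Agent", "matchVariableValue": "evilbot/1.0"}]})},
    {"TimeGenerated": "2024-05-01T10:04:00Z", "Category": "FrontDoorAccessLog",
     "requestUri_s": "https://example.com/login"},
]

if __name__ == "__main__":
    found = find_logged_secrets(SAMPLE_RECORDS)
    for f in found:
        print(f"{f['time']} rule={f['rule']} action={f['action']} "
              f"client={f['client']} fields={f['fields']}")
    print("rules to review:", rules_to_review(found))
```

Run it against the sample and it reports the two PasswordCapture rows with fields ['PostArgs:password'] and a review count of {'PasswordCapture': 2}; the BlockBadBot row and the access-log row are ignored. Because the finding never contains matchVariableValue, the report can be shared with the policy owners without re-spreading the captured secrets.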

Why Front Door WAF and not Application Gateway WAF?

  • Application Gateway WAF custom-rule logs do not include the triggering POST/header values in the same way; AFD WAF diagnostics include the matched content in details, which is what allows credential capture.

Stealth and variants

  • Set Action to Log traffic only to avoid breaking requests and so that the remaining rules continue to be evaluated as normal.
  • Use a low numeric Priority so that your logging rule is evaluated before any subsequent Block/Allow rules.
  • You can target any sensitive names/locations, not just POST params (for example, headers such as Authorization, or API tokens in body fields).

Requirements

  • An existing Azure Front Door instance.
  • Permissions to edit the AFD WAF policy and to read the associated Log Analytics workspace.
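Both issues on this page (an IP restriction keyed on RemoteAddr, and a Log-only custom rule that matches any value of a credential field) are visible in the WAF policy itself, so one configuration audit covers both. The Python script below is an added example (not HackTricks code and not an Azure tool): it reads a Front Door WAF policy as JSON in the shape returned by `az network front-door waf-policy show -o json` (properties.customRules.rules[].matchConditions[], mirroring the ARM resource) and flags custom rules that filter on RemoteAddr instead of SocketAddr, plus Log-only rules that match any value of a password-, token- or Authorization-like PostArgs, RequestHeader or Cookies selector. The embedded policy is constructed, and the exact field names are assumed to follow that ARM shape.

```python
"""Audit an Azure Front Door WAF policy for the two patterns discussed on this page.

Added example, not HackTricks code. Input: the policy JSON as returned by
`az network front-door waf-policy show -o json` (properties.customRules.rules[]);
field names are assumed to mirror the ARM resource. The sample policy is constructed.
"""
import json
import sys

# Selectors (POST arg, header or cookie names) whose values are secrets; matched as substrings.
SENSITIVE_SELECTORS = ("password", "passwd", "pwd", "secret", "token",
                       "authorization", "cookie", "apikey")
# Match variables whose selector names a client-supplied value.
VALUE_VARIABLES = {"PostArgs", "RequestHeader", "Cookies"}


def audit_policy(policy: dict) -> list:
    """Return findings sorted by rule priority (a lower number is evaluated earlier)."""
    findings = []
    rules = policy.get("properties", {}).get("customRules", {}).get("rules", []) or []
    for rule in rules:
        name, prio, action = rule.get("name"), rule.get("priority", 0), rule.get("action")
        for cond in rule.get("matchConditions", []) or []:
            var = cond.get("matchVariable")
            selector = (cond.get("selector") or "").lower()
            # Pattern 1: IP restriction keyed on RemoteAddr, which is taken from X-Forwarded-For.
            if var == "RemoteAddr":
                findings.append({"rule": name, "priority": prio,
                                 "issue": "RemoteAddr is header-derived; restrict on SocketAddr instead"})
            # Pattern 2: a Log-only rule matching *any* value of a secret-bearing field. The matched
            # cleartext is written to details_matches_s in FrontDoorWebApplicationFirewallLog.
            if (action == "Log" and var in VALUE_VARIABLES and cond.get("operator") == "Any"
                    and any(s in selector for s in SENSITIVE_SELECTORS)):
                findings.append({"rule": name, "priority": prio,
                                 "issue": f"Log-only rule records {var}['{selector}'] values into WAF diagnostics"})
    return sorted(findings, key=lambda f: f["priority"])


# Constructed sample: an IP allow-list done on the wrong variable, a skimming rule, a benign block.
SAMPLE_POLICY = {
    "name": "demo-waf-policy",
    "properties": {"customRules": {"rules": [
        {"name": "AllowOffice", "priority": 1, "ruleType": "MatchRule", "action": "Block",
         "matchConditions": [
             {"matchVariable": "RemoteAddr", "operator": "IPMatch",
              "negateCondition": True, "matchValue": ["203.0.113.0/24"]}]},
        {"name": "PasswordCapture", "priority": 5, "ruleType": "MatchRule", "action": "Log",
         "matchConditions": [
             {"matchVariable": "PostArgs", "selector": "username", "operator": "Any", "matchValue": []},
             {"matchVariable": "PostArgs", "selector": "password", "operator": "Any", "matchValue": []}]},
        {"name": "BlockBadBot", "priority": 10, "ruleType": "MatchRule", "action": "Block",
         "matchConditions": [
             {"matchVariable": "RequestHeader", "selector": "User-Agent",
              "operator": "Contains", "matchValue": ["evilbot"]}]},
    ]}},
}

if __name__ == "__main__":
    # Usage: python audit_afd_waf.py [policy.json]; without an argument the sample policy is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    for f in audit_policy(policy):
        print(f"[priority {f['priority']}] {f['rule']}: {f['issue']}")
```

On the sample it reports AllowOffice (RemoteAddr) and PasswordCapture (PostArgs password), and nothing for BlockBadBot; the username condition is not reported on its own because a username is not a secret. Auditing exported policies on a schedule is the practical check for the precondition listed above: anyone with write access to the policy can add such a rule, so the policy content, not just its access list, needs review.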
