Barracuda Web Application Firewall Foundation - WAF01. Lab Guide


Barracuda Web Application Firewall Foundation - WAF01 Lab Guide
Official training material for Barracuda certified trainings and Authorized Training Centers.
Edition 2018, Revision 1.0
campus.barracuda.com
campus@barracuda.com

Barracuda Networks Inc., January 31, 2018 12:13 PM. The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No portion of this document may be copied, distributed, publicized or used for other than internal documentary purposes without the written consent of an official representative of Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Foundation Lab Guide

1.1 Connect To Environment 5
    1.1.1 Lab Instructions 5
    1.1.2 Step-by-Step Guide 5
1.2 Attacking a Web Application 7
    1.2.1 Lab Instructions 7
    1.2.2 Step-by-Step Guide 7
1.3 Performing the Initial and Service Configuration 11
    1.3.1 Lab Instructions 11
    1.3.2 Step-by-Step Guide 11
1.4 Clustering 15
    1.4.1 Lab Instructions 15
    1.4.2 Step-by-Step Guide 15
1.5 Attacking a Web Application Protected by the WAF Default Configuration 17
    1.5.1 Lab Instructions 17
    1.5.2 Step-by-Step Guide 17
1.6 Access Control
    1.6.1 Lab Instructions
    1.6.2 Step-by-Step Guide

Student Guide Barracuda WAF - Foundation Lab

1.1 Connect To Environment

1.1.1 Lab Instructions

In this lab you will connect to your environment.

1.1.2 Step-by-Step Guide

Connecting to the environment bastion host
1. Open an RDP client.
2. Connect to the hostname and port provided by the trainer using the format hostname:port.
3. Accept/ignore any certificate validation warnings.
4. Use the following credentials to log in to the system:
   a. Username: student
   b. Password: CudaL3arner!

Connecting to the environment Admin Client
5. In the bastion host, open the Microsoft RDP client located in the Windows taskbar.
6. Enter the <Admin Client IP Address>.
7. Use the following credentials to log in to the system:
   a. Username: student
   b. Password: campuspass

Connecting to the environment Attack Client
8. In the bastion host, open an additional RDP connection:
   a. Right-click on the Microsoft RDP client.
   b. Click Remote Desktop Connection.
9. Enter the <Attack Client IP Address>.
10. Use the following credentials to log in to the system:
   a. Username: student
   b. Password: campuspass


1.2 Attacking a Web Application

1.2.1 Lab Instructions

In this lab, you will learn how to use some active reconnaissance techniques and how to exploit the vulnerabilities you find. Perform reconnaissance on the Badstore website. Based on the collected data, launch SQL injection, cookie tampering, and forceful browsing attacks.

1.2.2 Step-by-Step Guide

Connect to the Attack Client
1. Open an RDP client and navigate to the Attack Client: 198.51.100.254
2. Log in:
   Username: student
   Password: campuspass
3. If the first login fails, click OK and re-enter the credentials.

Perform reconnaissance using Nikto to find potential security vulnerabilities
1. Open Firefox_dev (Applications > Internet).
2. Navigate to: http://badstore.bigfishinc.org
3. Click Home. You will see that the website uses CGI (Common Gateway Interface).
4. Open the Terminal Emulator (Applications).
5. At the command prompt, enter:
   /opt/nikto/program/nikto.pl -h http://badstore.bigfishinc.org
   The output displays the HTTP methods that are allowed, the version information about the software packages the server is running, and other vulnerabilities.
6. Leave the Terminal Emulator open.
7. In Firefox_dev, navigate to the following paths:
   http://badstore.bigfishinc.org/backup
   http://badstore.bigfishinc.org/cgi-bin/test.cgi
   Administrators can use the /backup/ path to perform backups. This indicates that there may be an administrator role for this website. The output shows that the website uses cookies and probably uses Base64 encoding in other portions of the website.

Log in as a user by using an SQL injection attack
1. Click Login/Register.
2. Log in using 1 OR 1=1-- (make sure you end your statement with a space!) as the email address, leaving the password blank. You are logged in as Test User. Test User must be the first record in the user database.
3. Click View Previous Orders to view the user's order history.
4. Because this page displays a variable number of records, try populating it with data from a different database or table using the UNION command. This lets you retrieve data from a different table in the MySQL database. If itemdb is the naming convention for items, there may be a userdb.
5. Log in to the Badstore website using: 1 union select * from userdb-- (make sure you end your statement with a space!)
6. Click View Previous Orders. Instead of a list of items, a list of users is displayed. The final column may indicate a user type.
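As an added example (not Badstore's code and not part of the lab guide), the following Python reproduces the login bypass from step 2 against a constructed in-memory userdb and shows the parameterized query that defeats it: the lab's payload, bound as a value, is compared as a literal string and matches no account. The table layout and the unquoted splice in the vulnerable query are assumptions made so that the lab's exact payload behaves as described.

```python
"""Added example, not part of the lab guide or of Badstore itself.

A constructed in-memory stand-in for the userdb table, a login written the
vulnerable way (value spliced into the SQL text) and the parameterized fix.
"""
import sqlite3

# Payload exactly as the lab gives it, trailing space included.
SQLI_LOGIN = "1 OR 1=1-- "


def make_db() -> sqlite3.Connection:
    """Constructed data: Test User is deliberately the first record."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE userdb (email TEXT, passwd TEXT, fullname TEXT, role TEXT)"
    )
    # Plaintext passwords only for the demo; a real store keeps a hash.
    conn.executemany(
        "INSERT INTO userdb VALUES (?, ?, ?, ?)",
        [
            ("test@cudau.org", "test", "Test User", "U"),
            ("hacker@cudau.org", "hacker", "hacker", "U"),
            ("admin@cudau.org", "s3cret", "Site Admin", "A"),
        ],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, passwd: str):
    """Builds the statement by string interpolation (kept vulnerable on purpose).

    The email value is spliced in unquoted so that the lab's payload, which
    carries no leading quote, behaves as the lab describes; how Badstore
    really builds its query is not shown on the page.  "-- " comments out
    the password check and OR 1=1 is true for every row, so the first
    record (Test User) comes back.
    """
    sql = (
        "SELECT fullname, role FROM userdb "
        f"WHERE email={email} AND passwd='{passwd}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn: sqlite3.Connection, email: str, passwd: str):
    """Same lookup with bound parameters: the driver sends the payload as a
    literal string, so it is compared against the email column and matches
    nothing; a real account still logs in normally."""
    sql = "SELECT fullname, role FROM userdb WHERE email=? AND passwd=?"
    return conn.execute(sql, (email, passwd)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, SQLI_LOGIN, ""))
    print("parameterized:", login_parameterized(db, SQLI_LOGIN, ""))
    print("real login   :", login_parameterized(db, "hacker@cudau.org", "hacker"))
```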

Get ready to place an order
1. Click Login/Register.
2. Register for a new account using the following details:
   Full Name: hacker
   Email Address: hacker@cudau.org
   Password: hacker
   Password Hint: green
   The home page opens, and "Welcome hacker" is displayed at the top of the page.
3. Click What's New.
4. Select the first three items listed, and click Add items to Cart. The home page opens. At the top of the page, "Cart contains 3 items at $5024.00" is displayed.
5. Click View Cart.
6. Click Place Order to proceed to the checkout.
7. WITHOUT yet clicking Place Order, enter credit card number 6011 0000 0000 0004, expiration date 05/20.

Perform a cookie tampering attack
1. In Firefox_dev, click on the ProxySwitcher extension and select ZAP.
2. Open ZAP (Applications > Internet). Wait until ZAP starts, then click Start without changing the default setting when asked if the session should be persistent, and click No for the automatic updates.
3. Click + (the plus button) and add the Break tab to the right panel.
4. Click on the green circle to set the break on all requests. The green circle turns red.
5. On the Badstore web page, click Place Order.
6. The prompt "Thank you for using Discover" appears.
7. Click OK. ZAP traps the request.
8. Cancel the option to have ZAP always on top.
9. Right-click on the trapped request (Break tab) and click Find...
10. Find the number 5024 and change it to the number 1. Note that the number is included in the cleartext cookie. Don't use the num-pad keys because they might cause strange behavior.
11. In OWASP ZAP, click the blue Play button to submit the edited request.
12. If another request is trapped, click the blue Play button again.
13. Click View Previous Orders. Notice that the credit card number is displayed.
14. The purchase completes, with a charge of $1 instead of $5024.

Perform a forceful browsing attack
1. Tamper with the CGI parameter in the address bar:
   Try action=manage
   Try action=setup
   Try action=admin
2. The forceful browsing attack succeeds, and the Secret Administration Portal is displayed.
3. Try to view the sales report. You are rejected.
4. Click the Back button.

Capture and decode a cookie to change the user role
5. In ZAP, click the green circle in the menu bar. The circle turns red, indicating that all requests will be trapped in ZAP.
6. In the Badstore website, click the Do it button to view the sales report. The request is trapped in ZAP.
7. In OWASP ZAP, copy the contents of the cookie (everything after "Cookie: SSOid=").
8. In OWASP ZAP, open Tools > Encode/Decode/Hash.
9. Paste the cookie contents into the upper box, and click the Decode tab. OWASP ZAP converts the percent-encoded (%XX) sequences back into ASCII, replacing %3D with equal signs and %0A with carriage returns (Enter key). The converted text appears in the URL Decode box.
10. Select all of the contents of the URL Decode box, and copy them to your clipboard with Ctrl+C.
11. Delete ALL the contents of the upper box.
12. Paste the contents of your clipboard into the upper box.
13. The text decodes and appears in the Base 64 Decode box. You can see that the cookie contains the parameter U, which indicates you are a regular user.
14. Copy the contents of the Base 64 Decode box to your clipboard with Ctrl+C.
15. Delete the contents of the upper-most box.
16. Paste the contents of your clipboard into the upper box.
17. Change the U at the end of the decoded string to an A.

Re-encode the cookie
1. Click the Encode tab. The Base64-encoded version of the cookie appears in the Base 64 Encode box.
2. Copy the contents of the Base 64 Encode box to your clipboard with Ctrl+C.
3. Delete the contents of the upper box.
4. Paste the contents of your clipboard into the upper box.
5. The URL-encoded version appears in the URL Encode box.
6. Make sure that the last character in the cookie is a %0A by entering a single carriage return (press the Enter key) at the end of the text in the upper box.
7. Copy the contents of the URL Encode box to your clipboard using Ctrl+C.
8. Replace the captured cookie in ZAP with the cookie from your clipboard.
9. Click the blue Play button to submit the request to the Badstore website.
10. You may have to submit several packets. The request should succeed, and all of the customer records for the site are displayed.
11. Click the ProxySwitcher extension, and select No Proxy.
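An added example, not part of the lab guide and not Badstore's code: the two decoding layers walked through above (percent-decoding, then Base64) in Python, the role read from the unsigned cookie, and the server-side fix, a keyed HMAC over the cookie body so that the U-to-A edit (or the $5024-to-$1 cart edit from the earlier step) is rejected on the next request. The field layout email:hash:name:role and the key are constructed for the demo, since Badstore's real cookie format is not stated here.

```python
"""Added example, not part of the lab guide or of Badstore.

Decodes the SSOid cookie the way the lab does by hand in ZAP (percent
decoding, then Base64), reads the role field from it, and shows the
server-side fix: a keyed HMAC over the cookie body so an edited role
(or an edited cart total) is detected instead of trusted.

Assumed layout (constructed): "email:password-hash:fullname:role" with
role U (regular user) or A (admin). Badstore's real layout is not on the page.
"""
import base64
import hashlib
import hmac
import urllib.parse

# Constructed demo key; a real server keeps this in its config, not in code.
SERVER_KEY = b"constructed-demo-key"


def decode_ssoid(cookie_value: str) -> str:
    """URL Decode box, then Base 64 Decode box: %3D -> '=', %0A -> newline,
    then strip the trailing newline and decode the Base64 text."""
    b64 = urllib.parse.unquote(cookie_value).strip()
    return base64.b64decode(b64).decode()


def encode_ssoid(plain: str) -> str:
    """Reverse direction: Base64, trailing newline (%0A), percent-encoding."""
    b64 = base64.b64encode(plain.encode()).decode() + "\n"
    return urllib.parse.quote(b64, safe="")


def role_from_cookie(cookie_value: str) -> str:
    """Unsigned design: the server believes whatever role the client sends."""
    return decode_ssoid(cookie_value).rsplit(":", 1)[-1]


def sign_cookie(plain: str, key: bytes = SERVER_KEY) -> str:
    """Hardened issue path: append HMAC-SHA256(body) before encoding."""
    tag = hmac.new(key, plain.encode(), hashlib.sha256).hexdigest()
    return encode_ssoid(f"{plain}|{tag}")


def verify_cookie(cookie_value: str, key: bytes = SERVER_KEY):
    """Hardened read path: return the role only when the tag matches the
    body; None for unsigned or edited cookies."""
    body, sep, tag = decode_ssoid(cookie_value).rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return body.rsplit(":", 1)[-1]


def with_role_changed(cookie_value: str, new_role: str) -> str:
    """Reproduces the lab's edit (last field U -> A) on either cookie form,
    so the two read paths can be compared on the same input."""
    body, sep, tag = decode_ssoid(cookie_value).rpartition("|")
    if not sep:
        body, tag = decode_ssoid(cookie_value), ""
    head = body.rsplit(":", 1)[0]
    return encode_ssoid(f"{head}:{new_role}{sep}{tag}")


if __name__ == "__main__":
    plain = "hacker@cudau.org:constructed-hash:hacker:U"
    unsigned = encode_ssoid(plain)
    print("unsigned, edited  ->", role_from_cookie(with_role_changed(unsigned, "A")))
    signed = sign_cookie(plain)
    print("signed, untouched ->", verify_cookie(signed))
    print("signed, edited    ->", verify_cookie(with_role_changed(signed, "A")))
```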


1.3 Performing the Initial and Service Configuration

1.3.1 Lab Instructions

This lab will guide you through some necessary changes in the initial setup of your Barracuda Web Application Firewall and the creation of an HTTP and an HTTPS service.

1.3.2 Step-by-Step Guide

Connect to the Admin Client
1. Open an RDP client and navigate to the Admin Client: 10.1.1.254
2. Log in:
   Username: student
   Password: campuspass
3. If the first login fails, click OK and re-enter the credentials.

Perform the initial configuration
1. From the Admin Client, open Firefox, and navigate to: http://waf9a.cudau.org:8000
2. Log in with the WAF credentials:
   Username: admin
   Password: admin
3. Go to BASIC > Administration and change the following configuration settings:
   Session Expiration Length: 120 minutes
   System Alerts Email Address: postmaster@cudau.org
   System Contact Email Address: postmaster@cudau.org
4. Click Save.
5. Continue by changing the admin password:
   Old Password: admin
   New Password: campuspass
   Retype the password.
6. Click Save Password.
7. Go to ADVANCED > Secure Administration and check the configuration:
   Web Interface HTTPS/SSL Port: 8443
8. Click Save.
9. From another tab, navigate to https://waf9a.cudau.org:8443 and continue through the certificate security check.
10. Log in with the new WAF credentials.
11. Go to the ADVANCED > Secure Administration page and configure:
   HTTPS/SSL Access Only: Yes
12. Click Save.

Create a service
1. Navigate to BASIC > Services.
2. Create a new service with the following settings:

   Service Name: badstore
   Type: HTTP
   Virtual IP Address: <VIP1>
   Port: 80
   Real Servers: <Badstore IP>
   Create Group: No
   Service Groups: default
3. Click Add.
   Note: By default, a new service is set to Passive mode when it is created. In Passive mode, traffic is not blocked. Instead, attacks and malicious requests are logged.

Create and load an SSL certificate
1. In the WAF web interface, go to BASIC > Certificates.
2. In the Certificate Generation section, click Create Certificate.
3. In the Certificate Generation window, specify the required information for your certificate:
   Certificate Name (do not use spaces)
   Common Name
   Country Code
   State or Province
   Locality (City)
   Organization (Company) Name
4. Click Generate Certificate. The certificate is now accessible on the BASIC > Certificates page. You can also select it from the service creation workflow.

Create an HTTPS service
1. Navigate to BASIC > Services.
2. Create a new service with the following settings:
   Service Name: Badstore_ssl
   Virtual IP Address: <VIP1>
   Type: HTTPS
   Port: 443
   Real Servers: <Badstore IP>
   Certificate: Select the certificate that you just created.
3. Click Add.
   Note: When the service is added, it listens on port 443 on the front end. However, the real server entry is created on port 80 by default. Because the backend is running on port 443 with SSL, you must change the backend settings.

4. Click Edit next to the real server and make the following changes:
   Port: 443
   Server uses SSL: Yes
   Validate Server Certificate: No
   Note: The WAF will not be able to validate the certificate because the backend server uses a self-signed certificate.
5. In Firefox_dev, navigate to: https://www.cudau.org
   A warning that the certificate is untrusted appears. You can view the certificate and see that it is the self-generated certificate you just created.
6. Click through the warning, and the Badstore website opens.
7. Return to the WAF interface and check BASIC > Access Logs to make sure that the request is processed by the right service (badstore_ssl).

1.4 Clustering

1.4.1 Lab Instructions

This lab will guide you through the process of clustering two Web Application Firewalls.

1.4.2 Step-by-Step Guide

Configure a Cluster Shared Secret on WAF9a
1. From the Management Client, open Firefox, navigate to http://waf9a.cudau.org:8443 and log in to the WAF management interface.
2. Navigate to ADVANCED > High Availability and configure:
   Cluster Shared Secret: campussecret
3. Click Save.

Perform the initial configuration of WAF9b
1. From the Management Client, open a Firefox tab, and navigate to: http://waf9b.cudau.org:8000
2. Log in with the default WAF credentials.
3. Go to BASIC > IP Configuration and configure:
   Default Host Name: waf9b
   Default Domain: cudau.org
4. Click Save.
   Note: If the interface does not automatically reset within 2 minutes, navigate to http://waf9b.cudau.org:8000 and log in again.
5. Go to BASIC > Administration and change the following configuration settings:
   Session Expiration Length: 120 minutes
   System Alerts Email Address: postmaster@cudau.org
   System Contact Email Address: postmaster@cudau.org
6. Click Save.
7. Continue by changing the admin password:
   Old Password: admin
   New Password: campuspass
   Retype the password.
8. Click Save Password.
9. Go to ADVANCED > Secure Administration and configure:
   Web Interface HTTPS/SSL Port: 8443
10. Click Save.
11. From another tab, log in to https://waf9b.cudau.org:8443 and continue through the certificate security check.
12. Log in with the new credentials.
13. In the waf9b tab, go to the ADVANCED > Secure Administration page and configure:
   HTTPS/SSL Access Only: Yes

Configure a Cluster Shared Secret on WAF9b and start the clustering procedure
1. Open Firefox, navigate to http://waf9b.cudau.org:8443 and log in to the WAF management interface.
2. Navigate to ADVANCED > High Availability and configure:
   Cluster Shared Secret: campussecret
3. Click Save.
4. Log in again to the WAF management interface.
5. Enter the Peer IP Address: <waf9a wan IP>
6. Click Join Cluster.
7. Wait until the clustering procedure finishes.
8. Verify that the configuration has been synced successfully by checking the BASIC > Services page.
9. Verify that Badstore is still reachable from the client.
10. Close the waf9b tab.

1.5 Attacking a Web App through the WAF

1.5.1 Lab Instructions

In this lab, you will learn how to create, activate, and test a Barracuda Web Application Firewall service. Launch an attack against the passive service. Activate the service and then relaunch the attack tasks.

1.5.2 Step-by-Step Guide

Activate the service
1. In the Barracuda Web Application Firewall web interface, go to BASIC > Services.
2. Edit the Badstore service.
3. Change the Mode of the service to Active.
4. Click Save.

Turn on Data Theft Protection
1. In the Barracuda Web Application Firewall interface, go to WEBSITES > Advanced Security.
2. Click Edit next to the default-url-policy for the Badstore service in the Advanced Security section.
3. Click Yes next to Enable Data Theft Protection.
4. Click Save.

Connect to the Attack Client
1. Open an RDP client and navigate to the Attack Client: 198.51.100.254
2. Log in:
   Username: student
   Password: campuspass
3. If the first login fails, click OK and re-enter the credentials.

Launch an SQL attack against the active service and check the Firewall logs
1. In Firefox_dev, navigate to: http://www.bigfishinc.org
2. Click What's New.
3. In the Quick Item Search field, enter 1 OR 1=1-- (make sure you end your statement with a space!). The query fails, and the error message is cryptic and uninformative.
4. On the Admin Client, in the WAF web interface, go to the BASIC > Web Firewall Logs page. The attack is listed with an action of DENIED.

Perform reconnaissance using Nikto against the service
1. Open a second instance of the terminal emulator (Applications).
2. At the command prompt, enter:
   /opt/nikto/program/nikto.pl -h http://www.bigfishinc.org
3. Note that Nikto now displays very little information about the Badstore site, compared to the Nikto scan launched directly against the Badstore website earlier. You can easily compare the two attempts by placing the two terminal instances next to each other.
4. In the WAF web interface, go to the BASIC > Web Firewall Logs page. Note the large number of attacks launched by the Nikto scan and blocked by the Barracuda Web Application Firewall.

Attempt a cookie tampering attack
1. Following the instructions from Lab 1.2.2 ("Get ready to place an order" and "Perform a cookie tampering attack"), attempt to perform a cookie tampering attack by changing the value of the cost of the shopping cart in the cookie. Notice that the Barracuda Web Application Firewall prevents this attack.
2. In the WAF web interface, go to the BASIC > Web Firewall Logs page. Notice that the attack has been logged as a Cookie Tampering attack.
3. On the Badstore site, click View Previous Orders. Notice that any credit card numbers are now cloaked.
4. On the Management Client, in the WAF web interface, go to the BASIC > Web Firewall Logs page. Notice that an Identity Theft Pattern Matched entry has been logged and the matched data cloaked.
5. If you still have the ProxySwitcher set to ZAP, change it to No Proxy.

Launch an SQL attack against the passive service and check the Web Firewall logs
1. In Firefox_dev, navigate to: https://www.bigfishinc.org
2. Click What's New.
3. In the Quick Item Search field, enter 1 OR 1=1--
4. The query succeeds. Even encrypted services are vulnerable to web application attacks!
5. In the WAF web interface, go to BASIC > Services.
6. Edit the Badstore_ssl service and change the Mode from Passive to Active.
7. Click Save.
8. In the Badstore website, on the What's New page, in the Quick Item Search field, enter 1 OR 1=1--
9. The attack is blocked and an uninformative error message is displayed because the service is now active.
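As an added illustration of what the cloaking in steps 3 and 4 does to a response (constructed logic, not Barracuda's implementation and not part of the lab guide): scan a response body for Luhn-valid card numbers such as the lab's 6011 0000 0000 0004 and mask all but the last four digits, while leaving ordinary digit runs such as order numbers alone. The sample response body is constructed.

```python
"""Added example, not Barracuda's implementation and not part of the lab guide.

Constructed logic for what Data Theft Protection's cloaking does to a
response: find Luhn-valid card numbers and mask all but the last four
digits, leaving other digit runs (order numbers, phone numbers) untouched.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; 6011 0000 0000 0004 from the lab passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def cloak_cards(body: str, keep_last: int = 4):
    """Return (cloaked_body, number_of_matches). Separators are kept so the
    masked value has the same shape as the original."""
    count = 0

    def repl(match: re.Match) -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw                      # not a card number: leave it alone
        count += 1
        seen, out = 0, []
        for c in raw:
            if c.isdigit():
                seen += 1
                out.append(c if seen > len(digits) - keep_last else "X")
            else:
                out.append(c)
        return "".join(out)

    return CARD_RE.sub(repl, body), count


# Constructed response body in the shape of the Badstore order history page.
SAMPLE_RESPONSE = (
    "<tr><td>Order 1234 5678 9012 3456</td>"
    "<td>Card: 6011 0000 0000 0004</td><td>$1.00</td></tr>"
)

if __name__ == "__main__":
    cloaked, n = cloak_cards(SAMPLE_RESPONSE)
    print(n, "identity theft pattern(s) matched")
    print(cloaked)
```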

1.6 Access Control

1.6.1 Lab Instructions

In this lab, you will learn how to configure the Barracuda Web Application Firewall to use an external LDAP server to authenticate users for the admin section of the Badstore website. Configure the Barracuda Web Application Firewall to use an external LDAP server for authentication.

1.6.2 Step-by-Step Guide

Configure an LDAP server
1. In the WAF web interface, go to ACCESS CONTROL > Authentication Services.
2. Under the LDAP tab, specify the following settings:
   Realm Name: cudau.org
   Server Name/IP: 10.1.1.10
   Server Port: 389
   Secure Connection Type: none
   Bind DN (Username): CN=admin,DC=CUDAU,DC=ORG
   Base DN: DC=CUDAU,DC=ORG
   Bind Password: secret
   Login Attribute: uid
   Group Name Attribute: gid
   Query For Group: Yes
3. Click Test LDAP. The LDAP test succeeds.
4. Click Add. The cudau.org service is added to the Existing Authentication Services table.
5. Go to ACCESS CONTROL > Authentication Policies.
6. Click Edit Authentication for the Badstore service. Specify the following settings:
   Change Status to On.
   From the Authentication Service list, select cudau.org.
   Click Save.

Configure authorization
1. Go to ACCESS CONTROL > Authentication Policies.
2. Click Add Authorization for the Badstore service.
3. In the Policy Name field, enter Auth0.
4. For Status, select On.
5. In the URL Match field, enter /cgi-bin/badstore.cgi
6. For Extended Match, click the Edit icon to display the Extended Match widget:
   Element Type: Parameter
   Element Name: Select the Others check box and enter action
   Operation: is equal to
   Value: admin

   Click Insert. The Header Expression field displays: Parameter action eq admin
   Click Apply.
7. Click Save.

Authentication
1. In Firefox_dev, navigate to: http://www.bigfishinc.org/cgi-bin/badstore.cgi?action=admin
   You are prompted for a username and password.
2. Use the following credentials to log in:
   user: tommy
   pw: CudaL3arner!
   You will still not be able to view the Sales Report because your new user is not listed as an admin on the Badstore site.