Barracuda Web Application Firewall Foundation - WAF01 Lab Guide
Official training material for Barracuda certified trainings and Authorized Training Centers.
Edition 2018, Revision 1.0
campus.barracuda.com
campus@barracuda.com
Barracuda Networks Inc., January 31, 2018 12:13 PM. The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No portion of this document may be copied, distributed, publicized or used for other than internal documentary purposes without the written consent of an official representative of Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Foundation Lab Guide

1.1 Connect To Environment 5
1.1.1 Lab Instructions 5
1.1.2 Step-by-Step Guide 5
1.2 Attacking a Web Application 7
1.2.1 Lab Instructions 7
1.2.2 Step-by-Step Guide 7
1.3 Performing the Initial and Service Configuration 11
1.3.1 Lab Instructions 11
1.3.2 Step-by-Step Guide 11
1.4 Clustering 15
1.4.1 Lab Instructions 15
1.4.2 Step-by-Step Guide 15
1.5 Attacking a Web Application Protected by the WAF Default Configuration 17
1.5.1 Lab Instructions 17
1.5.2 Step-by-Step Guide 17
1.6 Access Control
1.6.1 Lab Instructions
1.6.2 Step-by-Step Guide
Student Guide Barracuda WAF - Foundation Lab

1.1 Connect To Environment

1.1.1 Lab Instructions
In this lab you will connect to your environment.

1.1.2 Step-by-Step Guide

Connecting to the environment bastion host
1. Open an RDP client.
2. Connect to the hostname and port provided by the trainer, using the format hostname:port.
3. Accept/ignore any certificate validation warnings.
4. Use the following credentials to log into the system:
   a. Username: student
   b. Password: CudaL3arner!

Connecting to the environment Admin Client
5. In the bastion host, open the Microsoft RDP client located in the Windows taskbar.
6. Enter the <Admin Client IP Address>.
7. Use the following credentials to log into the system:
   a. Username: student
   b. Password: campuspass

Connecting to the environment Attack Client
8. In the bastion host, open an additional RDP connection:
   a. Right-click on the Microsoft RDP client.
   b. Click Remote Desktop Connection.
9. Enter the <Attack Client IP Address>.
10. Use the following credentials to log into the system:
   a. Username: student
   b. Password: campuspass
1.2 Attacking a Web Application

1.2.1 Lab Instructions
In this lab, you will learn how to use some active reconnaissance techniques and how to exploit the vulnerabilities found. Perform reconnaissance on the Badstore website. Based on the collected data, launch SQL injection, cookie tampering, and forceful browsing attacks.

1.2.2 Step-by-Step Guide

Connect to the Attack Client
1. Open an RDP client and navigate to the Admin Client: 198.51.100.254
2. Log in:
   Username: student
   Password: campuspass
3. If the first login fails, click OK and re-enter the credentials.

Perform reconnaissance using Nikto to find potential security vulnerabilities
1. Open Firefox_dev (Applications > Internet).
2. Navigate to: http://badstore.bigfishinc.org
3. Click Home. You will see that the website uses CGI (Common Gateway Interface).
4. Open the Terminal Emulator (Applications).
5. At the command prompt, enter:
   /opt/nikto/program/nikto.pl -h http://badstore.bigfishinc.org
   The output displays the HTTP methods that are allowed, the version information about the software packages the server is running, and other vulnerabilities.
6. Leave the Terminal Emulator open.
7. In Firefox_dev, navigate to the following paths:
   http://badstore.bigfishinc.org/backup
   http://badstore.bigfishinc.org/cgi-bin/test.cgi
   Administrators can use the /backup/ path to perform backups. This indicates that there may be an administrator role for this website. The output displays that the website uses cookies and probably uses Base64 encoding in other portions of the website.

Log in as a user by using an SQL injection attack
1. Click Login/Register.
2. Log in using 1 OR 1=1-- (make sure you end your statement with a space!) as the email address, leaving the password blank. You are logged in as Test User. Test User must be the first record in the user database.
3. Click View Previous Orders to view the user's order history.
4. Because this page displays a variable number of records, try populating it with data from a different database or table using the UNION command. This lets you retrieve data from a different table in the MySQL database. If itemdb is the naming convention for items, there may be a userdb.
5. Log into the Badstore website using: 1 union select * from userdb-- (make sure you end your statement with a space!)
6. Click View Previous Orders. Instead of a list of items, a list of users is displayed. The final column may indicate a user type.
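Why the login form accepts 1 OR 1=1-- as an email address, and what the fix looks like, as an added example that is not part of the lab guide or of Badstore itself: a constructed SQLite user table, the broken query pattern beside its parameterised replacement. The table layout, the rows, and the unquoted interpolation in the vulnerable query are assumptions (Badstore's real query is not given in the guide); the payload is the exact string the lab types into the email field.

```python
import sqlite3

# Constructed stand-in for the Badstore user table (not the real schema).
# Passwords are stored in plaintext only to keep the demo short; real code
# would store a salted hash.
USERS = [
    ("test@example.test", "TestPass", "Test User", "U"),
    ("alice@example.test", "AlicePass", "Alice", "U"),
    ("root@example.test", "RootPass", "Administrator", "A"),
]

PAYLOAD = "1 OR 1=1-- "  # the exact string the lab enters, trailing space included


def make_db():
    """Create an in-memory userdb with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userdb (email TEXT, passwd TEXT, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO userdb VALUES (?, ?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, email, passwd):
    """The broken pattern: the login field is pasted into the SQL text.

    The value is interpolated without quoting (an assumption), which is what
    lets the payload turn the WHERE clause into "anything OR true" and the
    trailing "--" comment out the password check. The first row of the
    table comes back, which is why the lab lands on Test User.
    """
    sql = f"SELECT name, role FROM userdb WHERE email = {email} AND passwd = '{passwd}'"
    return conn.execute(sql).fetchone()


def login_safe(conn, email, passwd):
    """The fix: a parameterised query. The driver binds the login field as a
    value, so the payload is compared literally against the email column and
    never becomes part of the SQL statement."""
    sql = "SELECT name, role FROM userdb WHERE email = ? AND passwd = ?"
    return conn.execute(sql, (email, passwd)).fetchone()


def demo():
    """Run both variants against the constructed table and return the results."""
    conn = make_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, PAYLOAD, ""),
        "safe_with_payload": login_safe(conn, PAYLOAD, ""),
        "safe_with_real_creds": login_safe(conn, "alice@example.test", "AlicePass"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable call returns the first row regardless of the password; the parameterised call returns nothing for the payload and the correct row only for real credentials.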
Get ready to place an order
1. Click Login/Register.
2. Register for a new account using the following details:
   Full Name: hacker
   Email Address: hacker@cudau.org
   Password: hacker
   Password Hint: green
   The home page opens, and "Welcome hacker" is displayed at the top of the page.
3. Click What's New.
4. Select the first three items listed, and click Add items to Cart. The home page opens. At the top of the page, "Cart contains 3 items at $5024.00" is displayed.
5. Click View Cart.
6. Click Place Order to proceed to the checkout.
7. WITHOUT yet clicking Place Order, enter credit card number 6011 0000 0000 0004, expiration date 05/20.

Perform a cookie tampering attack
1. In Firefox_dev, click on the ProxySwitcher extension and select ZAP.
2. Open ZAP (Applications > Internet). Wait until ZAP starts, then click Start without changing the default setting when asked if the session should be persistent, and click No for the automatic updates.
3. Click + (the plus button) and add the Break tab to the right panel.
4. Click on the green circle to set the break on all requests. The green circle will turn red.
5. On the Badstore web page, click Place Order.
6. The prompt "Thank you for using Discover" appears.
7. Click OK. ZAP traps the request.
8. Cancel the option to have ZAP always on top.
9. Right-click on the trapped request (Break tab) and click Find...
10. Find the number 5024 and change it to the number 1. Note that the number is included in the cleartext cookie. Don't use the num-pad keys because they might cause strange behavior.
11. In OWASP ZAP, click the blue Play button to submit the edited request.
12. If another request is trapped, click the blue Play button again.
13. Click View Previous Orders. Notice that the credit card number is displayed.
14. The purchase completes, with a charge of $1 instead of $5024.

Perform a forceful browsing attack
1. Tamper with the CGI parameter in the address bar:
   Try action=manage
   Try action=setup
   Try action=admin
2. The forceful browsing attack succeeds, and the Secret Administration Portal is displayed.
3. Try to view the sales report. You are rejected.
4. Click the Back button.
Capture and decode a cookie to change the user role
5. In ZAP, click the green circle in the menu bar. The circle turns red, indicating that all requests will be trapped in ZAP.
6. In the Badstore website, click the Do it button to view the sales report. The request is trapped in ZAP.
7. In OWASP ZAP, copy the contents of the cookie (everything after Cookie: SSOid=).
8. In OWASP ZAP, open Tools > Encode/Decode/Hash.
9. Paste the cookie contents into the upper box, and click the Decode tab. OWASP ZAP converts the percent-encoded sequences back into ASCII, replacing %3D with equal signs and %0A with newlines (the Enter key). The converted text appears in the URL Decode box.
10. Select all of the contents of the URL Decode box, and copy them to your clipboard with Ctrl+C.
11. Delete ALL the contents of the upper box.
12. Paste the contents of your clipboard into the upper box.
13. The text decodes and appears in the Base 64 Decode box. You can see that the cookie contains the parameter U, which indicates you are a regular user.
14. Copy the contents of the Base 64 Decode box to your clipboard with Ctrl+C.
15. Delete the contents of the upper-most box.
16. Paste the contents of your clipboard into the upper box.
17. Change the U at the end of the decoded string to an A.

Re-encode the cookie
1. Click the Encode tab. The Base 64-encoded version of the cookie appears in the Base 64 Encode box.
2. Copy the contents of the Base 64 Encode box into your clipboard with Ctrl+C.
3. Delete the contents of the upper box.
4. Paste the contents of your clipboard into the upper box.
5. The URL-encoded version appears in the URL Encode box.
6. Make sure that the last character in the cookie is a %0A by entering a single carriage return (press the Enter key) at the end of the text in the upper box.
7. Copy the contents of the URL Encode box into your clipboard using Ctrl+C.
8. Replace the captured cookie in ZAP with the cookie from your clipboard.
9. Click the blue Play button to submit the request to the Badstore website.
10. You may have to submit several packets. The request should succeed, and all of the customer records for the site are displayed.
11. Click the ProxySwitcher extension, and select No Proxy.
1.3 Performing the Initial and Service Configuration

1.3.1 Lab Instructions
This lab will guide you through some necessary changes in the initial setup of your Barracuda Web Application Firewall and the creation of an HTTP and an HTTPS service.

1.3.2 Step-by-Step Guide

Connect to the Admin Client
1. Open an RDP client and navigate to the Admin Client: 10.1.1.254
2. Log in:
   Username: student
   Password: campuspass
3. If the first login fails, click OK and re-enter the credentials.

Perform the initial configuration
1. From the Admin Client, open Firefox, and navigate to: http://waf9a.cudau.org:8000
2. Log in with the WAF credentials:
   Username: admin
   Password: admin
3. Go to BASIC > Administration and change the following configuration settings:
   Session Expiration Length: 120 minutes
   System Alerts Email Address: postmaster@cudau.org
   System Contact Email Address: postmaster@cudau.org
4. Click Save.
5. Continue by changing the admin password:
   Old Password: admin
   New Password: campuspass
   Retype the password.
6. Click Save Password.
7. Go to ADVANCED > Secure Administration and check the configuration:
   Web Interface HTTPS/SSL Port: 8443
8. Click Save.
9. From another tab, navigate to https://waf9a.cudau.org:8443 and continue through the certificate security check.
10. Log in with the new WAF credentials.
11. Go to the ADVANCED > Secure Administration page and configure:
   HTTPS/SSL Access Only: Yes
12. Click Save.

Create a service
1. Navigate to BASIC > Services.
2. Create a new service with the following settings:
   Service Name: badstore
   Type: HTTP
   Virtual IP Address: <VIP1>
   Port: 80
   Real Servers: <Badstore IP>
   Create Group: No
   Service Groups: default
3. Click Add.
   Note: By default, a new service is set to Passive mode when it is created. In Passive mode, traffic is not blocked. Instead, attacks and malicious requests are logged.

Create and load an SSL certificate
1. In the WAF web interface, go to BASIC > Certificates.
2. In the Certificate Generation section, click Create Certificate.
3. In the Certificate Generation window, specify the required information for your certificate:
   Certificate Name (do not use spaces)
   Common Name
   Country Code
   State or Province
   Locality (City)
   Organization (Company) Name
4. Click Generate Certificate. The certificate is now accessible on the BASIC > Certificates page. You can also select it from the service creation workflow.

Create an HTTPS service
1. Navigate to BASIC > Services.
2. Create a new service with the following settings:
   Service Name: Badstore_ssl
   Virtual IP Address: <VIP1>
   Type: HTTPS
   Port: 443
   Real Servers: <Badstore IP>
   Certificate: Select the certificate that you just created.
3. Click Add.
   Note: When the service is added, it is created on port 443 on the front end. However, the backend server has been created on port 80 by default. Because the backend is running on port 443 with SSL, you must change the backend settings.
4. Click Edit next to the real server and make the following changes:
   Port: 443
   Server uses SSL: Yes
   Validate Server Certificate: No
   Note: The WAF will not be able to validate the certificate because the backend server uses a self-signed certificate.
5. In Firefox_dev, navigate to: https://www.cudau.org
   A warning that the certificate is untrusted appears. You can view the certificate and see that it is the self-generated certificate you just created.
6. Click through the warning, and the Badstore website opens.
7. Return to the WAF interface and check BASIC > Access Logs to make sure that the request is processed by the right service (badstore_ssl).
1.4 Clustering

1.4.1 Lab Instructions
This lab will guide you through the process of clustering two Web Application Firewalls.

1.4.2 Step-by-Step Guide

Configure a Cluster Shared Secret in WAF9a
1. From the Management Client, open Firefox, navigate to http://waf9a.cudau.org:8443 and log into the WAF management interface.
2. Navigate to ADVANCED > High Availability and configure:
   Cluster Shared Secret: campussecret
3. Click Save.

Perform the initial configuration
1. From the Management Client, open a Firefox tab, and navigate to: http://waf9b.cudau.org:8000
2. Log in with the default WAF credentials.
3. Go to BASIC > IP Configuration and configure:
   Default Host Name: waf9b
   Default Domain: cudau.org
4. Click Save.
   Note: If the interface does not automatically reset in 2 minutes, navigate to http://waf9b.cudau.org:8000 and log in again.
5. Go to BASIC > Administration and change the following configuration settings:
   Session Expiration Length: 120 minutes
   System Alerts Email Address: postmaster@cudau.org
   System Contact Email Address: postmaster@cudau.org
6. Click Save.
7. Continue by changing the admin password:
   Old Password: admin
   New Password: campuspass
   Retype the password.
8. Click Save Password.
9. Go to ADVANCED > Secure Administration and configure:
   Web Interface HTTPS/SSL Port: 8443
10. Click Save.
11. From another tab, log into https://waf9b.cudau.org:8443 and continue through the certificate security check.
12. Log in with the new credentials.
13. In the waf9b tab, go to the ADVANCED > Secure Administration page and configure:
   HTTPS/SSL Access Only: Yes

Configure a Cluster Shared Secret in WAF9b and start the clustering procedure
1. Open Firefox, navigate to http://waf9b.cudau.org:8443 and log into the WAF management interface.
2. Navigate to ADVANCED > High Availability and configure:
   Cluster Shared Secret: campussecret
3. Click Save.
4. Log in again to the WAF management interface.
5. Enter the Peer IP Address: <waf9a wan IP>
6. Click Join Cluster.
7. Wait until the clustering procedure finishes.
8. Verify that the configuration has been synced successfully by checking the BASIC > Services page.
9. Verify that Badstore is still reachable from the client.
10. Close the waf9b tab.
1.5 Attacking a Web App through the WAF

1.5.1 Lab Instructions
In this lab, you will learn how to create, activate, and test a Barracuda Web Application Firewall service. Launch an attack against the passive service. Activate the service and then relaunch the attack tasks.

1.5.2 Step-by-Step Guide

Activate the service
1. In the Barracuda Web Application Firewall web interface, go to BASIC > Services.
2. Edit the Badstore service.
3. Change the Mode of the service to Active.
4. Click Save.

Turn on Data Theft Protection
1. In the Barracuda Web Application Firewall interface, go to WEBSITES > Advanced Security.
2. Click Edit next to the default-url-policy for the Badstore service in the Advanced Security section.
3. Click Yes next to Enable Data Theft Protection.
4. Click Save.

Connect to the Attack Client
1. Open an RDP client and navigate to the Attack Client: 198.51.100.254
2. Log in:
   Username: student
   Password: campuspass
3. If the first login fails, click OK and re-enter the credentials.

Launch an SQL attack against the active service and check the Firewall logs
1. In Firefox_dev, navigate to: http://www.bigfishinc.org
2. Click What's New.
3. In the Quick Item Search field, enter 1 OR 1=1-- (make sure you end your statement with a space!). The query will fail, and the error message is cryptic and uninformative.
4. On the Admin Client, in the WAF web interface, go to the BASIC > Web Firewall Logs page. The attack is listed with an action of DENIED.

Perform reconnaissance using Nikto against the service
1. Open a second instance of the terminal emulator (Applications).
2. At the command prompt, enter:
   /opt/nikto/program/nikto.pl -h http://www.bigfishinc.org
3. Note that Nikto now displays very little information about the Badstore site, compared to the Nikto scan launched directly against the Badstore website earlier. You can easily compare the two attempts by placing the two terminal instances next to each other.
4. In the WAF web interface, go to the BASIC > Web Firewall Logs page. Note the large number of attacks launched by the Nikto scan and blocked by the Barracuda Web Application Firewall.

Attempt a cookie tampering attack
1. Following the instructions from Lab 1.2.2 ("Get ready to place an order" and "Perform a cookie tampering attack"), attempt to perform a cookie tampering attack by changing the value of the cost of the shopping cart in the cookie. Notice that the Barracuda Web Application Firewall prevents this attack.
2. In the WAF web interface, go to the BASIC > Web Firewall Logs page. Notice that the attack has been logged as a Cookie Tampering attack.
3. On the Badstore site, click View Previous Orders. Notice that any credit card numbers are now cloaked.
4. On the Management Client, in the WAF web interface, go to the BASIC > Web Firewall Logs page. Notice that an Identity Theft Pattern Matched has been logged and cloaked.
5. If you still have the ProxySwitcher set to ZAP, change it to No Proxy.

Launch an SQL attack against the passive service and check the Web Firewall logs
1. In Firefox_dev, navigate to: https://www.bigfishinc.org
2. Click What's New.
3. In the Quick Item Search field, enter 1 OR 1=1--
4. The query will be successful. Even encrypted services are vulnerable to web application attacks!
5. In the WAF web interface, go to BASIC > Services.
6. Edit the Badstore_ssl service and change the Mode from Passive to Active.
7. Click Save.
8. In the Badstore website, on the What's New page, in the Quick Item Search field, enter 1 OR 1=1--
9. The attack is blocked and an uninformative error message is displayed because the service is now active.
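What "cloaked" means in the cookie tampering steps above, as an added example that is not the WAF's own Data Theft Protection code: a response-body filter that finds candidate card numbers, confirms them with the Luhn checksum so that order and tracking numbers are left alone, and masks every digit but the last four. The regular expression, the masking format and the sample response body are assumptions; the card number is the Discover test number the lab enters in 1.2.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. This pattern is an assumption.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of a "previous orders" page body (not real Badstore output).
SAMPLE_BODY = (
    "Order 5024 for hacker@cudau.org\n"
    "Paid with card 6011 0000 0000 0004, exp 05/20\n"
    "Tracking id 1234567890123456\n"
)


def luhn_ok(digits):
    """Luhn checksum: from the right, double every second digit, subtract 9
    from any result above 9, and require the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _cloak_match(match):
    """Mask one regex hit, keeping separators and the last four digits."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw  # fails the checksum: an ID or counter, not a card number
    remaining = len(digits) - 4
    out = []
    for ch in raw:
        if ch.isdigit() and remaining > 0:
            out.append("X")
            remaining -= 1
        else:
            out.append(ch)
    return "".join(out)


def cloak_card_numbers(body):
    """Return the body with every Luhn-valid card number masked."""
    return CARD_RE.sub(_cloak_match, body)


if __name__ == "__main__":
    print(cloak_card_numbers(SAMPLE_BODY))
```

The checksum step is what keeps the filter from mangling every long number on the page: the 16-digit tracking id in the sample fails Luhn and passes through untouched, while the card number is rewritten as XXXX XXXX XXXX 0004.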
1.6 Access Control

1.6.1 Lab Instructions
In this lab, you will learn how to configure the Barracuda Web Application Firewall to use an external LDAP server to authenticate users for the admin section of the Badstore website. Configure the Barracuda Web Application Firewall to use an external LDAP server for authentication.

1.6.2 Step-by-Step Guide

Configure an LDAP server
1. In the WAF web interface, go to ACCESS CONTROL > Authentication Services.
2. Under the LDAP tab, specify the following settings:
   Realm Name: cudau.org
   Server Name/IP: 10.1.1.10
   Server Port: 389
   Secure Connection Type: none
   Bind DN (Username): CN=admin,DC=CUDAU,DC=ORG
   Base DN: DC=CUDAU,DC=ORG
   Bind Password: secret
   Login Attribute: uid
   Group Name Attribute: gid
   Query For Group: Yes
3. Click Test LDAP. The LDAP test succeeds.
4. Click Add. The cudau.org service is added to the Existing Authentication Services table.
5. Go to ACCESS CONTROL > Authentication Policies.
6. Click Edit Authentication for the Badstore service. Specify the following settings:
   Change Status to On.
   From the Authentication Service list, select cudau.org.
   Click Save.

Configure authorization
1. Go to ACCESS CONTROL > Authentication Policies.
2. Click Add Authorization for the Badstore service.
3. In the Policy Name field, enter Auth0.
4. For Status, select On.
5. In the URL Match field, enter /cgi-bin/badstore.cgi
6. For Extended Match, click the Edit icon to display the Extended Match widget:
   Element Type: Parameter
   Element Name: Select the Others check box and enter action
   Operation: is equal to
   Value: admin
   Click Insert. The Header Expression field displays: Parameter action eq admin
   Click Apply.
7. Click Save.

Authentication
1. In Firefox_dev, navigate to: http://www.bigfishinc.org/cgi-bin/badstore.cgi?action=admin
   You are prompted for a username and password.
2. Use the following credentials to log in:
   user: tommy
   pw: CudaL3arner!
   You will still not be able to view the Sales Report because your new user is not listed as an admin on the Badstore site.
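How the Auth0 rule configured above is evaluated against a request, as an added example that illustrates the rule's semantics and is not Barracuda's matching code: the URL Match and the extended match "Parameter action eq admin" are applied to the parsed request URL, and only a request that satisfies both is sent to the login prompt. Treating URL Match as an exact path comparison is an assumption (the guide does not say whether the WAF matches exactly, by prefix or by pattern), and the non-admin request URL is constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed policy table mirroring the lab's Auth0 rule.
POLICIES = [
    {
        "name": "Auth0",
        "status": "On",
        "url_match": "/cgi-bin/badstore.cgi",
        # Header Expression shown in the lab: "Parameter action eq admin"
        "extended_match": ("Parameter", "action", "eq", "admin"),
    },
]


def extended_match_hits(rule, params):
    """Evaluate one extended-match rule against the parsed query string.

    Only the Parameter element type and the 'eq' operation from the lab are
    modelled; anything else is rejected rather than silently treated as a hit.
    """
    element, name, op, value = rule
    if element != "Parameter" or op != "eq":
        raise ValueError(f"unsupported extended match: {rule}")
    return value in params.get(name, [])


def matching_policy(url, policies=POLICIES):
    """Return the name of the first enabled policy that covers the request, or None."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for policy in policies:
        if policy["status"] != "On":
            continue
        if parts.path != policy["url_match"]:  # exact path match (assumption)
            continue
        rule = policy["extended_match"]
        if rule is not None and not extended_match_hits(rule, params):
            continue
        return policy["name"]
    return None


def decide(url, authenticated, policies=POLICIES):
    """'allow' when no policy applies or the user already has a session,
    'challenge' (present the login prompt) otherwise."""
    if matching_policy(url, policies) is None:
        return "allow"
    return "allow" if authenticated else "challenge"


if __name__ == "__main__":
    admin_url = "http://www.bigfishinc.org/cgi-bin/badstore.cgi?action=admin"
    print(admin_url, "->", decide(admin_url, authenticated=False))
    # constructed non-admin request: same script, a different action value
    other_url = "http://www.bigfishinc.org/cgi-bin/badstore.cgi?action=search"
    print(other_url, "->", decide(other_url, authenticated=False))
```

The policy decides only whether the request may reach the admin URL; Badstore's own role check runs afterwards, which is why tommy is prompted for credentials and then still cannot open the Sales Report.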