
Barracuda Web Application Firewall

WAF0201 - Barracuda Web Application Firewall - Advanced Features

Lab Guide
Official learning material for Barracuda Campus training courses.
Table of Contents
Task 1 Connect to Environment (page 2)
Task 2 Creating Allow/Deny/Redirect URL ACLs (page 3)
Task 3 Adaptive Profiling (page 6)
Task 4 JSON Security (page 9)
Task 5 Client-Side Protection (page 13)
WAF0201 - Barracuda Web Application Firewall - Advanced Features

Task 1 Connect to Environment


Lab Instructions
In this lab, you will connect to your environment.

Step-by-Step Guide
1 Connect to the Admin Client
1. Open an RDP client.
2. Navigate to the Admin Client.
3. Use the following credentials to log into the system:
• Username: student
• Password: CudaL3aner!

2 Connect to the Attack Client


4. Open an RDP client.
5. Navigate to the Attack Client.
6. Use the following credentials to log into the system:
• Username: student
• Password: CudaL3aner!
7. If the first login fails, click OK and re-enter the credentials.

Barracuda Campus | 2

Task 2 Creating Allow/Deny/Redirect URL ACLs
Lab Instructions
In this lab, you will explore how to use extended matching rules to allow and deny requests based on
various characteristics. You will be using extended matching rules to enhance security for the Badstore
website.
• Understand the role of extended matching rules in the Barracuda Web Application Firewall.
• Create allow and deny rules for certain types of requests and test them.
• Apply a recommended policy fix from the Barracuda Web Application Firewall log.

Step-by-Step Guide
1 Create a service
1. From the Admin Client, open Firefox, and navigate to: http://wafa.cudau.org:8000
2. Log in with the WAF credentials:
• Username: admin
• Password: CudaL3arner!
3. Navigate to BASIC > Services.
4. Create a new service with the following settings:
• Service Name: badstore
• Type: HTTP
• Virtual IP Address: <VIP1>
• Port: 80
• Real Servers: <Badstore IP>
• Create Group: No
• Service Groups: default
5. Click Add.

3 Block all requests to the Badstore website


1. In the WAF web interface, go to BASIC > Services and make sure that your Badstore service has
its mode set to Active.
2. Go to WEBSITES > Allow/Deny/Redirect.
3. Next to the Badstore service, click the drop-down menu and select Add. The Create ACL window
opens.
4. Create an ACL rule with the following settings:
• Name: DenyAll
• Enable URL ACL: Yes
• Action: Deny and Log
5. Click Save. The Deny All rule is listed under the Badstore service.

6. On the Attack Client, in firefox_dev, try to navigate to: http://www.bigfishinc.org


Now, regardless of which portion of the site that you try to access, you are greeted with a cryptic
error message that has no useful information. However, restricting all access to the website is not
very useful. Create some more rules that will allow only specific URLs to be accessible.

4 Allow a subset of paths to be accessed


1. In the WAF web interface, go to WEBSITES > Allow/Deny/Redirect.
2. In the Badstore service, create a rule that lets users access only CGI scripts.
• Name: CGI
• URL Match: /*.cgi
• Action: Process
3. With firefox_dev, navigate to: http://www.bigfishinc.org/cgi-bin/badstore.cgi
4. As you navigate through the website, some of the page content is displayed, but all images
appear to be broken.

5 Test the configuration and tweak it


1. In the WAF web interface, go to BASIC > Web Firewall Log and view the requests. This information
should help you craft additional rules that render the website correctly.
2. On the WEBSITES > Allow/Deny page, create rules to allow these types of files:
• /*.gif
• /*.js
• /*.css
• /*.jpg
• /*.png

You can use the copy function to increase efficiency.

3. Try to navigate again to: http://www.bigfishinc.org/cgi-bin/badstore.cgi


4. Now as you navigate through the website, all of the pages should render correctly.

6 Create a rule from a Web Firewall Log entry


1. At the very bottom of the left-hand navigational bar of the Badstore website, click on the
Badstore.net Manual v1.2 link.
2. This request is blocked because rules for handling PDFs have not been created yet. As a result, the
blanket Deny All rule is applied.
3. In the WAF web interface, go to BASIC > Web Firewall Logs.
4. To examine the request, click Details at the end of the row for the request. The Web Firewall Log
Details window opens with information about the request that can be used to modify the behavior
of the WAF for this particular service, if necessary.
5. Next to the Web Firewall log entry that blocked the PDF from loading, click Fix. The Policy Fix
window opens and displays specific recommendations for fixing the rule.
6. Click Apply Fix.
7. Click Close.

8. In the WAF interface, go to WEBSITES > Allow/Deny/Redirect. Notice that a new rule allowing the
Badstore PDF manual has been added.
9. In the Badstore site, access the Badstore PDF manual. This time, the manual download loads
successfully.
10. Try to access the following directories:
• /backup/
• /supplier/
Notice that these attempts at forceful browsing are now blocked by the Barracuda Web
Application Firewall.
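The following is an added example, not Barracuda code, that models the URL ACL set built in this task and shows why the DenyAll rule and the per-extension Process rules produce the observed behaviour. It assumes that when several ACLs match a path the most specific pattern wins (a modelling choice, not Barracuda's documented matching algorithm); the PDF rule's pattern "/*.pdf" and the image path are constructed.

```python
"""Toy model of the URL ACL set built in Task 2.

Added example, not Barracuda code. Assumption: when several ACLs match a
request path, the most specific one (the pattern with the most literal,
non-wildcard characters) wins. That is how DenyAll and the per-extension
Process rules coexist in the lab; it is a modelling choice, not Barracuda's
documented matching algorithm.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from urllib.parse import urlsplit

DENY = "Deny and Log"
PROCESS = "Process"


@dataclass(frozen=True)
class UrlAcl:
    name: str
    url_match: str  # glob, as typed into the URL Match field
    action: str


# The rules created during Task 2. The PDF rule is generated by the WAF's
# Policy Fix and its exact pattern is not shown in the guide; "/*.pdf" is a
# constructed stand-in.
TASK2_ACLS = [
    UrlAcl("DenyAll", "/*", DENY),
    UrlAcl("CGI", "/*.cgi", PROCESS),
    UrlAcl("GIF", "/*.gif", PROCESS),
    UrlAcl("JS", "/*.js", PROCESS),
    UrlAcl("CSS", "/*.css", PROCESS),
    UrlAcl("JPG", "/*.jpg", PROCESS),
    UrlAcl("PNG", "/*.png", PROCESS),
    UrlAcl("ManualPDF", "/*.pdf", PROCESS),
]


def specificity(pattern: str) -> int:
    """Literal character count: '/*.cgi' scores 5 and beats '/*' at 1."""
    return sum(1 for ch in pattern if ch not in "*?")


def evaluate(url: str, acls=TASK2_ACLS) -> tuple[str, str]:
    """Return (rule name, action) for a request URL.

    Only the path is matched; query string and fragment are ignored. With no
    matching ACL the request falls through to normal processing.
    """
    path = urlsplit(url).path or "/"
    matching = [a for a in acls if fnmatch.fnmatchcase(path, a.url_match)]
    if not matching:
        return ("<no ACL>", PROCESS)
    best = max(matching, key=lambda a: specificity(a.url_match))
    return (best.name, best.action)


if __name__ == "__main__":
    for url in (
        "http://www.bigfishinc.org/cgi-bin/badstore.cgi?action=loginregister",
        "http://www.bigfishinc.org/images/logo.gif",  # constructed path
        "http://www.bigfishinc.org/backup/",
        "http://www.bigfishinc.org/supplier/",
    ):
        rule, action = evaluate(url)
        print(f"{action:12} via {rule:10} {url}")
```

Running `evaluate` on the /backup/ path with DenyAll removed from the list shows the request falling through unblocked, which is why the blanket deny rule has to stay in place.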

7 Delete all the manual URL ACLs


1. In the Barracuda Web Application Firewall web interface, go to WEBSITES > Allow/Deny/Redirect.
2. Delete all the URL ACLs.


Task 3 Adaptive Profiling


Lab Instructions
In this lab, you will learn how to use adaptive profiling to automatically create a website profile. You
will create a profile describing allowed traffic for the Badstore web application. Then, you will configure
the Barracuda Web Application Firewall to suggest policy changes when exceptions to the policy are
encountered.
• Use the Adaptive Profiling module in the Barracuda Web Application Firewall to profile the
Badstore website.
• Fine-tune security policies and profile exceptions.

Step-by-Step Guide
1 Configure Adaptive Profiling
1. In the WAF web interface, go to WEBSITES > Website Profiles.
2. From the Website drop-down menu, select the Badstore service.
3. Click Start Learning. A prompt appears.
4. Click OK.
5. On the Attack Client, close all the Firefox_dev instances.
6. Open firefox_dev and navigate to: http://www.bigfishinc.org
7. This will clear any user session that you currently have on the Badstore website so that you are
seen as an unregistered user.
8. Click the first seven links in the left-hand navigational bar.
9. On the Login/Register page, register as a new user and log in.
10. While you are logged in as the new user, click the first seven links in the left-hand navigational bar
again.

2 Investigate Response Learning and Hidden Parameter Protection


1. Wait a few minutes and then go to WEBSITES > Website Profiles.
The Barracuda Web Application Firewall uses the requests that you submitted by clicking on the
page links to construct a profile of the web application. It has learned several URLs and a series of
parameters. This is because the Badstore website uses the same URL with different parameter
values to generate different pages.
2. In the URL Profiles section, select the check box in front of /cgi-bin/badstore.cgi. The Parameter
Profiles section populates.
3. Look for the role parameter. It might be found on the second page of the Parameter Profiles
section.
4. Note that the role parameter is marked as Read Only.
5. View the HTML source code of the Login/Register page on the Badstore website. The Barracuda
Web Application Firewall was also able to extract the parameters of the form. Use the search
function to find the role parameter. As you can see, the hidden parameter named Role was
extracted from the response and profiled as a parameter for the URL. Since it is a hidden variable,
it was marked as read-only because there is no interface for the user to change the value of the
variable.
6. Click Stop Learning.
7. Click OK.

3 Edit the profile for the HTTP service


1. In the Barracuda Web Application Firewall web interface, go to WEBSITES > Website Profiles.
2. Next to the Start Learning button, click Edit.
3. Confirm that Use Profile is set to Yes, and set Strict Profile Check to Yes.
4. Change the Mode of the profile to Active.
5. Click Save.
6. Select all entries in the URL Profiles section, and then select Lock All Profiles from the More Actions
drop-down menu. The mode for all profiles is set to Active.
7. Edit each URL profile by clicking the Edit button next to the profile. For each profile, change
Hidden Parameter Protection from Forms & URLs to Forms.
8. Click Save.

4 Navigate to the Badstore website


1. Log into the Attack Client.
2. Close all the Firefox_dev instances.
3. Open Firefox_dev and navigate to: http://www.bigfishinc.org/cgi-bin/Badstore.cgi
4. Click the Home link.
5. As an unregistered user, confirm that you can access the website by clicking on the seven links
listed in the left-hand frame.

5 Tamper a login request


1. On the Badstore website, go to the Login/Register page.
2. Select ZAP in ProxySwitcher.
3. Open ZAP.
4. Make sure that the Break tab is shown.
5. In ZAP, click the green circle to trap any future requests. The circle turns red.
6. In the Badstore website, fill out the form fields to register a new account, and click Register.
The request is trapped in ZAP.
7. Change the Role parameter to A.
8. Click the blue Play button to send the register request. The web page opens with an error
message that states “URL Not Found”.
9. In the WAF web interface, go to the BASIC > Web Firewall Logs page and examine the logs.
10. The tampering is registered as an attack because you attempted to change the value of a
parameter that was profiled as read-only.
11. Select No Proxy in ProxySwitcher.


6 Use Adaptive Profiling to prevent forceful browsing


1. On the Badstore website, try to browse to a URL directory that does not have a link on the main
page, such as:
• http://www.bigfishinc.org/backup
• http://www.bigfishinc.org/supplier
2. Notice that these attempts at forceful browsing are now blocked by the Barracuda Web
Application Firewall.
3. In the Barracuda Web Application Firewall web interface, go to the BASIC > Web Firewall Logs
page and find the log entries for these blocked attempts at forced browsing.
4. Notice the error message is “No URL Profile Match”. The request was denied because this URL
does not have a profile. This is emblematic of the positive security model employed by the
Barracuda Web Application Firewall.

7 Configure exception profiling


1. In the WAF web interface, go to WEBSITES > Exception Profiling.
2. In the Exception Profiling section, click Edit for the Badstore service.
3. From the Exception Profiling Level list, select Low.
4. Click Save.
5. Go to WEBSITES > Exception Heuristics.
6. In the Exception Profiling Level section, select Low and click Show Definition.
7. In the Request Violation Handling section, change the following settings for the Forceful Browsing
> No URL Profile Match violation group and type:
• Setting: Manual
• Trigger Count: 1
8. Click Save.

8 Check the pending recommendations


1. On the Attack Client, in Firefox_dev, navigate to: http://www.bigfishinc.org/supplier/
2. The request fails.
3. In the WAF web interface, go to WEBSITES > Exception Profiling.
4. Check the Pending Recommendations section. Soon, you should see a pending recommendation
to create a URL profile for /supplier/.
5. Select the check box next to the pending recommendation and click Apply Fix.
6. Go to the WEBSITES > Website Profiles page and see that a new URL profile allowing supplier has
been added to the list.
7. In Firefox, navigate to: http://www.bigfishinc.org/supplier/ . The request is now successful.

9 Delete the website profile


1. Go to the WEBSITES > Profiles page and delete the learned URL ACLs.
2. Switch the Website Profile from Active to Passive.


Task 4 JSON Security


Lab Instructions
In this lab, you will learn how to set up JSON Security to protect your web application against REST
attacks.

Step-by-Step Guide
1 View the available API calls on the API server
1. On the Admin Client, in Firefox, navigate to http://backend.cudau.org:8080/api/petstore/1.0.0/ui.
Different methods are supported for different actions. For example, updates to pets are done via the
PUT method, states are requested via the GET method, and the POST method is used for tasks such as
uploading images or placing an order.

Notify your trainer if the page is not available.

2 Create a Service for the REST Application and set it to active


1. In the WAF UI, navigate to BASIC > Services.
2. Create a new service with the following settings:
• Service Name: petstore_api
• Type: HTTP
• Virtual IP Address: 172.30.1.102
• Port: 8080
• Real Servers: 172.30.1.220
• Create Group: No
• Service Groups: default
3. Click Add.
4. At the newly created service click Edit.
5. Set the Mode to Active.

By default, the port used for communication with the server is port 80; it needs to be changed.

6. At the server click Edit.


7. Change the port to 8080.
8. Click Save.

3 Setting up JSON Security


9. Navigate to Websites > JSON Security.
10. Click Import API Spec.


11. In the API Discovery Wizard enter:


• Service: petstore_api
• API Specs to be used: Import new Spec file
• API Spec Name: petstore_api
12. At select file click Browse.
13. In the file upload window, select Desktop.
14. Open the JSON folder.
15. Select the petstore_chek.yaml file.
16. Click Open.
17. Click Next.

The API Discovery Wizard shows the JSON profiles that will be configured.

18. View the JSON profiles the Wizard will create for the Service.
19. Click Next.
20. Make sure the JSON profile is set to active.
21. Choose the default-policy.
22. Click Next.
23. View the summary and click Apply.
24. In the pop-up window click OK.

The JSON profiles are now applied; this might take a few minutes.

Client profile validation is disabled for this lab. Otherwise, the WAF would mark requests coming
from Insomnia as suspicious and challenge the client.

25. Go to Security Policies > Client Profile.


26. At Client Profile enter:
• Enable Client Profile Validation: No
27. Click Save.

4 Test the JSON profile's key profile


1. On the Attack Client, open Insomnia.
2. On the left select Login.
3. Click Send.
On the right, you will see the response of the application. It should look like this, indicating that the
login was successful.

4. On the left click Place order.


5. Click Send.
The WAF returns a 404 error. That should look similar to this.

6. On the Admin Client, go to the WAF's Web Firewall Logs.


The request has been blocked.
7. View the Attack Details. The request has been blocked because the Max Number Value for the key
quantity has been exceeded.

5 Test the JSON profile with a SQL injection


1. On the Attack Client, open Insomnia.
2. On the left, select SQL injection.
3. Click Send.
The WAF returns a 404 error. That should look similar to this.

4. On the Admin Client, go to the WAF's Web Firewall Logs.


5. The request has been blocked.
6. View the Attack Details. The request has been blocked because a SQL injection in the JSON data has
been detected.


6 Test the JSON profiles by using a wrong method


1. On the Attack Client, open Insomnia from the desktop.
2. On the left select Login wrong method.
3. Click Send.
In Insomnia on the right you will see that the WAF has returned a 404 error, similar to this:

4. On the Admin Client, go to the WAF's Web Firewall Logs.


5. The request has been blocked.
6. View the Attack Details. The request has been blocked because the method PUT is not allowed for
the profile.

7. Go to Security Policies > Client Profile.


8. At Client Profile enter:
• Enable Client Profile Validation: Yes
9. Click Save.
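As an added example, not Barracuda code, the following models the three JSON Security checks this task triggers (method not allowed for the profile, Max Number Value exceeded for quantity, SQL injection in the JSON data). PETSTORE_SPEC is a constructed stand-in for the petstore_chek.yaml spec and its paths and limits are assumptions, not values from the lab file.

```python
"""Toy model of the JSON Security checks exercised in Task 4. Added example,
not Barracuda code; PETSTORE_SPEC is a constructed stand-in for the
petstore_chek.yaml spec imported by the API Discovery Wizard."""
from __future__ import annotations

import re

# One JSON profile per URL: allowed methods plus per-key limits (constructed).
PETSTORE_SPEC = {
    "/api/petstore/1.0.0/store/order": {
        "methods": {"POST"},
        "keys": {"petId": {"max": 1_000_000}, "quantity": {"max": 100},
                 "status": {"max_length": 32}},
    },
    "/api/petstore/1.0.0/user/login": {
        "methods": {"POST"},
        "keys": {"username": {"max_length": 64}, "password": {"max_length": 128}},
    },
}

# Narrow signatures for the classic tautology, UNION and stacked-query probes
# that a WAF's SQL injection check looks for inside JSON string values.
SQLI = re.compile(r"(?i)('\s*or\s+\S+\s*=\s*\S+|\bunion\s+select\b|;\s*drop\s+table\b)")


def _strings(value, where="$"):
    """Yield (json path, string) pairs from nested JSON data."""
    if isinstance(value, str):
        yield where, value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from _strings(v, f"{where}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _strings(v, f"{where}[{i}]")


def inspect_request(method: str, path: str, body) -> tuple[bool, str]:
    """Return (allowed, reason), running the checks in the order the lab
    triggers them: method for the profile, key limits, SQL injection."""
    profile = PETSTORE_SPEC.get(path)
    if profile is None:  # modelling assumption: unprofiled URLs are not inspected
        return True, "no JSON profile for this URL"
    if method.upper() not in profile["methods"]:
        return False, f"method {method.upper()} is not allowed for the profile"
    if not isinstance(body, dict):
        return False, "JSON body is not an object"
    for key, rule in profile["keys"].items():
        val = body.get(key)
        if "max" in rule and isinstance(val, (int, float)) and val > rule["max"]:
            return False, f"Max Number Value exceeded for key {key}"
        if "max_length" in rule and isinstance(val, str) and len(val) > rule["max_length"]:
            return False, f"Max Length exceeded for key {key}"
    for where, text in _strings(body):
        if SQLI.search(text):
            return False, f"SQL injection in JSON data at {where}"
    return True, "ok"
```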


Task 5 Client-Side Protection


Lab Instructions
In this lab, you will learn how to use content security policies and sub-resource integrity with the
Barracuda Web Application Firewall.

Step-by-Step Guide
1 Add a Client-Side Protection Rule for the Badstore's Login Page
1. In the WAF web interface, go to Websites > Client-Side Protection.
2. On this page, click Add Rule, next to the Badstore service.
3. Enter the following:
• Rulename: loginregister
• URL Match: /cgi-bin/badstore.cgi
• Host Match: *
4. For Extended Match, click the Edit icon to display the Extended Match widget:
• Element Type: Parameter
• Element Name: Select the Others check box and enter action
• Operation: is equal to
• Value: loginregister
• Click Insert. The Header Expression field displays: Parameter action eq loginregister
• Click Apply.
• Click Save.
After the page has reloaded, the rule including the default content security policy appears in the table.
Note that the default CSP policy is in report-only mode. Only change the mode to block when you are
sure your configuration is working!

2 Add a Content Security Policy


1. At the default CSP policy, click the drop-down menu and select edit.
2. Enter the following:
• Status: On
• Mode: Report Only
• CSP Policy Action: Create Policy
• Default Source: Self
• Script Source > Script Source Elements: Self
3. Click Save.
4. After the page has reloaded, open the Content Security Policy element. Note that it currently only
holds the default source, the script source, and the report-uri.


3 Test the Content Security Policy


1. In Chrome, go to http://www.cudau.org/cgi-bin/badstore.cgi?action=loginregister .
2. Right-click and select Inspect. The DevTool opens.
3. Go to the Console tab. The first entry says that the inline style violates the default CSP and that
there is no style-src configured. So you need to set the style-src to unsafe-inline.
4. Close the DevTools.

4 Adjust the Content Security Policy


1. In the WAF GUI, click edit at the default_csp.
2. Click Style Source > Style Source and select Unsafe Inline.
3. Open the Content Security Policy Element. The style-src with the value unsafe-inline has
been added.

5 Test the Content Security Policy


1. Go to Chrome and refresh the page.
2. Right-click and select Inspect. The DevTool opens.
3. Go to the Console tab. The first entry says that the inline style violates the style-src
configured and that style-src-element is not configured.
4. Close the DevTools.

6 Adjust the Content Security Policy


1. In the WAF GUI, click edit at the default_csp.
2. Click Style Source > Style Source, Except for Styles Defined in Inline Attributes and select Self.
3. Open the Content Security Policy element. The style-src-element with the value self has
been added.

7 Test the Content Security Policy


1. Go to Chrome and refresh the page.
2. Right-click and select Inspect. The DevTool opens.
3. Go to the Console tab. There are no more errors.
4. Close the DevTools.


8 Add a Subresource Integrity policy


1. At the loginregister rule, select add SRI from the drop-down menu.
2. In the pop-up window, enter:
• Subresource Name: login_sri
• URL to inspect: https://www.cudau.org/cgi-bin/badstore.cgi?action=loginregister
3. Click Fetch Resource.
4. All the subresources present at this URL appear, including their integrity tokens. In this example,
there is only one subresource, with the URL /css/global.css.
5. Click Save.
6. The login_sri has been added to the table.

9 Test the Subresource Integrity Policy


1. Open Chrome and navigate to
http://badstore.cudau.org/cgi-bin/badstore.cgi?action=loginregister .
2. Right-click on the page and select inspect.
3. Open the header.
4. Press ctrl+f and search for integrity.
5. Note that the integrity hash is the same as the one in the SRI configuration. With this hash, the
browser can verify whether the sub-resource has been altered.
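The following added example, not Barracuda code, shows what the integrity token in the SRI configuration is and how a browser checks a served stylesheet against it, including the case where the attribute lists hashes of several strengths. The stylesheet body is constructed; the lab's real /css/global.css and its hash are not reproduced.

```python
"""Subresource Integrity as used in Task 5: computing the integrity token
for a fetched subresource and verifying a served copy against it. Added
example, not Barracuda code; GLOBAL_CSS is a constructed stand-in for the
body of /css/global.css at fetch time."""
from __future__ import annotations

import base64
import hashlib

GLOBAL_CSS = b"body{margin:0;font-family:sans-serif}\n.login{width:320px}\n"

# Strength order the browser uses when an integrity attribute lists several hashes.
ALGORITHMS = ("sha256", "sha384", "sha512")


def integrity_token(body: bytes, alg: str = "sha384") -> str:
    """Return '<alg>-<base64 digest>', the value placed in the integrity attribute."""
    if alg not in ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm {alg}")
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def link_tag(href: str, body: bytes) -> str:
    """Render a <link> tag carrying the token, like the one found in the page header."""
    return (f'<link rel="stylesheet" href="{href}" '
            f'integrity="{integrity_token(body)}" crossorigin="anonymous">')


def verify(body: bytes, integrity: str) -> bool:
    """Check a served body against an integrity attribute the way a browser does:
    keep only the hashes of the strongest listed algorithm, accept if any matches."""
    parsed = []
    for token in integrity.split():
        alg, _, b64 = token.partition("-")
        if alg in ALGORITHMS and b64:
            parsed.append((alg, b64))
    if not parsed:
        return True  # no usable metadata: browsers load the resource unchecked
    strongest = max((alg for alg, _ in parsed), key=ALGORITHMS.index)
    expected = {b64 for alg, b64 in parsed if alg == strongest}
    actual = base64.b64encode(hashlib.new(strongest, body).digest()).decode("ascii")
    return actual in expected


if __name__ == "__main__":
    token = integrity_token(GLOBAL_CSS)
    print(link_tag("/css/global.css", GLOBAL_CSS))
    print("unchanged:", verify(GLOBAL_CSS, token))
    print("one byte changed:", verify(GLOBAL_CSS.replace(b"320", b"321"), token))
```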

© Barracuda Networks Inc., 2021. Revision: 8/18/2022.
The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No portion of
this document may be copied, distributed, publicized or used for other than internal documentary purposes without the
written consent of an official representative of Barracuda Networks Inc. All specifications are subject to change without
notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document. Barracuda Networks Inc.
reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
