LabGuide
Official learning material for Barracuda Campus training courses.
Table of Contents
Task 1 Attacking a Web Application (page 2)
Task 2 Performing the Initial and Service Configuration (page 7)
Task 3 Clustering (page 10)
Task 4 Attacking a Web App through the WAF (page 12)
Task 5 Bot Mitigation (page 14)
Task 6 Access Control (page 16)
WAF01 - Barracuda Web Application Firewall - Foundation
Step-by-Step Guide
1 Connect to the Attack Client
1. Open an RDP client.
2. In the RDP settings, set the color depth to 16-bit.
3. Navigate to the Attack Client.
4. Log in:
• Username: student
• Password: CudaL3aner!
5. If the first login fails, click OK and reenter the credentials.
Barracuda Campus | 2
15. Open Nikto from the desktop. At the command prompt, enter:
nikto.pl -h http://badstore.bigfishinc.org
The output displays the HTTP methods that are allowed, the version information about the
software packages the server is running, and other vulnerabilities.
11. Find the number 5024 and change it to the number 1. Note that the number is included in the
cleartext cookie.
Don’t use the num-pad keys because they might cause strange behavior.
12. In OWASP ZAP, click the blue Play button to submit the edited request.
13. If another request is trapped, click the blue Play button again.
14. Click View Previous Orders. Notice that the credit card number is displayed.
15. The purchase completes, with a charge of $1 instead of $5024.
16. In Firefox_dev, switch back to no Proxy.
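The purchase above went through at $1 because the price travels in a cleartext cookie that the server trusts. The following is an added example, not code from the lab or from Badstore, showing the two server-side fixes: the cart cookie carries an HMAC-SHA256 tag so any edit of the payload is rejected, and the charge is computed from a server-side catalogue rather than from any price field the client sends. The key, the catalogue and the item id are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side key for this example; a deployment would load it from a secret store.
SECRET_KEY = b"example-server-side-key-not-for-reuse"

# Constructed catalogue: the authoritative price is kept server-side, never in the cookie.
CATALOGUE = {"item-1001": 5024}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(cart: dict) -> bytes:
    # Canonical JSON so the same cart always produces the same bytes (and the same tag).
    return json.dumps(cart, sort_keys=True, separators=(",", ":")).encode()


def sign_cart(cart: dict, key: bytes = SECRET_KEY) -> str:
    """Issue a cart cookie as <payload>.<tag>, where tag = HMAC-SHA256(key, payload)."""
    payload = _encode(cart)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_cart(cookie: str, key: bytes = SECRET_KEY):
    """Return the cart if the tag verifies, otherwise None (treat as no cart at all)."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def edit_cookie_without_key(cookie: str, new_cart: dict) -> str:
    """Reproduce the lab's cookie edit: change the payload but keep the original tag."""
    _, tag_b64 = cookie.split(".", 1)
    return f"{_b64(_encode(new_cart))}.{tag_b64}"


def checkout_total(cart: dict) -> int:
    """Charge from the server-side catalogue; any 'price' field in the cookie is ignored."""
    return sum(CATALOGUE[item] * int(qty) for item, qty in cart["items"].items())


if __name__ == "__main__":
    issued = sign_cart({"items": {"item-1001": 1}, "price": 5024})
    print("valid cookie:", verify_cart(issued))
    forged = edit_cookie_without_key(issued, {"items": {"item-1001": 1}, "price": 1})
    print("edited cookie:", verify_cart(forged))          # None: the tag no longer matches
    print("charge:", checkout_total({"items": {"item-1001": 1}}))  # 5024 regardless of the cookie
```

The tag stops the edit in step 11 from being accepted, but the second fix is the one that matters: once the price is looked up server-side, the cookie only needs to carry item ids and quantities, so there is nothing price-related left to tamper with.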
Step-by-Step Guide
1 Connect to the Admin Client
1. Open an RDP client and navigate to Admin Client.
2. Log in:
• Username: student
• Password: CudaL3arner!
3. If the first login fails, click OK and reenter the credentials.
10. From another tab, navigate to https://wafa.cudau.org:8443 and continue through the certificate
security check.
11. Log in with the new WAF credentials.
12. Go to the ADVANCED > Secure Administration page and configure:
• HTTPS/SSL Access Only: Yes
13. Click Save.
3 Create a service
1. Navigate to BASIC > Services.
2. Create a new service with the following settings:
• Service Name: Badstore
• Type: HTTP
• Virtual IP Address: <VIP1>
• Port: 80
• Real Servers: <Badstore IP>
• Create Group: No
• Service Groups: default
3. Click Add.
By default, a new service is set to Passive mode when it is created. In Passive mode, traffic is
not blocked. Instead, attacks and malicious requests will be logged.
When the service is added, the front end is created on port 443, but the real server is
created on port 80 by default. Because the backend server is actually listening on
port 443 with SSL, you must change the backend settings.
3. Click Edit next to the real server and make the following changes:
• Port: 443
• Server uses SSL: Yes
• Validate Server Certificate: No
The WAF will not be able to validate the certificate because the backend server uses a self-signed certificate.
Task 3 Clustering
Lab Instructions
This lab will guide you through the process of clustering two Web Application Firewalls.
Step-by-Step Guide
1 Configure a Cluster Shared Secret in WAFa
1. From the Management Client, open Firefox, navigate to http://wafa.cudau.org:8443 and log into
the WAF management interface.
2. Navigate to ADVANCED > High Availability and configure:
• Cluster Shared Secret: campussecret
3. Click Save.
14. In the wafb tab, go to the ADVANCED > Secure Administration page and configure:
• HTTPS/SSL Access Only: Yes
Step-by-Step Guide
1 Activate the service
1. In the Barracuda Web Application Firewall web interface, go to BASIC > Services.
2. Edit the Badstore service.
3. Change the Mode of the service to Active.
4. Click Save.
4 Launch an SQL attack against the active service and check the Firewall logs
1. In Firefox_dev navigate to: http://www.bigfishinc.org
2. Click What’s New.
3. In the Quick Item search field, enter 1'OR 1=1-- (make sure you end your statement with a space!).
The query will fail, and the error message is cryptic and uninformative.
4. On the Admin Client, in the WAF web interface, go to the BASIC > Web Firewall Logs page.
5. The attack is listed with an action of DENIED.
Note that Nikto now displays very little information about the Badstore site, compared to
the Nikto scan launched directly against the Badstore website earlier. You can easily
compare the two attempts by placing the two terminal instances next to each other.
6. In the WAF web interface, go to the BASIC > Web Firewall Logs page. Note the large number of
attacks launched by the Nikto scan - and blocked by the Barracuda Web Application Firewall.
7 Launch an SQL attack against the passive service and check the Web Firewall logs
1. In Firefox_dev navigate to: https://www.bigfishinc.org
2. Click What’s New.
3. In the Quick Item search field, enter 1'OR 1=1--
4. The query will be successful. Even encrypted services are vulnerable to web application attacks!
5. In the WAF web interface, go to BASIC > Services.
6. Edit the Badstore_ssl service and change the Mode from Passive to Active.
7. Click Save.
8. In the Badstore website, on the What's New page, in the Quick Item Search field, enter 1'OR 1=1--
9. The attack is blocked and an uninformative error message is displayed because the service is now
active.
Step-by-Step Guide
1 Create a Web Scraping Policy
1. From the Management Client, open Firefox, navigate to http://wafa.cudau.org:8443 and log into
the WAF management interface.
2. Navigate to Bot Mitigation > Bot Mitigation.
3. At Web Scraping Policies, click Add Policy.
4. In the pop-up window, specify the following settings:
• Web Scraping Policy Name: Badstore
• Insert Hidden Links in the Response: Yes
• Insert JavaScript in Response: Yes
• Detect Mouse Event: Yes
• Blacklisted Categories: select all fields
5. Click Save.
○ Click Apply.
• Web Scraping Policy: badstore
• Credential Stuffing:
○ Username Parameter: email
○ Password Parameter: passwd
3. Click Save.
Step-by-Step Guide
1 Configure an LDAP server
1. In the WAF web interface, go to ACCESS CONTROL > Authentication Services.
2. Under the LDAP tab, specify the following settings:
• Realm Name: cudau.org
• Server Name/IP: 10.1.1.10
• Server Port: 389
• Secure Connection Type: none
• Bind DN (Username): CN=admin,DC=CUDAU,DC=ORG
• Base DN: DC=CUDAU,DC=ORG
• Bind Password: secret
• Login Attribute: uid
• Group Name Attribute: gid
• Query For Group: Yes
3. Click Test LDAP. The LDAP test succeeds.
4. Click Add. The cudau.org service is added to the Existing Authentication Services table.
5. Go to ACCESS CONTROL > Authentication Policies.
6. Click Edit Authentication for the Badstore service. Specify the following settings:
• Change Status to On.
• From the Authentication Service list, select cudau.org.
• Click Save.
2 Configure authorization
1. Go to ACCESS CONTROL > Authentication Policies.
2. Click Add Authorization for the Badstore service.
3. In the Policy Name field, enter Auth0
4. For Status, select On.
5. In the URL Match field, enter /cgi-bin/badstore.cgi
6. For Extended Match, click the Edit icon to display the Extended Match widget:
• Element Type: Parameter
• Element Name: Select the Others check box and enter action
• Operation: is equal to
• Value: admin
• Click Insert. The Header Expression field displays: Parameter action eq admin
• Click Apply.
7. Click Save.
3 Authentication
1. Open an RDP client and navigate to the Attack Client.
2. In Firefox_dev, navigate to: http://www.bigfishinc.org/cgi-bin/badstore.cgi?action=admin
3. You are prompted for a username and password. Use the following credentials to log in:
• user: tommy
• pw: CudaL3arner!
4. You will still not be able to view the Sales Report because your new user is not listed as an admin
on the Badstore site.
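The authorization policy configured in section 2 and exercised in section 3 combines a URL Match with an Extended Match, so only requests for /cgi-bin/badstore.cgi that carry action=admin are forced through authentication. The following is an added example, not Barracuda's implementation of the Extended Match widget, that evaluates a policy with the lab's values the same way: the small expression grammar it parses ("Parameter action eq admin", plus Header and neq for generality) is this example's own reading of the widget's output. It decides only whether the WAF prompts for credentials; as step 4 shows, the application's own admin check still applies afterwards.

```python
import fnmatch
from urllib.parse import parse_qs, urlsplit

# Constructed policy using the lab's values. The expression grammar below is this example's
# own reading of "Parameter action eq admin", not Barracuda's Extended Match implementation.
AUTH0 = {
    "name": "Auth0",
    "status": "On",
    "url_match": "/cgi-bin/badstore.cgi",
    "extended_match": "Parameter action eq admin",
}


def parse_extended_match(expr: str):
    """Split '<Element Type> <name> <op> <value>' into a 4-tuple; accepts Parameter/Header and eq/neq."""
    try:
        element_type, name, op, value = expr.split(maxsplit=3)
    except ValueError:
        raise ValueError(f"malformed extended match: {expr!r}") from None
    element_type, op = element_type.lower(), op.lower()
    if element_type not in ("parameter", "header") or op not in ("eq", "neq"):
        raise ValueError(f"unsupported extended match: {expr!r}")
    return element_type, name, op, value


def requires_authentication(url: str, headers: dict, policy: dict = AUTH0) -> bool:
    """True when the policy is On, the path matches URL Match and the Extended Match holds."""
    if policy["status"] != "On":
        return False
    parts = urlsplit(url)
    # URL Match is treated as a glob, so "/cgi-bin/*" would also work here.
    if not fnmatch.fnmatchcase(parts.path, policy["url_match"]):
        return False
    element_type, name, op, value = parse_extended_match(policy["extended_match"])
    if element_type == "parameter":
        observed = parse_qs(parts.query).get(name, [])
        matched = value in observed
    else:
        # Header names are case-insensitive.
        lowered = {k.lower(): v for k, v in headers.items()}
        matched = lowered.get(name.lower()) == value
    return matched if op == "eq" else not matched


if __name__ == "__main__":
    admin_url = "http://www.bigfishinc.org/cgi-bin/badstore.cgi?action=admin"
    print(requires_authentication(admin_url, {}))   # True: the login prompt seen in section 3
    print(requires_authentication("http://www.bigfishinc.org/cgi-bin/badstore.cgi?action=whatsnew", {}))  # False
```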
© Barracuda Networks Inc., Revision: 10/10/2022
The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No portion of
this document may be copied, distributed, publicized or used for other than internal documentary purposes without the
written consent of an official representative of Barracuda Networks Inc. All specifications are subject to change without
notice. Barracuda Networks Inc. assumes no responsibility for any inaccuracies in this document. Barracuda Networks Inc.
reserves the right to change, modify, transfer, or otherwise revise this publication without notice.