Add content from: Skimming Credentials with Azure's Front Door WAF

- Remove searchindex.js (auto-generated file)
HackTricks News Bot
2025-10-09 18:29:08 +00:00
parent 9df8a4ac92
commit 123b37d1f3
18 changed files with 110 additions and 12 deletions

@@ -1,4 +1,4 @@
# Az - File Shares
# Az - Front Door
{{#include ../../../banners/hacktricks-training.md}}
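Review bot: the heading change from `# Az - File Shares` to `# Az - Front Door` is correct and should land on its own merits; the old title reads as a copy-paste leftover, since the surrounding text (the IP-restriction bypass in the next hunk's context line, `To bypass this rule automated tools can be used that **brute-force IP addresses**`) is entirely about Front Door. The banner include on the following line is unchanged context and matches the file's closing include, so nothing else is needed in this hunk.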
@@ -10,9 +10,83 @@ To bypass this rule automated tools can be used that **brute-force IP addresses*
This is mentioned in the [Microsoft documentation](https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-configure-ip-restriction).
---
## Credential Skimming via WAF Custom Rules + Log Analytics
Abuse Azure Front Door (AFD) WAF Custom Rules in combination with Log Analytics to capture cleartext credentials (or other secrets) traversing the WAF. This is not a CVE; its misuse of legitimate features by anyone who can modify the WAF policy and read its logs.
Key behavior enabling this:
- AFD WAF Custom Rules can match on request elements including headers and POST parameters.
- When a Custom Rule uses the action Log traffic only, evaluation continues and traffic proceeds (no short-circuit), keeping the flow normal/stealthy.
- AFD writes verbose diagnostics to Log Analytics under Category FrontDoorWebApplicationFirewallLog. Matched payload details are included in details_matches_s along with the rule name in ruleName_s.
### End-to-end workflow
1. Identify target POST parameters
- Inspect the login form and note parameter names (e.g., username, password).
2. Enable diagnostics to Log Analytics
- In your Front Door profile > Monitoring > Diagnostic settings, send logs to a Log Analytics workspace.
- At minimum, enable the category: FrontDoorWebApplicationFirewallLog.
3. Create a malicious Custom Rule
- Front Door WAF Policy > Custom rules > New rule:
- Name: innocuous name, e.g., PasswordCapture
- Priority: low number (e.g., 5) so it evaluates early
- Match: POST arguments username and password with Operator = Any (match any value)
- Action: Log traffic only
4. Generate events
```bash
curl -i -X POST https://example.com/login \
-H "Content-Type: application/x-www-form-urlencoded" \
--data "username=alice&password=S3cret!"
```
5. Extract credentials from Log Analytics (KQL)
```kusto
AzureDiagnostics
| where Category == "FrontDoorWebApplicationFirewallLog"
| where ruleName_s == "PasswordCapture"
| project TimeGenerated, ruleName_s, details_matches_s
| order by TimeGenerated desc
```
Useful parsing (optional):
```kusto
AzureDiagnostics
| where Category == "FrontDoorWebApplicationFirewallLog" and ruleName_s == "PasswordCapture"
| extend m = parse_json(details_matches_s)
| mv-expand match = m.matches
| project TimeGenerated, ruleName_s, match.matchVariableName, match.matchVariableValue
| order by TimeGenerated desc
```
The matched values appear in details_matches_s and include the cleartext values that matched your rule.
### Why Front Door WAF and not Application Gateway WAF?
- Application Gateway WAF custom-rule logs dont include the offending POST/header values the same way; AFD WAF diagnostics include matched content in details, enabling credential capture.
### Stealth and variants
- Set Action to Log traffic only to avoid breaking requests and to keep other rules evaluating normally.
- Use a low numeric Priority so your logging rule evaluates before any later Block/Allow rules.
- You can target any sensitive names/locations, not only POST params (e.g., headers like Authorization or API tokens in body fields).
### Prerequisites
- An existing Azure Front Door instance.
- Permissions to edit the AFD WAF policy and read the associated Log Analytics workspace.
### Impact
- High risk: An operator with WAF/Log access can silently harvest secrets at the trusted TLS termination point.
## References
- [https://trustedsec.com/blog/azures-front-door-waf-wtf-ip-restriction-bypass](https://trustedsec.com/blog/azures-front-door-waf-wtf-ip-restriction-bypass)
- [Skimming Credentials with Azure's Front Door WAF](https://trustedsec.com/blog/skimming-credentials-with-azures-front-door-waf)
- [Azure WAF on Front Door monitoring and logging](https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-monitor)
{{#include ../../../banners/hacktricks-training.md}}
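Review bot: the optional parsing query (the second `kusto` block) most likely returns no rows: `details_matches_s` is the flattened `details.matches` array itself, which is why the first query can `project` it raw, so `parse_json(details_matches_s).matches` evaluates to null and `mv-expand match = m.matches` expands nothing. Expand the parsed column directly, e.g. `| mv-expand match = parse_json(details_matches_s)` followed by `| project TimeGenerated, ruleName_s, match.matchVariableName, match.matchVariableValue`, and keep the first query as the fallback if the column shape differs on a given workspace. Two apostrophes were dropped: `its misuse of legitimate features` should read `it is the misuse`, and `custom-rule logs dont include` should be `don't`. The Application Gateway comparison is stated as fact without a pointer; it comes from the linked TrustedSec post, so cite it inline or soften the wording. Finally, the Prerequisites and Impact bullets say the operator needs WAF-policy edit plus Log Analytics read access, but nothing tells a defender where to look: both the policy edit and the diagnostic-setting change are write operations recorded in the Azure Activity log, and a custom rule combining the `Log traffic only` action with `Operator = Any` on POST arguments such as `password` is itself the signature to alert on. A short Detection subsection in the existing `###` style would close that gap.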