In this lab scenario, you take on the role of a cloud security engineer, working for a business that has recently launched an Internet-facing web application. Unfortunately in the rush to launch, version one (MVP) of the web application has since been discovered to contain several OWASP classified vulnerabilities which need immediate action and remediation. The vulnerability types include SQL Injection, XSS (Cross-Site Scripting), SSRF (Server Side Request Forgery), and RCE (Remote Code Execution) via Command Injection - all of which must now be defended against quickly by yourself.

Being a cloud security engineer, you know that you can quickly deploy a first line of defense using AWS’s WAF (Web Application Firewall). In this lab, you will learn how to configure AWS WAF to detect and protect against each of the previously mentioned vulnerabilities. You will be instructed to perform before and after analysis of each vulnerability, ensuring that you understand the vulnerability itself, including how it is executed and what is breached/exposed as a result. Once the correct AWS WAF rule has been configured and deployed, you will confirm that the vulnerability in question has indeed been mitigated.

Note: To keep things simple and to quicken the lab launch time, all AWS networking and compute resources provisioned within this lab take place in the publicly zoned area of the default VPC, and as such the security posture is limited and should not be replicated in your own production environments.

Learning Objectives

Upon completion of this lab, you will be able to:

• Understand common attacks involving SQL Injection, XSS, SSRF, and Command Injection and how they are applied
• Configure AWS WAF to defend against common attacks involving SQL Injection, XSS, SSRF, and Command Injection 

Intended Audience

• Those interested in increasing the security posture of a deployed web app within AWS using the AWS WAF service.

Prerequisites

Familiarity with the following will be beneficial but is not required:

• Be comfortable with basic Linux command line administration

Lab Environment

This lab will start with the following AWS resources provisioned automatically for you:

• 2 x EC2 instance
  • ide.cloudacademy.platform.instance - provides a web-based IDE with an integrated terminal
  • hacker.cloudacademy.platform.instance - used to apply various attacks against the insecure web app (to be deployed using Terraform)
• 1 x ALB
  • Listener (port 80)
    • Web Frontend Forwarding Rule (forwards to Web Frontend Target Group)
    • API Forwarding Rule (forwards to API Target Group)
  • Web Frontend Target Group (forwards to port 80)
  • API Target Group (forwards to port 8080)

To achieve the lab end state, you will be walked through the process of:

• Using your local workstation browser to remotely connect to the ide.cloudacademy.platform.instance
• Using the web-based IDE and integrated terminal, deploy the insecure web app using Terraform
• Examine, explore and apply different attacks (SQL Injection, XSS, SSRF, and Command Injection)
• Configure and apply AWS WAF to defend against the attacks previously executed

Resources

This lab references the following GitHub repos:

• https://github.com/cloudacademy/insecure-webapp-infra
• https://github.com/cloudacademy/insecure-webapp

Updates

August 12th, 2022 - Updated student IAM permissions for creating Web ACLs in the console

August 19th, 2022 - Improved source code in the insecure web app repo