Leveraging AWS WAF to Defend an Insecure Web App

Lab Steps

  • Logging in to the Amazon Web Services Console
  • Provision AWS Web App Infrastructure
  • Insecure Web App - Application Review
  • Exercise 1: SQL Injection Vulnerability and WAF Defense
  • Exercise 2: XSS Vulnerability and WAF Defense
  • Exercise 3: SSRF Vulnerability and WAF Defense
  • Exercise 4: RCE Vulnerability and WAF Defense

Difficulty: Advanced
Time Limit: 2h 30m

Description

In this lab scenario, you take on the role of a cloud security engineer working for a business that has recently launched an Internet-facing web application. In the rush to launch, version one (the MVP) of the application shipped with several vulnerabilities from well-known OWASP categories that need immediate remediation: SQL Injection, XSS (Cross-Site Scripting), SSRF (Server-Side Request Forgery), and RCE (Remote Code Execution) via Command Injection. You must defend against all of them quickly.

As a cloud security engineer, you know that AWS WAF (Web Application Firewall) can be deployed quickly as a first line of defense. In this lab, you will learn how to configure AWS WAF to detect and block the requests that exploit each of the vulnerabilities above. For each one you will perform a before-and-after analysis, so that you understand the vulnerability itself, how it is exploited, and what is breached or exposed as a result. Once the appropriate AWS WAF rule has been configured and deployed, you will confirm that the attack is now blocked. Keep in mind that a WAF rule is a compensating control: it stops known attack patterns at the edge, while the underlying code defect still needs to be fixed.

Note: To keep things simple and to shorten the lab launch time, all AWS networking and compute resources provisioned in this lab are placed in the public subnets of the default VPC. This limits the security posture and should not be replicated in your own production environments.

Learning Objectives

Upon completion of this lab, you will be able to:

  • Understand common attacks involving SQL Injection, XSS, SSRF, and Command Injection and how they are applied
  • Configure AWS WAF to defend against common attacks involving SQL Injection, XSS, SSRF, and Command Injection 

Intended Audience

  • Those interested in increasing the security posture of a deployed web app within AWS using the AWS WAF service.

Prerequisites

Familiarity with the following will be beneficial but is not required:

  • Basic Linux command line administration

Lab Environment

This lab will start with the following AWS resources provisioned automatically for you:

  • 2 x EC2 instances
    • ide.cloudacademy.platform.instance - provides a web-based IDE with an integrated terminal
    • hacker.cloudacademy.platform.instance - used to launch the various attacks against the insecure web app (which you deploy using Terraform)
  • 1 x ALB
    • Listener (port 80)
      • Web Frontend Forwarding Rule (forwards to Web Frontend Target Group)
      • API Forwarding Rule (forwards to API Target Group)
    • Web Frontend Target Group (forwards to port 80)
    • API Target Group (forwards to port 8080)

To achieve the lab end state, you will be walked through the process of:

  • Use your local workstation browser to connect to the ide.cloudacademy.platform.instance
  • From the web-based IDE and its integrated terminal, deploy the insecure web app using Terraform
  • Examine, explore and apply the different attacks (SQL Injection, XSS, SSRF, and Command Injection)
  • Configure and apply AWS WAF to defend against the attacks you previously executed
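The lab walks you through the WAF configuration in the console, and its exact rules are not reproduced on this page. The following is an added example (not the lab's own Terraform) of what a regional Web ACL covering the four exercises looks like when expressed in the same tool the lab uses to deploy the application. It assumes the ALB is defined as aws_lb.web in the same Terraform state, that the SQLi rule only needs to inspect the query string, and that an SSRF attempt can be recognised by a query argument pointing at the EC2 instance metadata service or loopback; the rule names, priorities and the SSRF regex are choices made for this example, and the metadata/loopback regex is a narrow heuristic rather than a general SSRF detector.

```hcl
# Added example: a REGIONAL WAFv2 Web ACL for the lab's ALB (assumed to be aws_lb.web).

resource "aws_wafv2_web_acl" "insecure_app" {
  name  = "insecure-web-app-acl"
  scope = "REGIONAL" # ALB is regional; CloudFront distributions would need CLOUDFRONT

  default_action {
    allow {}
  }

  # Exercise 1: AWS's built-in SQL injection detector over every query argument.
  rule {
    name     = "block-sqli"
    priority = 10
    action {
      block {}
    }
    statement {
      sqli_match_statement {
        field_to_match {
          all_query_arguments {}
        }
        text_transformation {
          priority = 0
          type     = "URL_DECODE" # inspect the decoded value, not %27 / %20 noise
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-sqli"
      sampled_requests_enabled   = true
    }
  }

  # Exercise 3: there is no built-in SSRF detector, so this custom regex (an
  # assumption of this example) blocks arguments aimed at IMDS or loopback.
  rule {
    name     = "block-ssrf-internal-targets"
    priority = 30
    action {
      block {}
    }
    statement {
      regex_match_statement {
        regex_string = "(169\\.254\\.169\\.254|127\\.0\\.0\\.1|localhost)"
        field_to_match {
          all_query_arguments {}
        }
        text_transformation {
          priority = 0
          type     = "URL_DECODE"
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-ssrf"
      sampled_requests_enabled   = true
    }
  }

  # Exercise 4: command injection via the AWS-managed Unix rule group.
  # Managed rule groups take override_action instead of action.
  rule {
    name     = "aws-unix-ruleset"
    priority = 40
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesUnixRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-unix-ruleset"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "insecure-web-app-acl"
    sampled_requests_enabled   = true
  }
}

# A Web ACL blocks nothing until it is associated with the load balancer.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.web.arn
  web_acl_arn  = aws_wafv2_web_acl.insecure_app.arn
}
```

The Exercise 2 rule is omitted only for brevity: it has exactly the shape of the SQLi rule with `xss_match_statement` in place of `sqli_match_statement`, and it is worth adding a second `text_transformation` of type `HTML_ENTITY_DECODE` so that entity-encoded payloads are inspected in their decoded form. Two practical checks before relying on any of this: first, roll each rule out with `action { count {} }` and watch the sampled requests in CloudWatch before switching to `block {}`, because the SQLi detector and a loose regex will both produce false positives on legitimate input; second, `all_query_arguments` inspects only the query string, so an API that accepts POST bodies (the lab's API target group on port 8080, for instance) needs a second `field_to_match { body {} }` variant, bearing in mind that for an ALB AWS WAF inspects only the first 8 KB of the body.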

Updates

August 12th, 2022 - Updated student IAM permissions for creating Web ACLs in the console

About the Author

Jeremy is a Content Lead Architect and DevOps SME here at Cloud Academy where he specializes in developing DevOps technical training documentation.

He has a strong background in software engineering, and has been coding with various languages, frameworks, and systems for the past 25+ years. In recent times, Jeremy has been focused on DevOps, Cloud (AWS, GCP, Azure), Security, Kubernetes, and Machine Learning.

Jeremy holds professional certifications for AWS, GCP, Terraform, Kubernetes (CKA, CKAD, CKS).