app service AZSK Azure express-validator expressJS HelmetJS NodeJS Web Application Firewall web apps

Defence in depth: Securing Azure App Service with Azure Front Door WAF, NodeJS runtime Security enhancements tested with OWASP ZAP

I’ve been recently playing around with Azure Front Door, and it’s WAF Policies. Here are some notes I decided to share about the my experiences mainly about securing the app from invalid and malicious inputs using Azure WAF and ExpressJS middlewares

Microsoft Azure WAF and NodeJS input checking notes

Security Checklist example

This is just a short example of items that are covered in this deployment.

  • Items like pipeline security, tooling for code security, security center alerts, connecting to table storage and key vault securely, Azure Table Storage input hashing etc are enough for few more blogs 🙂
  • This blog could’ve been much longer, but I wanted keep relatively straight to point, and narrow it down to securing the app from malicious inputs.
ThreatMitigation
OWASP top 10 mappingAzure Front Door with WAF in prevention mode,
Runtime & code security
Azure Architecture,
Logs
testing with OWASP ZAP Zed Attack Proxy
Business logic code security
input validation  
express-validator (express-validator.github.io)
Helmet (helmetjs.github.io)
Security Misconfigurations in Cloud Service (overlaps partially with OWASP Top10)Azure Secure Devops Kit, Azure Security Benchmark,
CIS (not covered in this blog) – And generally Azure Security Resources
App service ’Access Restrictions’ rule, App Service Logs
Azure Front Door Spoofing Prevention
Documentation (MD files, not covered in this blog)

Security Testing based on the checklist

WAF basic ruleset

  • Some exclusion rules also apply to allow certain characters in payloads
Basic WAF policy

Testing Azure Front Door FDID can’t be spoofed and App Service limits traffic to Azure Front Door

Besides limiting the traffic towards the web-app to be only allowed from Globally Azure Front Doors (Access Restrictions), its important to ensure, that the immutable identification (x-azure-fdid) security header is checked in the application middleware.

https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq#how-do-i-lock-down-the-access-to-my-backend-to-only-azure-front-door
  • App Service supports listing Azure Front Door as allowed source in ’Access Restrictions’
  • Azure Front Door sends a header identifying the Azure Front Door Instance configured. This header is immutable, and cant be manipulated directly when Front Door Connects directly to the app service
    • This is based on assumption that access restrictions are placed on L7 ’Access Restrictions’ rules, and the NodeJS implements header checking for the particular value
  • Ensured that user cant supply FDID header from client-side, and if attacker deploys their own Azure Front Door against your app service instance
When wrong front door connects the app service
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-http-headers-protocol#front-door-to-backend

Access Restrictions

  • Front door backend
  • Limiting admin and deployment access to KUDU SCM endpoints

ExpressJS middlware checking for the header used when the platform is app service.

  • The immutable value ’x-azure-fdid’: ’60ab831a-86db-4aea-93c4-4b13a3adc22a’,
module.exports= function (req, res, next) {
console.log('fdid check',req.headers)

if (req.headers['x-azure-fdid'] !== "60ab831a-86db-4aea-93c4-4b13a3adc22a") return next('invalid FrontDoor')
    next()
}

// or

function CheckAzureFrontDoor(fdid) { 
    return function (req, res, next) {
        console.log('fdid check',req.headers)
        
        if (req.headers['x-azure-fdid'] !== fdid) return next('invalid FrontDoor')
            next()
        }
}
    
module.exports={CheckAzureFrontDoor}

Owasp ZAP listing of tested methods

Recommended reading

https://www.zaproxy.org/

Example of tests run against the App Service protected by front door

Express validation and authorization middlewares

  • Express middleware working to block request that are not in WAF’s scope

After Azure Front Door WAF, there is additional layer in the application itself.

  • The NodeJS app uses additional validation in the API’s it provides for mainly for following reasons:
  1. Validate tokens, and bind tokens user context to limit searches into Azure Table Storage
  2. Tell users about whats expected in the input, in case of invalid input
  3. Clean up input used for Azure Graph API and Azure Table Storage
  4. Attempts to take care of certain inputs that don’t validate in the middleware but we’re passed from the WAF
checkBodyAndQuery('user').trim().isEmail()
checkBodyAndQuery('key').trim().isNumeric()
  • User provided keys are checked to match the userObjectID in validated token, and database entry before key can be claimed.
    • usr variable is only available in the back-end, based on the incoming token
var result = await findEntry(usr, await genpassHSH(req.query.key).catch((error) => {
            r = error
            console.log('errpr',error)
        })

        if (!result) {
            return res.render('display',{
                title: process.env.title,
                userview: true,
                error: r
            })
        }

App Service Logs

Azure Front Door WAF Logs

  • WAF logs in Azure Front Door

Ending words

Azure App Service, and surrounding Azure Ecosystem offers full toolkit to monitor, and secure solutions for the whole lifecycle of any web application pretty nicely.

As stated before: This blog could’ve been much longer, but I wanted keep relatively straight to point, and narrow it down to securing the app from malicious inputs

Some further reading:

Azure Security Center Exhibits from the field – Detecting SQL Injection with Advanced Data Security

Azure Security Center – Exhibits from the field

TOP3 Picks from Azure Security Center Standard

App Service – Key Vault Vnet Service Endpoint access options explored + NodeJS runtime examples

Br Joosua!

0 comments on “Defence in depth: Securing Azure App Service with Azure Front Door WAF, NodeJS runtime Security enhancements tested with OWASP ZAP

Vastaa

Täytä tietosi alle tai klikkaa kuvaketta kirjautuaksesi sisään:

WordPress.com-logo

Olet kommentoimassa WordPress.com -tilin nimissä. Log Out /  Muuta )

Google photo

Olet kommentoimassa Google -tilin nimissä. Log Out /  Muuta )

Twitter-kuva

Olet kommentoimassa Twitter -tilin nimissä. Log Out /  Muuta )

Facebook-kuva

Olet kommentoimassa Facebook -tilin nimissä. Log Out /  Muuta )

Muodostetaan yhteyttä palveluun %s

%d bloggaajaa tykkää tästä: