Community

Blog Events Webinars Tutorials Forum
  1. Blog
  2. Events
  3. Webinars
  4. Tutorials
  5. Forum
Create Account
×
Community Blog Test the Validity of Web Application Firewall on Alibaba Cloud

Test the Validity of Web Application Firewall on Alibaba Cloud

The article provides a step-by-step guide to launching attacks on a website service to test the effectiveness of WAF.

When implementing various security services provided by public cloud services, you may have the question: Can I really prevent security attacks from the outside?

In this article, we will use Alibaba Cloud Web Application Firewall (WAF) to verify security. WAF can identify and block web attacks and malicious web requests in real-time. We will launch attacks on the website service to test whether Alibaba Cloud WAF can prevent them. The following section will describe the steps.

1. Configuration Overview

The configuration steps are simple. WAF is placed in front of a web server to prevent the exposed web server. In this example, we will use an Elastic Compute Service (ECS) server. All access to the web server will be verified using WAF. The fully qualified domain name (FQDN) of the web server and the CNAME of WAF are registered in Domain Name System (DNS).

1

The web server has a global IP address. As a result, the web server can check accesses that are not verified by using WAF.

Note: The following section describes the definition of IP address, CNAME, and FQDN:

  • FQDN of the web server: URL to be accessed by the user. Use your FQDN.
  • CNAME of WAF: the CNAME of the WAF instance. Set the FQDN of the web server to CNAME.
  • Global IP address of the web server: the global IP of the web server. Set the global IP address to the source server. The source server is the backend server.

2. Build a Web Server

In this example, we will use an Alibaba Cloud Elastic Compute Service (ECS) server. The operating system of the ECS server is CentOS.

2.1 Run the following commands to install the Apache HTTP server

# yum -y update
# yum -y install httpd

2.2 Run the following commands to create an encryption certificate

# yum -y install certbot
# systemctl enable httpd
# systemctl start httpd
# certbot certonly --webroot -w /var/www/html -d <Web server FQDN>

Note: Resolve DNS records before you create an encryption certificate.

Run the following commands to create a certificate:

/etc/letsencrypt/live/<Web server FQDN>/fullchain.pem
/etc/letsencrypt/live/<Web server FQDN>/privkey.pem

2.3 Run the following command to install SSL

# yum -y install mod_ssl

2.4 Run the following command to move the certificate

# vi /etc/httpd/conf.d/ssl.conf

Run the vi commands to add the following files:

SSLCertificateFile /etc/letsencrypt/live/<Web server FQDN>/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<Web server FQDN>/privkey.pem

2.5 Run the following command to restart the Apache HTTP server

# systemctl restart httpd

3. Launch Attacks

3.1 Run the following command to install PHP

# yum install �Cy php

3.2 Run the following commands to launch attacks

# cd /var/www/html/

# vi index.html

Using the vi command to create HTML source code.

<!DOCTYPE html>
<html lang="ja">
<head>
<meta charset="utf-8">
<title> Getting started with HTML: Create a text box</title>
</head>
<body>
<form action="//sbc-nextcloud.sbcicp1.net/index.php" method="post">
        <p> Username:<br>
        <input type="text" name="name"></p>
        <p><input type="button" value="Check" id="button2"></p>
</form>
</body>
</html>
# vi index.php

Using the vi command to create PHP source code.

<?php

foreach (getallheaders() as $name => $value) {
    echo "$name: $value\n";
}

?>

4. Enable Alibaba Cloud WAF

4.1 Configure the WAF

2
3

4.2 Check whether WAF is used for access

Access https://<Web Server FQDN>/index.php to check the access results.

If the configuration in the following figure exists, WAF is used for access.

4

5. Confirm the Effect of WAF Effect

We will launch attacks by tampering with the URL parameters while WAF is enabled.

The website can be accessed normally if the URL parameters are not tampered with.

However, after launching attacks, the website will become inaccessible, demonstrating the effectiveness of WAF.

To launch attacks, please tamper with the following URL parameter:

https://<Web server FQDN>/index.html?q=SELECT id,pass FROM login_user WHERE id='1' or '1' = '1'-- AND pass=";

The following figure shows that the access request is denied by WAF.

5

Next, we will launch attacks with WAF disabled.

To do so, please tamper with the following URL parameter and use a global IP address if you have not registered the CNAME.

https://8.209.255.234/index.html?q=SELECT id,pass FROM login_user WHERE id='1' or '1' = '1'-- AND pass=";

The following figure shows the page displayed when accessing an ECS server without WAF.

6

6. Conclusion

In this example, you can check whether Alibaba Cloud WAF can prevent web servers from malicious attacks. The biggest benefit of Alibaba Cloud WAF is that you can use WAF not only in Alibaba Cloud servers but also web servers of other cloud providers.

This article is a translated piece of work from SoftBank: https://www.softbank.jp/biz/blog/cloud-technology/articles/202208/alibaba-cloud-waf/

Disclaimer: The views expressed herein are for reference only and don't necessarily represent the official views of Alibaba Cloud.

WAF Server Security Cloud Security Web Application Firewall Data Visualization Tutorials Web Server Security Attacks
0 1 0
Share on

Read next post:

Deploy TiDB on Alibaba Cloud Serverless Kubernetes (ASK)

H Ohara

12 posts | 0 followers

You may also like

Comments

H Ohara

12 posts | 0 followers

Related Products

More Posts by H Ohara

See All