Web ACLs and Managed Rules

Introduction

Web ACLs

A web ACL (Web Access Control List) is the core resource in an AWS WAF deployment. It contains rules that are evaluated for each request that it receives. A web ACL is associated to your web application via either an Amazon CloudFront distribution, AWS API Gateway API or an AWS Application Load Balancer.

This workshop uses the latest version of AWS WAF. Make sure you do not use WAF Classic.

Managed Rules

The quickest way to get started with AWS WAF is to add an AWS Managed Rule Group to your web ACL.

Managed Rule Groups are a set of rules, created and maintained by AWS or third-parties on the AWS Marketplace. These rules provide protections against common types of attacks, or are intended for particular application types.

Each managed rule group protects against a set of common attacks, such as SQL injection or command injection.

AWS provides a selection of managed rule groups. Three examples are the Amazon IP reputation list, Known bad inputs and the Core rule set. Other rule groups are also available.

Example of AWS Managed Rules

Challenge

Part A

You are the sole developer for the start up Juice Shop. Your website is a simple web application backed by a SQL Database. For some reason, a group of Milkshake bandits have started attacking your site!
Luckily, you recently attended a workshop on AWS WAF. You decide to implement your own WAF to protect your site.

  1. Create a web ACL in the WAF console.

    • Name the web ACL waf-workshop-juice-shop
    • Leave the CloudWatch metrics name as the default
    • The Resource Type is CloudFront Distribution
  2. Associate the web ACL with the CloudFront distribution for your site.

Part A Answer


Part B

You don’t have much time, so you decide to deploy two AWS Managed Rule groups to your web ACL. This will protect your website from the common attacks the Milkshake bandits are using.

Add two managed rule groups to your web ACL.

  1. Add the Core rule set, which covers a wide range of vulnerabilities common to web applications.
  2. Add the SQL database rule group, which provides rules to protect against exploits of SQL databases, such as SQL injection.
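The same configuration as Parts A and B, expressed as an API call instead of console clicks. This is an added example, not part of the workshop, and it uses boto3 (which you must install) plus your own AWS credentials and CloudFront distribution id. The rule group identifiers AWSManagedRulesCommonRuleSet (Core rule set) and AWSManagedRulesSQLiRuleSet (SQL database) are the AWS WAF API names for the two groups the workshop asks for; the web ACL name follows Part A and the metric name is assumed to match it, as the console default does.

```python
"""Create the workshop web ACL with the two AWS managed rule groups (boto3)."""
import json

# Names as given in Part A of the workshop; metric name assumed to match.
WEB_ACL_NAME = "waf-workshop-juice-shop"
METRIC_NAME = "waf-workshop-juice-shop"

# API identifiers of the two managed rule groups chosen in Part B.
MANAGED_RULE_GROUPS = [
    "AWSManagedRulesCommonRuleSet",   # "Core rule set" in the console
    "AWSManagedRulesSQLiRuleSet",     # "SQL database" in the console
]


def visibility_config(metric_name):
    """CloudWatch metrics and sampled requests, so blocks can be inspected later."""
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def build_rules(rule_group_names=MANAGED_RULE_GROUPS):
    """Return the web ACL rule list: one ManagedRuleGroupStatement per group.

    OverrideAction None keeps the rule group's own actions (block on match);
    Count would instead turn every match into a log-only event.
    """
    rules = []
    for priority, group in enumerate(rule_group_names):
        rules.append({
            "Name": f"AWS-{group}",
            "Priority": priority,          # lower number is evaluated first
            "Statement": {
                "ManagedRuleGroupStatement": {
                    "VendorName": "AWS",
                    "Name": group,
                }
            },
            "OverrideAction": {"None": {}},
            "VisibilityConfig": visibility_config(f"AWS-{group}"),
        })
    return rules


def build_create_web_acl_request(name=WEB_ACL_NAME, metric_name=METRIC_NAME):
    """Keyword arguments for the wafv2 CreateWebACL call.

    Scope CLOUDFRONT is required for a web ACL that fronts a CloudFront
    distribution, and such web ACLs must be created in us-east-1.
    """
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Allow": {}},   # requests no rule blocks are allowed
        "Description": "Juice Shop workshop web ACL",
        "Rules": build_rules(),
        "VisibilityConfig": visibility_config(metric_name),
    }


def create_and_associate(distribution_id):
    """Create the web ACL and attach it to the CloudFront distribution (Part A step 2).

    Needs boto3 and credentials; distribution_id is your own distribution's id.
    """
    import boto3  # imported here so the rest of the module runs offline

    wafv2 = boto3.client("wafv2", region_name="us-east-1")
    web_acl = wafv2.create_web_acl(**build_create_web_acl_request())["Summary"]

    cloudfront = boto3.client("cloudfront")
    current = cloudfront.get_distribution_config(Id=distribution_id)
    config = current["DistributionConfig"]
    config["WebACLId"] = web_acl["ARN"]   # WAFv2 web ACLs are referenced by ARN
    cloudfront.update_distribution(
        Id=distribution_id, DistributionConfig=config, IfMatch=current["ETag"]
    )
    return web_acl["ARN"]


if __name__ == "__main__":
    # Review the request before applying it with
    # create_and_associate("<your CloudFront distribution id>").
    print(json.dumps(build_create_web_acl_request(), indent=2))
```

Run the file once to print the request and confirm both rule groups appear with OverrideAction None; if you see Count there instead, matches will be logged but not blocked, which is the same symptom the troubleshooting checklist in Part B describes.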

Test Case

Test your new rules with the commands below.
Make sure the JUICESHOP_URL variable contains the URL of your Juice Shop deployment.

export JUICESHOP_URL=<Your Juice Shop URL>
# This imitates a Cross Site Scripting attack
# This request should be blocked.
curl -X POST $JUICESHOP_URL -F "user='<script><alert>Hello></alert></script>'"
# This imitates a SQL Injection attack
# This request should be blocked.
curl -X POST $JUICESHOP_URL -F "user='AND 1=1;"

If a request is blocked, you will receive an HTML response stating the request was forbidden. Here’s a snippet of what to expect:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title>ERROR: The request could not be satisfied</title>
  </head>
  <body>
    <h1>403 ERROR</h1>
    <!-- Omitted -->
  </body>
</html>

If you receive a response like below, then the request wasn’t blocked by WAF.

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <title>OWASP Juice Shop</title>
    <!-- Omitted for brevity -->
  </head>
</html>

In this case, something has gone wrong. Double check the following:

  • Is your web ACL associated with the CloudFront distribution?

    • The CloudFront distribution will not be protected if the web ACL is not associated.
  • Does your web ACL contain two active rules, the Core rule set and SQL database?

    • If the managed rules are not active, then no rules will exist in the web ACL to block the request.
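The two curl checks above and the "was it blocked?" decision, as an added Python script that is not part of the workshop. It reads JUICESHOP_URL like the curl commands, posts the same two test payloads as the form field user, and classifies each response the way the text describes: a 403 whose title is the CloudFront "The request could not be satisfied" page counts as blocked, anything else as allowed. The sample bodies at the bottom are constructed abbreviations of the two responses shown above, so the classifier can be exercised without a deployment.

```python
"""Send the workshop's two test requests and report whether WAF blocked them."""
import os
import re
import urllib.error
import urllib.request

# The two payloads from the workshop's curl commands, posted as field "user".
TEST_PAYLOADS = {
    "xss": "'<script><alert>Hello></alert></script>'",
    "sqli": "'AND 1=1;",
}

# Title of the CloudFront 403 page shown in the workshop for a blocked request.
BLOCK_TITLE = re.compile(
    r"<title>\s*ERROR: The request could not be satisfied\s*</title>", re.I
)


def classify(status, body):
    """Return 'blocked' for the CloudFront/WAF 403 page, otherwise 'allowed'.

    Both conditions are required: the origin could return its own 403 with a
    different page, and that would not prove the web ACL is in place.
    """
    if status == 403 and BLOCK_TITLE.search(body):
        return "blocked"
    return "allowed"


def send_test_request(url, payload):
    """POST payload as multipart field 'user' (like curl -F) and return (status, body)."""
    boundary = "----wafworkshopboundary"
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="user"\r\n\r\n'
        f"{payload}\r\n"
        f"--{boundary}--\r\n"
    ).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:   # a 403 is raised here, not returned
        return err.code, err.read().decode(errors="replace")


def run_checks(url):
    """Return {'xss': 'blocked'|'allowed', 'sqli': 'blocked'|'allowed'}."""
    return {
        name: classify(*send_test_request(url, payload))
        for name, payload in TEST_PAYLOADS.items()
    }


# Constructed samples, abbreviated from the two responses shown in the workshop.
SAMPLE_BLOCKED = (
    "<html><head><title>ERROR: The request could not be satisfied</title></head>"
    "<body><h1>403 ERROR</h1></body></html>"
)
SAMPLE_ALLOWED = (
    '<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" />'
    "<title>OWASP Juice Shop</title></head></html>"
)

if __name__ == "__main__":
    url = os.environ.get("JUICESHOP_URL")
    if not url:
        raise SystemExit("Set JUICESHOP_URL to your Juice Shop URL first.")
    for name, verdict in run_checks(url).items():
        print(f"{name}: {verdict}")
```

Both checks should print blocked once the web ACL is associated and the two rule groups are active; an allowed verdict for either one points you back to the checklist above.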

Part B Answer


Conclusion

Well done on deploying your first rules to your Web ACL. You’ve stopped the attacks for now. Hopefully that is the end of it.

This section introduced AWS Managed Rules for WAF. Managed Rule Groups allow you to quickly protect your application from a variety of common attacks and are available from AWS and AWS Marketplace sellers.