Skip to content

Latest commit

 

History

History
255 lines (190 loc) · 5.72 KB

GSP879.md

File metadata and controls

255 lines (190 loc) · 5.72 KB
Raw

GSP879 - Cloud Armor Preconfigured WAF Rule

Setup

  1. Set projectID

    gcloud config list project
export PROJECT_ID=$(gcloud config get-value project)
echo $PROJECT_ID
gcloud config set project $PROJECT_ID

Task 1. Create the VPC network

  1. Buat VPC Network

    gcloud compute networks create ca-lab-vpc --subnet-mode custom

  2. Buat subnet

    gcloud compute networks subnets create ca-lab-subnet \
    --network ca-lab-vpc --range 10.0.0.0/24 --region us-central1

  3. Buat firewall rule untuk vpc

    gcloud compute firewall-rules create allow-js-site --allow tcp:3000 --network ca-lab-vpc

  4. Buat health check firewall rule

    gcloud compute firewall-rules create allow-health-check \
--network=ca-lab-vpc \
--action=allow \
--direction=ingress \
--source-ranges=130.211.0.0/22,35.191.0.0/16 \
--target-tags=allow-healthcheck \
--rules=tcp

Task 2. Set up the test application

  1. Buat instance dari aplikasi yang vulnerable

    gcloud compute instances create-with-container owasp-juice-shop-app --container-image bkimminich/juice-shop \
 --network ca-lab-vpc \
 --subnet ca-lab-subnet \
 --private-network-ip=10.0.0.3 \
 --machine-type n1-standard-2 \
 --zone us-central1-a \
 --tags allow-healthcheck

  2. Buat instance group

    gcloud compute instance-groups unmanaged create juice-shop-group \
--zone=us-central1-a

  3. Add aplikasi ke instance group

    gcloud compute instance-groups unmanaged add-instances juice-shop-group \
--zone=us-central1-a \
--instances=owasp-juice-shop-app

  4. Set port

    gcloud compute instance-groups unmanaged set-named-ports \
juice-shop-group \
    --named-ports=http:3000 \
    --zone=us-central1-a

  5. Set load balancer health check

    gcloud compute health-checks create tcp tcp-port-3000 \
    --port 3000

  6. Set backend service

    gcloud compute backend-services create juice-shop-backend \
    --protocol HTTP \
    --port-name http \
    --health-checks tcp-port-3000 \
    --enable-logging \
    --global

  7. Add instance group ke backend service

     gcloud compute backend-services add-backend juice-shop-backend \
    --instance-group=juice-shop-group \
    --instance-group-zone=us-central1-a \
    --global

  8. Set URL map

    gcloud compute url-maps create juice-shop-loadbalancer \
    --default-service juice-shop-backend

  9. Set target proxy

    gcloud compute target-http-proxies create juice-shop-proxy \
    --url-map juice-shop-loadbalancer

  10. Set forwarding rule

    gcloud compute forwarding-rules create juice-shop-rule \
    --global \
    --target-http-proxy=juice-shop-proxy \
    --ports=80

  11. Cek status

    PUBLIC_SVC_IP="$(gcloud compute forwarding-rules describe juice-shop-rule  --global --format="value(IPAddress)")"
echo $PUBLIC_SVC_IP

Task 3. Demonstrate known vulnerabilities

  1. LFI

    curl -Ii http://$PUBLIC_SVC_IP/ftp

  2. RCE

    curl -Ii http://$PUBLIC_SVC_IP/ftp?doc=/bin/ls

Task 4. Define Cloud Armor WAF rules

Task 5. Review Cloud Armor Security rules

  1. Lihat preconfigured rules

    gcloud compute security-policies list-preconfigured-expression-sets

  2. Buat cloud armor security policy

    gcloud compute security-policies create block-with-modsec-crs \
 --description "Block with OWASP ModSecurity CRS"

  3. Update security policy

    gcloud compute security-policies rules update 2147483647 \
 --security-policy block-with-modsec-crs \
 --action "deny-403"

  4. Find public IP

    MY_IP=$(curl ifconfig.me)

  5. Add rule untuk allow ip

    gcloud compute security-policies rules create 10000 \
--security-policy block-with-modsec-crs  \
--description "allow traffic from my IP" \
--src-ip-ranges "$MY_IP/32" \
--action "allow"

  6. Add rule untuk block LFI

    gcloud compute security-policies rules create 9000 \
--security-policy block-with-modsec-crs  \
--description "block local file inclusion" \
 --expression "evaluatePreconfiguredExpr('lfi-stable')" \
--action deny-403

  7. Add rule untuk block RCE

    gcloud compute security-policies rules create 9001 \
--security-policy block-with-modsec-crs  \
--description "block rce attacks" \
 --expression "evaluatePreconfiguredExpr('rce-stable')" \
--action deny-403

  8. Block well known attacks

    gcloud compute security-policies rules create 9002 \
--security-policy block-with-modsec-crs  \
--description "block scanners" \
 --expression "evaluatePreconfiguredExpr('scannerdetection-stable')" \
--action deny-403

  9. Block protocol attacks

    gcloud compute security-policies rules create 9003 \
--security-policy block-with-modsec-crs  \
--description "block protocol attacks" \
 --expression "evaluatePreconfiguredExpr('protocolattack-stable')" \
--action deny-403

  10. Block session fixation

    gcloud compute security-policies rules create 9004 \
--security-policy block-with-modsec-crs \
--description "block session fixation attacks" \
 --expression "evaluatePreconfiguredExpr('sessionfixation-stable')" \
--action deny-403

  11. Add security policy ke backend service

    gcloud compute backend-services update juice-shop-backend \
--security-policy block-with-modsec-crs \
--global

Task 6. Observe Cloud Armor security policy logs