AWS

Implementing AWS WAF with ALB to block SQL Injection, Geo Location and Query string

Lab Details

  1. This lab walks you through the creation of an Application Load Balancer. AWS Elastic Load Balancing automatically distributes incoming application traffic across two Amazon EC2 instances. Next we will create a set of AWS WAF rules that block access from selected geo locations, block SQL injection attempts, and block requests carrying certain query string parameters.
  2. Duration: 120 minutes
  3. AWS Region: us-east-1 (N. Virginia)

Introduction

What is AWS WAF?

  • AWS WAF is a web application firewall that helps you to protect your web applications against common web exploits that might affect availability and compromise security.
  • AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns like SQL injection and cross-site scripting.
  • It only allows the request to reach the server based on the rules or patterns you define.
  • Users create their own rules and specify the conditions that AWS WAF searches for in incoming web requests.
  • You pay for AWS WAF only for what you use.
  • The pricing is based on how many rules you deploy and how many web requests your application receives.
  • For example, you can deploy AWS WAF on Amazon CloudFront, an Application Load Balancer or Amazon API Gateway.

What is Elastic Load Balancing?

  • ELB is a service that automatically distributes incoming application traffic and scales resources to meet traffic demands.
  • It helps in adjusting capacity according to incoming application and network traffic.
  • It can be enabled within a single Availability Zone or across multiple Availability Zones to maintain consistent application performance.
  • ELB offers features like:
    • Detection of unhealthy EC2 instances.
    • Spreading traffic across healthy instances only.
    • Centralized management of SSL certificates.
    • Optional public key authentication.
    • Support for both IPv4 and IPv6.
  • ELB accepts incoming traffic from clients and routes requests to its registered targets.
  • When an unhealthy target or instance is detected, ELB stops routing traffic to it and resumes only when the instance is healthy again.
  • ELB monitors the health of its registered targets and ensures that traffic is routed only to healthy instances.
  • ELBs are configured to accept incoming traffic by specifying one or more listeners. A listener is a process that checks for connection requests.
  • Listeners are configured with a protocol and port number for connections from the client to the ELB and back from the ELB to the client.
  • ELB supports the following:
    • Application Load Balancers
    • Network Load Balancers
    • Classic Load Balancers
  • Each load balancer type is configured differently.
  • For Application and Network Load Balancers, you register targets in target groups and route traffic to target groups.
  • For Classic Load Balancers, you register instances with the load balancer.
  • AWS recommends using an Application Load Balancer across multiple Availability Zones, because if one Availability Zone fails, the load balancer can continue to route traffic to the next available one.
  • A load balancer can be either internal or internet-facing.
  • The nodes of an internet-facing load balancer have public IP addresses, and its DNS name is publicly resolvable to the public IP addresses of the nodes.
  • Because of this, internet-facing load balancers can route requests from clients over the Internet.
  • The nodes of an internal load balancer have only private IP addresses, and its DNS name is publicly resolvable to the private IP addresses of the nodes.
  • Because of this, internal load balancers can only route requests from clients with access to the VPC of the load balancer.
  • Both internet-facing and internal load balancers route requests to your targets using private IP addresses.
  • Your targets do not need public IP addresses to receive requests from an internal or an internet-facing load balancer.
  • With AWS WAF you can create your own rules, depending on your requirements, to block or allow incoming and outgoing requests. You can also customise the string that AWS WAF looks for in your web requests.
  • Blocking malicious requests: you can configure rules in AWS WAF to identify and block web request threats like SQL injection and cross-site scripting.
  • Tune your rules and monitor traffic: AWS WAF also allows you to review your rules and customize them to prevent new attacks from reaching the server.

Task Details

  1. Launching Lab Environment.
  2. Launch First EC2 Instance.
  3. Launch Second EC2 Instance.
  4. Create an Application Load Balancer and Target Group.
  5. Test Load Balancer DNS.
  6. Create AWS WAF Web ACL.
  7. Test Load Balancer DNS.

Architecture Diagram  

Lab Steps

Task 1: Launching Lab Environment

  1. Launch the lab environment by clicking on . Please wait until the lab environment is provisioned. It will take less than 2 minutes to provision the lab environment.
  2. Once the lab is started, you will be provided with an IAM user name, Password, Access Key and Secret Access Key.
  3. Click on the , AWS Management Console will open in a new tab.
  4. In the AWS sign in page, the Account ID will be present by default.
    • Leave the Account ID as default. Do not remove or change the Account ID otherwise you cannot proceed with the lab.
  5. Copy and paste the IAM user name and Password into the AWS Console. Click on Sign in to log into the AWS Console.

Note : If you face any issues, please go through FAQs and Troubleshooting for Labs.

Task 2: Launch First EC2 Instance

  1. Make sure you are in the N. Virginia Region.
  2. Navigate to EC2 by clicking on the  menu at the top, then click on  in the  section.
  3. Navigate to  from the left side menu and click on the  button.
  4. Choose an Amazon Machine Image (AMI): Search for Amazon Linux 2 AMI in the search box and click on the Select button.
  5. Choose an Instance Type: Leave it at the default   and click on 
  6. Configure Instance Details:
    • Auto-assign Public IP: Select Enable
    • Scroll down to 
    • Under the User data section, copy and paste the following script, which installs an Apache httpd web server and creates the HTML page it serves.

#!/bin/bash
# User data runs as root at first boot, so no sudo is needed.
yum update -y
yum install httpd -y
systemctl start httpd
systemctl enable httpd
# Publish a one-line index page (also used by the load balancer health check).
echo "<html><h1> Welcome to Whizlabs Server 1 </h1></html>" >> /var/www/html/index.html

  7. Leave the rest of the fields as default and click on .
  8. Add Storage: No need to change anything in this step. Click on 
  9. Add Tags: Click on 
    • Key: Enter Name
    • Value: Enter MyEC2Server1
    • Click on .
  10. Configure Security Group: Create a new security group.
    • Security group name: Enter MyWebserverSG
    • Description: Enter My EC2 Security Group
    • To add SSH:
      • Choose Type: 
      • Source:  (accessible from ALL IP addresses).
    • For HTTP, click on ,
      • Choose Type: 
      • Source:  (accessible from ALL IP addresses).
    • For HTTPS, click on ,
      • Choose Type: 
      • Source:  (accessible from ALL IP addresses).
    • Click on .
  11. Review and Launch: Review all your selected settings and click on the  button.
  12. Key Pair: Select Create a new key pair from the dropdown list and enter MyWebserverKey in the text box.
  13. Click on  and store the key file on your local machine.
  14. Click on the  button.
  15. Your instance is now launching. Navigate to the EC2 instance page.

Task 3: Launch Second EC2 Instance

  1. Now click on the  button again.
  2. Choose an Amazon Machine Image (AMI): Search for Amazon Linux 2 AMI in the search box and click on the Select button.
  3. Choose an Instance Type: Leave it at the default   and click on 
  4. Configure Instance Details:
    • Auto-assign Public IP: Select Enable
    • Scroll down to 
    • Under the User data section, copy and paste the following script, which installs an Apache httpd web server and creates the HTML page it serves:

#!/bin/bash
# User data runs as root at first boot, so no sudo is needed.
yum update -y
yum install httpd -y
systemctl start httpd
systemctl enable httpd
# Publish a one-line index page (also used by the load balancer health check).
echo "<html><h1> Welcome to Whizlabs Server 2 </h1></html>" >> /var/www/html/index.html

  5. Leave the rest of the fields as default and click on .
  6. Add Storage: No need to change anything in this step. Click on .
  7. Add Tags: Click on 
    • Key: Enter Name
    • Value: Enter MyEC2Server2
    • Click on .
  8. Configure Security Group: Select Select an existing security group.
    • Select the MyWebserverSG security group from the list.
    • Click on .
  9. Review and Launch: Review all your selected settings and click on .
  10. Key Pair: Select Choose an existing key pair from the dropdown list and then select MyWebserverKey from the list.
  11. Check the  checkbox and then click on .
  12. Your instances are now launching. Navigate to the EC2 instance page and wait until the status changes to . It usually takes 1-2 minutes.

Task 4: Create an Application Load Balancer and Target Group

  1. Navigate to  from the left side menu under Load Balancing.
  2. Click on the  button.
  3. Select Load Balancer Type: Under , click on .
  4. The next five screens require some custom configuration. If a field is not mentioned, leave it at its default or empty.
    • Configure Load Balancer:
      • Name: Enter MyWAFLoadBalancer
      • Scheme: Select  (an internet-facing load balancer routes requests from clients over the Internet to targets).
      • IP address type: IPv4
      • Listeners:
        • Load Balancer Protocol: HTTP
        • Load Balancer Port: 80
      • VPC: Select the default VPC (scroll down).
      • Availability Zones: Select all available zones using the checkboxes.
      • Tags:
        • Key: Enter Name
        • Value: Enter MyWAFLoadBalancer
    • Click on the  button.
    • Configure Security Settings: No changes needed; leave the warning at the top. Then click on .
    • Configure Security Groups: Select Select an existing security group and choose MyWebserverSG (the security group already created during the EC2 instance launch).

Note: You can also create a new security group with HTTP port 80 open (0.0.0.0/0).

    • Click on 
  5. Configure Routing:
    • Target group: New target group
    • Target group name: Enter MyWAFTargetGroup
    • Leave other settings as default.
    • Under Health check settings:
      • Path: Enter /index.html
    • Under Advanced health check settings:
      • Healthy threshold: 3
      • Unhealthy threshold: 2 (Default)
      • Timeout: 5 seconds (Default)
      • Interval: 6 seconds
      • Success codes: 200 (Default)
    • Click on 
  6. Register Targets: We need to add both EC2 instances to the target group of this load balancer.
    • Under Instances, select the two EC2 instances (MyEC2Server1, MyEC2Server2) from the list.
    • Click on 
    • Both EC2 instances will be added under Registered targets.
    • Next, click on 
  7. Review: Check your inputs and then click 
  8. You will now see the message Successfully created load balancer. Click on .
  9. Wait until your Application Load Balancer status becomes active.

Task 5: Test Load Balancer DNS

  1. Now navigate to  from the left side menu under Load Balancing.
  2. Click on the MyWAFTargetGroup target group name.
  3. Select the  tab and wait till both targets become healthy (important).
  4. Now navigate to  from the left side menu under Load Balancing again.
  5. Select the MyWAFLoadBalancer load balancer and copy the DNS name under the  tab.
  6. Enter the DNS name of the ELB as the address in the browser.
    • DNS Example: MyWAFLoadBalancer-2020171322.us-east-1.elb.amazonaws.com
  7. You should see the index.html page content of Web Server 1 or Web Server 2.
  8. Now refresh the page a few times. You will observe that the index page changes each time you refresh.
    • Note: The ELB divides the incoming traffic equally between both servers in a round-robin manner.
  9. Test SQL Injection:
    • Append the following path and query string to the ELB DNS name: /product?item=securitynumber'+OR+1=1--
    • Syntax: http://<ELB DNS>/product?item=securitynumber'+OR+1=1--
    • Example: MyWAFLoadBalancer-2020171322.us-east-1.elb.amazonaws.com/product?item=securitynumber'+OR+1=1--
    • You will see the output below.
    • Here the SQL injection string reached the server. Since the server only has an index page, it cannot resolve the /product URL, which is why you got a Not Found page.
  10. Test Query String Parameter:
    • Append the following query string to the ELB DNS name: /?admin=123456
    • Syntax: http://<ELB DNS>/?admin=123456
    • Example: MyWAFLoadBalancer-2020171322.us-east-1.elb.amazonaws.com/?admin=123456
    • You will see the output below.
    • Here too the query string reached the server. The server always passes the query string through to the application code; since there is no code to handle it here, it is simply an unused value and no error is thrown, so you got the normal page back.

Task 6: Create AWS WAF Web ACL

  1. Navigate to WAF by clicking on the  menu at the top, then click on  in the  section.
  2. On the left side menu, select  and then click on the  button.
  3. Describe web ACL and associate it to AWS resources:
    • Name: Enter MyWAFWebAcl
    • Description: Enter WAF for SQL Injection, Geo location and Query String parameters
    • CloudWatch metric name: Automatically set from the web ACL name, so no changes required.
    • Resource type: Select Regional resources
    • Region: Select US East (N. Virginia) from the dropdown.
    • Associated AWS resources:
      • Click on the  button.
      • Resource type: Select Application Load Balancer
      • Select the MyWAFLoadBalancer load balancer from the list.
      • Now click on the  button.
    • Click on the  button.
  4. Add rules and rule groups:
    • Under Rules, click on  and then select .
      • Rule type: Select Rule builder
      • Name: Enter GeoLocationRestriction
      • Type: Select Regular type
      • If a request: Select 
      • Inspect: Select 
      • Country codes: Select <Your Country>. In this example we select India - IN.
      • Note: You can also select multiple countries.
      • IP address to use to determine the country of origin: Select Source IP address
      • Under Then: Action: Select Block.
      • Click on .
    • Here we are only allowing requests that come from India; all requests that come from other countries will be blocked.
    • Under Rules, click on  and then select .
      • Rule type: Select Rule builder
      • Name: Enter QueryStringRestriction
      • Type: Select Regular type
      • If a request: Select 
      • Inspect: Select 
      • Match type: Select 
      • String to match: Enter admin
      • Text transformation: Leave as default.
      • Under Then: Action: Select Block.
      • Click on .
    • Whenever the request URL contains a query string with admin in it, WAF will block that request.
    • Under Rules, click on  and then select .
      • It will take a few moments to load the page. It lists all the rule groups managed by AWS.
      • Click on .
      • Scroll down to SQL database and enable the corresponding Add to web ACL toggle.
      • Scroll down to the end and click on .
    • Now you have 3 rules added.
    • Under Default web ACL action for requests that don't match any rules, Default action: Select Allow.
    • Click on the  button.
  5. Set rule priority:
    • No changes required; leave as default.
    • Note: You can reorder the rules according to your priority.
    • Click on the  button.
  6. Configure metrics:
    • Leave as default.
    • Click on the  button.
  7. Review and create web ACL:
    • Review the configuration, scroll to the end and click on the  button.
  8. It will take a few seconds to create the web ACL, so wait till it is completed.
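The same three-rule web ACL expressed as WAFv2 API statements for boto3, as an added example that is not part of the lab. It assumes the geo rule is an allow-list (a NotStatement around a GeoMatchStatement, matching the lab's explanation that only India is allowed), that the managed "SQL database" group is AWSManagedRulesSQLiRuleSet, and that ALB_ARN is a placeholder you replace with the real ARN of MyWAFLoadBalancer.

```python
import json

# Constructed sample values: replace ALB_ARN with the real ARN of MyWAFLoadBalancer.
WEB_ACL_NAME = "MyWAFWebAcl"
ALLOWED_COUNTRY_CODES = ["IN"]     # the lab's example country; add more codes as needed
QUERY_STRING_NEEDLE = "admin"
ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/MyWAFLoadBalancer/PLACEHOLDER"


def visibility(metric_name):
    """CloudWatch metric settings that every WAFv2 rule and web ACL must carry."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}

def geo_rule(allowed_codes, priority=0):
    """Block any request whose source IP does NOT geolocate to allowed_codes.
    The NotStatement wrapper gives the allow-list behaviour the lab describes."""
    return {"Name": "GeoLocationRestriction", "Priority": priority,
            "Statement": {"NotStatement": {"Statement": {
                "GeoMatchStatement": {"CountryCodes": list(allowed_codes)}}}},
            "Action": {"Block": {}},
            "VisibilityConfig": visibility("GeoLocationRestriction")}

def query_string_rule(needle, priority=1):
    """Block any request whose query string contains needle (no text transformation)."""
    return {"Name": "QueryStringRestriction", "Priority": priority,
            "Statement": {"ByteMatchStatement": {
                "FieldToMatch": {"QueryString": {}},
                "PositionalConstraint": "CONTAINS",
                "SearchString": needle.encode(),          # boto3 expects bytes here
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
            "Action": {"Block": {}},
            "VisibilityConfig": visibility("QueryStringRestriction")}

def sqli_managed_rule(priority=2):
    """Attach the AWS-managed 'SQL database' rule group. Managed groups take an
    OverrideAction instead of an Action; None keeps the group's own block actions."""
    return {"Name": "AWS-AWSManagedRulesSQLiRuleSet", "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet"}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": visibility("AWS-AWSManagedRulesSQLiRuleSet")}

def build_web_acl(name=WEB_ACL_NAME, allowed_codes=ALLOWED_COUNTRY_CODES,
                  needle=QUERY_STRING_NEEDLE):
    """Assemble the regional web ACL: three rules in lab order, default action Allow."""
    return {"Name": name, "Scope": "REGIONAL",           # an ALB is a regional resource
            "DefaultAction": {"Allow": {}},
            "Rules": [geo_rule(allowed_codes), query_string_rule(needle), sqli_managed_rule()],
            "VisibilityConfig": visibility(name)}

def deploy(acl, resource_arn, region="us-east-1"):
    """Create the web ACL and associate it with the ALB (needs AWS credentials)."""
    import boto3                                       # imported here so the builders run offline
    wafv2 = boto3.client("wafv2", region_name=region)
    acl_arn = wafv2.create_web_acl(**acl)["Summary"]["ARN"]
    wafv2.associate_web_acl(WebACLArn=acl_arn, ResourceArn=resource_arn)
    return acl_arn

if __name__ == "__main__":
    print(json.dumps(build_web_acl(), indent=2, default=bytes.decode))
    # deploy(build_web_acl(), ALB_ARN)                 # run once ALB_ARN is real
```

Rule priorities 0, 1, 2 reproduce the order the lab adds the rules in, so "leave as default" on the Set rule priority screen gives the same evaluation order.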

Task 7: Test Load Balancer DNS

  1. Now navigate to  from the left side menu under Load Balancing again.
  2. Select the MyWAFLoadBalancer load balancer and copy the DNS name under the  tab.
  3. Enter the DNS name of the ELB as the address in the browser.
    • DNS Example: MyWAFLoadBalancer-2020171322.us-east-1.elb.amazonaws.com
  4. You should see the index.html page content of Web Server 1 or Web Server 2.
  5. Now refresh the page a few times. You will observe that the index page changes each time you refresh.
    • Note: The ELB divides the incoming traffic equally between both servers in a round-robin manner.
  6. Test SQL Injection:
    • Append the following path and query string to the ELB DNS name: /product?item=securitynumber'+OR+1=1--
    • Syntax: http://<ELB DNS>/product?item=securitynumber'+OR+1=1--
    • Example: MyWAFLoadBalancer-2020171322.us-east-1.elb.amazonaws.com/product?item=securitynumber'+OR+1=1--
    • You will see the output below.
    • Here the SQL injection string is blocked by WAF before it reaches the server.
  7. Test Query String Parameter:
    • Append the following query string to the ELB DNS name: /?admin=123456
    • Syntax: http://<ELB DNS>/?admin=123456
    • Example: MyWAFLoadBalancer-2020171322.us-east-1.elb.amazonaws.com/?admin=123456
    • You will see the output below.
    • Here too the query string containing admin is blocked by WAF before it can reach the server.

Task 8: Validation Test

  1. Once the lab steps are completed, please click on the  button on the right side panel.
  2. This will validate the resources in the AWS account and display whether you have completed this lab successfully or not.
  3. Sample output : 

Completion and Conclusion

  1. You have successfully launched First EC2 Instance.
  2. You have successfully launched Second EC2 Instance.
  3. You have successfully created an Application Load Balancer and Target Group.
  4. You have successfully tested Load Balancer DNS.
  5. You have successfully created AWS WAF Web ACL.
  6. You have successfully tested Load Balancer DNS.

Delete AWS Resources

Delete an EC2 Instance

  1. Make sure you are in the US East (N. Virginia) Region.
  2. Navigate to EC2 by clicking on the  menu at the top, then click on  under the  section.
  3. Switch off the New EC2 experience toggle at the top left of the menu list. Click on  on the feedback prompt.
  4. Now select the EC2 instance that you have created, click on , then click on Instance State and choose the Terminate option.
  5. Click on the Yes, Terminate button and your EC2 instance will start terminating.

Delete Elastic LoadBalancer and Target Group

  1. In the EC2 console, navigate to  in the left-side panel.
  2. MyWAFLoadBalancer will be listed here.
  3. To delete the load balancer, you need to perform the following actions:
    • Select the load balancer,
    • Click on the Actions button,
    • Select the Delete option.
  4. Confirm by clicking on the Yes, Delete button when the pop-up is shown.
  5. MyWAFLoadBalancer will be deleted immediately.
  6. In the EC2 console, navigate to  in the left-side panel.
  7. MyWAFTargetGroup will be listed here.
  8. To delete the target group, you need to perform the following actions:
    • Select the target group,
    • Click on the Actions button,
    • Select the Delete option.
  9. Now click on the  button to confirm deletion.
  10. MyWAFTargetGroup will be deleted immediately.

Delete Web Acl

  1. Navigate to WAF by clicking on the  menu at the top, then click on  in the  section.
  2. On the left side menu, select  and then click on the name of the web ACL that you created, MyWAFWebAcl.
  3. Select the  tab, select the Application Load Balancer and click on the  button.
  4. In the text box enter remove and click on the  button.
  5. On the left side menu, select  and then select the radio button of the web ACL that you created, MyWAFWebAcl.
  6. Click on the  button. In the text box enter delete and click on the  button.
  7. The web ACL is now deleted.
