AWS WAF vs SQL Injections and Cross-Site Scripting (XSS)

Hack the OWASP Juice Shop Application and Protect It with AWS WAF (Part 2)

AWS WAF (Web Application Firewall) is a powerful security service that helps protect web applications from common exploits like SQL injections (SQLi) and Cross-Site Scripting (XSS). In this article, we explore how AWS WAF can be used to secure the OWASP Juice Shop, a deliberately vulnerable web application designed for security training.

You Should Know:

1. Setting Up AWS WAF for SQL Injection Protection

AWS WAF lets you create rules that block requests carrying SQL injection patterns. Below is an example rule built on a SqliMatchStatement. FieldToMatch accepts exactly one request component; here it is the request body, which is where the Juice Shop login form is submitted. To inspect the query string or headers as well, put one SqliMatchStatement per component inside an OrStatement. For a regional web ACL only the first 8 KB of the body is inspected by default, so larger bodies need an OversizeHandling setting or a higher body-size limit.

{
  "Name": "SqlInjectionRule",
  "Priority": 1,
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "SqlInjectionRule"
  },
  "Statement": {
    "SqliMatchStatement": {
      "FieldToMatch": {
        "Body": {}
      },
      "TextTransformations": [
        {
          "Priority": 0,
          "Type": "URL_DECODE"
        }
      ]
    }
  }
}

2. Mitigating XSS Attacks with AWS WAF

XSS attacks inject malicious scripts into web pages. AWS WAF can detect and block such attempts with the following rule, which inspects the query string (the component used by the Juice Shop search endpoint). As with the SQLi rule, FieldToMatch takes a single component; combine several XssMatchStatements in an OrStatement to cover the body or headers too.

{
  "Name": "XSSProtectionRule",
  "Priority": 2,
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "XSSProtectionRule"
  },
  "Statement": {
    "XssMatchStatement": {
      "FieldToMatch": {
        "QueryString": {}
      },
      "TextTransformations": [
        {
          "Priority": 0,
          "Type": "HTML_ENTITY_DECODE"
        }
      ]
    }
  }
}

3. Deploying AWS WAF with Terraform

Automate AWS WAF deployment using Terraform. The aws_wafv2_web_acl resource requires a visibility_config block at the web ACL level in addition to one per rule, and each field_to_match block takes exactly one component:

resource "aws_wafv2_web_acl" "juice_shop_protection" {
  name        = "juice-shop-waf"
  scope       = "REGIONAL"
  description = "WAF for OWASP Juice Shop"

  default_action {
    allow {}
  }

  rule {
    name     = "SQLi-Rule"
    priority = 1
    action {
      block {}
    }
    statement {
      sqli_match_statement {
        field_to_match {
          body {}
        }
        text_transformation {
          priority = 0
          type     = "URL_DECODE"
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "SQLiRule"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "XSS-Rule"
    priority = 2
    action {
      block {}
    }
    statement {
      xss_match_statement {
        field_to_match {
          query_string {}
        }
        text_transformation {
          priority = 0
          type     = "HTML_ENTITY_DECODE"
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "XSSRule"
      sampled_requests_enabled   = true
    }
  }

  # Required at the web ACL level as well as per rule
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "juice-shop-waf"
    sampled_requests_enabled   = true
  }
}

4. Testing Security with OWASP Juice Shop

Use curl to send one SQLi and one XSS probe to the protected application. With the rules in place, each request should be answered with a 403 by AWS WAF (the default response for a Block action) instead of reaching Juice Shop:

# Test SQL injection
curl -X POST "http://juice-shop.example.com/login" --data "email=' OR 1=1--&password=test"

# Test XSS
curl -X GET "http://juice-shop.example.com/search?q=<script>alert('XSS')</script>"

5. Monitoring AWS WAF Logs

Check blocked requests in AWS CloudWatch. WAF logging must first be enabled for the web ACL, and the destination log group name must start with the aws-waf-logs- prefix:

aws logs filter-log-events --log-group-name "aws-waf-logs-juice-shop" --filter-pattern '{ ($.action = "BLOCK") }'
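As an added example (not from the original post) of what to do with those log events once retrieved, the Python below applies the same `$.action = "BLOCK"` filter to a constructed sample of WAF log lines and tallies blocks by terminating rule and by client IP. The log lines, ARN, IPs and request ids are made up for this example; the field names follow the AWS WAF log format.

```python
import json
from collections import Counter

# Constructed sample of AWS WAF log lines (one JSON object per line), shaped like
# the records WAF writes to an aws-waf-logs-* log group. All values are made up.
SAMPLE_WAF_LOG = r"""
{"timestamp":1700000000000,"formatVersion":1,"webaclId":"arn:aws:wafv2:eu-west-1:111122223333:regional/webacl/juice-shop-waf/EXAMPLE-ID","terminatingRuleId":"SQLi-Rule","terminatingRuleType":"REGULAR","action":"BLOCK","httpRequest":{"clientIp":"198.51.100.7","country":"US","uri":"/login","args":"","httpMethod":"POST","requestId":"req-1"}}
{"timestamp":1700000001000,"formatVersion":1,"webaclId":"arn:aws:wafv2:eu-west-1:111122223333:regional/webacl/juice-shop-waf/EXAMPLE-ID","terminatingRuleId":"XSS-Rule","terminatingRuleType":"REGULAR","action":"BLOCK","httpRequest":{"clientIp":"198.51.100.7","country":"US","uri":"/search","args":"q=%3Cscript%3E","httpMethod":"GET","requestId":"req-2"}}
{"timestamp":1700000002000,"formatVersion":1,"webaclId":"arn:aws:wafv2:eu-west-1:111122223333:regional/webacl/juice-shop-waf/EXAMPLE-ID","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpRequest":{"clientIp":"203.0.113.9","country":"DE","uri":"/","args":"","httpMethod":"GET","requestId":"req-3"}}
"""


def parse_waf_log(text):
    """Yield one dict per non-empty line; lines that are not valid JSON are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize_blocks(text):
    """Keep only events with action == BLOCK (the CloudWatch filter above),
    then aggregate by terminating rule and by client IP."""
    by_rule, by_ip, blocked = Counter(), Counter(), []
    for event in parse_waf_log(text):
        if event.get("action") != "BLOCK":
            continue
        req = event.get("httpRequest", {})
        rule = event.get("terminatingRuleId", "?")
        by_rule[rule] += 1
        by_ip[req.get("clientIp", "?")] += 1
        blocked.append((rule, req.get("httpMethod"), req.get("uri")))
    return {"by_rule": dict(by_rule), "by_ip": dict(by_ip), "blocked": blocked}


if __name__ == "__main__":
    summary = summarize_blocks(SAMPLE_WAF_LOG)
    for rule, count in summary["by_rule"].items():
        print(f"{rule}: {count} blocked")
    for ip, count in summary["by_ip"].items():
        print(f"{ip}: {count} blocked")
```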

What Undercode Says

AWS WAF is a must-have for securing web applications against SQLi and XSS. By leveraging automated deployment (Terraform), custom rule sets, and real-time monitoring (CloudWatch), you can significantly reduce attack surfaces.

Expected Output:

A secured web application with AWS WAF blocking SQLi and XSS attempts, monitored via CloudWatch logs.

# Verify WAF rules
aws wafv2 get-web-acl --name juice-shop-waf --scope REGIONAL --id YOUR_WEB_ACL_ID

Reported By: Oleksii Bebych – Hackers Feeds