Exploit Public-Facing Application

1. WAF Alert

Alert Source: AWS WAF / Cloudflare WAF
Alert Time: 2023-10-27 08:45:22 UTC
Severity: Critical
Application: Public Customer Portal (customer.ourcompany.com)
Alert Title: “SQL Injection Attempt Bypassing Authentication”
Alert ID: WAF-ALERT-45678

Alert Details:

WAF Rule: SQLi_Bypass_Attempt_1
Source IP: 45.134.225[.]67 (DigitalOcean, Netherlands)
HTTP Method: POST
Target URL: /api/v1/auth/login
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Request Headers:
- Content-Type: application/json
- X-Forwarded-For: 45.134.225[.]67

Request Body/Payload:
{
  "username": "admin' OR '1'='1'--",
  "password": "anything",
  "remember": "true"
}

Rule Action: BLOCKED
HTTP Response: 403 Forbidden

Additional Context:
- This IP made 247 requests in the past 5 minutes with varying SQLi payloads
- Targeted endpoints: /login, /api/v1/auth/login, /admin/login
- Previous alerts: XSS attempts, path traversal

MITRE ATT&CK Mapping:

  • T1190: Exploit Public-Facing Application
  • T1110: Brute Force
  • T1588: Obtain Capabilities

2. Investigation Process & Tools Used

Step 1: Alert Validation
  Action: Verify alert legitimacy, check if the request was actually blocked.
  Tools Used: AWS WAF Console, Cloudflare Dashboard
  Findings & Actions: Confirmed request blocked at WAF layer. No traffic reached application servers.

Step 2: Source Analysis
  Action: Investigate source IP, geolocation, reputation.
  Tools Used: AbuseIPDB, VirusTotal, GreyNoise
  Findings & Actions: IP 45.134.225[.]67: Known malicious, 87 reports on AbuseIPDB, associated with “SQLi_Scanner” in GreyNoise.

Step 3: Payload Analysis
  Action: Analyze the SQL injection technique and the bypass attempt.
  Tools Used: WAF Logs, Manual Analysis
  Findings & Actions: Classic SQL injection: admin' OR '1'='1'--. Attempting to bypass authentication.

Step 4: Application Logs Review
  Action: Check if any similar patterns got through previously.
  Tools Used: ELK Stack (Logstash), Splunk SIEM
  Findings & Actions: Searched for similar patterns in the last 7 days. Found 3 successful logins with suspicious timing but from different IPs.

Step 5: Vulnerability Assessment
  Action: Check if the application is actually vulnerable to this attack.
  Tools Used: Burp Suite, OWASP ZAP, Nessus
  Findings & Actions: Application uses parameterized queries – not vulnerable to SQLi. However, found API endpoint rate limiting misconfigured.

Step 6: Scope Assessment
  Action: Determine if other apps/servers were targeted; check for lateral attempts.
  Tools Used: WAF Analytics, Network Firewall Logs
  Findings & Actions: Same IP scanned port 22 (SSH) and 3389 (RDP) on the same server. All blocked by network ACLs.

Step 7: Threat Hunting
  Action: Proactive search for successful compromises or data exfiltration.
  Tools Used: EDR (CrowdStrike), Database Audit Logs, VPC Flow Logs
  Findings & Actions: No evidence of compromise. Database logs show normal activity pattern.

Step 8: Containment
  Action: Block source, implement additional protections.
  Tools Used: WAF Rule Updates, Network Firewall, Cloudflare Rulesets
  Findings & Actions:
    1. Added IP to WAF permanent blocklist.
    2. Created custom rate limiting rule for /auth endpoints.
    3. Blocked IP at network firewall.

Step 9: Remediation
  Action: Fix vulnerabilities, harden application.
  Tools Used: GitHub Actions (CI/CD), Terraform, Security Scanning
  Findings & Actions:
    1. Fixed rate limiting configuration via Terraform.
    2. Added additional WAF rules for SQLi patterns.
    3. Implemented IP reputation blocking.

Step 10: Monitoring
  Action: Enhance detection capabilities.
  Tools Used: AWS CloudWatch, SIEM Alerts, Threat Intel Feeds
  Findings & Actions: Created new correlation rule: “Multiple SQLi attempts from same IP within 5 minutes.”

3. Detailed Jira Comment

Jira Ticket: SOC-2023-0894
Summary: SQL Injection Attempt on Customer Portal Authentication Endpoint
Status: Resolved
Resolution: Malicious - Blocked & Remediated
Priority: P1 - Critical
Labels: waf-alert, sql-injection, public-facing-app, authentication-bypass
Affected Component: Customer Portal (customer.ourcompany.com)

Comment by [Walter White] – :

INCIDENT ANALYSIS REPORT: EXPLOIT PUBLIC-FACING APPLICATION

1. Executive Summary:
On 2023-10-27 at 08:45 UTC, AWS WAF detected and blocked a SQL injection attempt targeting the customer portal authentication endpoint (/api/v1/auth/login). The attack originated from IP 45.134.225[.]67 (Netherlands) and attempted to bypass authentication using classic SQL injection techniques. The WAF successfully blocked all requests, and no application or database compromise occurred. Investigation revealed a rate limiting misconfiguration that has been remediated.

2. Timeline:

08:40 - Scanning begins: IP 45.134.225[.]67 starts reconnaissance
08:42 - First SQLi attempt detected (blocked by WAF)
08:45 - Critical alert: SQLi authentication bypass attempt
08:47 - SOC analyst reviews alert, begins investigation
09:00 - Threat intelligence enrichment confirms malicious IP
09:15 - Application logs reviewed, no successful bypass found
09:30 - Vulnerability assessment initiated
10:00 - Rate limiting misconfiguration identified and fixed
10:30 - Additional WAF rules deployed
11:00 - Incident closure process begins

3. Technical Analysis:

  • Attack Vector: SQL Injection via authentication endpoint with payload: admin' OR '1'='1'--
  • Tool Indication: Based on request patterns and User-Agent, likely automated scanner (sqlmap or similar).
  • Source IP Analysis:
    • IP: 45.134.225[.]67 (DigitalOcean, Amsterdam)
    • AbuseIPDB Score: 98/100 (87 reports for SQLi, XSS, brute force)
    • GreyNoise Classification: “SQLi_Scanner” – benign but noisy
    • Historical Context: First seen targeting our infrastructure 3 days ago
  • Application Security Assessment:
    • SQL Injection Vulnerability: FALSE – Application uses parameterized queries (verified via code review).
    • Rate Limiting Issue: TRUE – /api/v1/auth/login endpoint had per-IP limit of 1000 requests/minute instead of 10.
    • Logging Coverage: Adequate – All authentication attempts logged with timestamps and IPs.
  • Attack Pattern Analysis:
    The attacker employed a standard methodology:
    1. Reconnaissance: Identify authentication endpoints
    2. Automated testing: SQLi payload variations
    3. Evasion attempts: Changing User-Agents, adding headers
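The parameterized-query finding above, as an added illustration that is not code from the portal or from this report: an in-memory SQLite table (assumed schema, plaintext password only for brevity) is queried first with the string-concatenation anti-pattern and then with bound parameters, using the username value from the alert. Only the concatenated form lets the payload through, which is exactly what the code review ruled out.

```python
import sqlite3

PAYLOAD = "admin' OR '1'='1'--"   # the username value from the WAF alert

def make_db():
    """Constructed in-memory stand-in for the portal's user table (assumed
    schema; a real application stores and compares a password hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-password')")
    conn.commit()
    return conn

def login_concatenated(conn, username, password):
    """Anti-pattern: input spliced into the SQL text. The payload closes the
    quote, adds a tautology, and its '--' comments out the password check."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, username, password):
    """What the report's code review found in place: bound parameters. The
    driver sends the payload as data, so it is compared literally against
    the username column and matches no row."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None
```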

4. Scope & Impact Assessment:

  • Compromised Systems: None
  • Data Accessed: No unauthorized access
  • Availability Impact: Minimal (increased load but within capacity)
  • Business Impact: Low – WAF performed as designed, no service disruption

5. Containment & Remediation Actions:

  • Immediate Containment (08:45-09:30):
    • IP 45.134.225[.]67 added to WAF blocklist (AWS WAF IP Set)
    • Network firewall rule added to block IP at perimeter (Palo Alto)
    • Cloudflare security level set to “I’m Under Attack” for 1 hour
  • Vulnerability Remediation (09:30-10:30):
    • Rate Limiting Fix: Updated AWS WAF rate-based rule from 1000 to 10 requests per 5 minutes for /api/v1/auth/*
    • Additional WAF Rules: Deployed AWS Managed Rule “SQLi_Body” with COUNT action
    • Application Hardening: Added additional input validation middleware
  • Monitoring Enhancements:
    • Created CloudWatch alarm for WAF block count > 50 in 5 minutes
    • Added SIEM correlation rule: “Multiple 403 from WAF for same IP + endpoint”
    • Subscribed to threat intelligence feed for SQLi scanner IPs

6. Indicators of Compromise (IOCs):

TYPE         INDICATOR                  DESCRIPTION
IP           45.134.225[.]67            Attacker IP
Payload      admin' OR '1'='1'--        SQLi authentication bypass
User-Agent   Mozilla/5.0... (varies)    Attempted to mimic a legitimate browser
HTTP Path    /api/v1/auth/login         Targeted endpoint
HTTP Method  POST                       Method used

BLOCKING RECOMMENDATIONS:
- Add to all WAF blocklists
- Add to network firewall deny rules
- Add to threat intelligence blacklists

7. Root Cause Analysis:

  • Primary Cause: Automated scanning of public-facing application by threat actor.
  • Contributing Factors:
    1. Rate limiting misconfiguration allowed excessive attempts (1000/min instead of 10)
    2. IP not preemptively blocked despite being in threat intel feeds
    3. No geographic blocking for high-risk regions where we don’t operate

8. Recommendations & Lessons Learned:

  • Technical Controls:
    1. Implement geographic blocking for regions where we have no customers (Russia, North Korea, etc.)
    2. Deploy AWS WAF Bot Control (paid feature) to better detect automated tools
    3. Consider implementing Web Application Firewall with machine learning capabilities
  • Process Improvements:
    1. Threat Intel Integration: Automate IP blocking from threat intelligence feeds
    2. Regular Configuration Audits: Quarterly review of WAF and security group configurations
    3. Incident Response Playbook: Create specific playbook for “WAF SQLi Alert”
  • Application Security:
    1. Input Validation: Add additional validation at API gateway level
    2. Security Headers: Implement Content Security Policy (CSP) and other security headers
    3. API Security: Consider implementing API gateway with additional security controls

9. Testing & Validation:

  • WAF Rules Tested: Verified new rate limiting blocks after 10 requests
  • Application Testing: Conducted penetration test on authentication endpoint – no SQLi vulnerability found
  • Monitoring Validation: Confirmed new CloudWatch alarms trigger appropriately

10. Conclusion:

This was a targeted but unsuccessful attempt to exploit a public-facing application. The WAF performed as expected, blocking all malicious requests. While no compromise occurred, the incident revealed configuration weaknesses that have been addressed. The application remains secure against SQL injection attacks due to proper coding practices (parameterized queries).

Closure Justification:

  • All malicious activity blocked at perimeter
  • Configuration vulnerabilities identified and remediated
  • No evidence of successful exploitation
  • Monitoring and detection capabilities enhanced
  • Threat actor IP permanently blocked across all security layers
