Go to the stack outputs and look for the website URL stored in the albEndpoint output value. Test access to the site by right clicking and opening in a new tab. Note the URL for your site as this will be used throughout this workshop.
While in the stack outputs, note the UniqueId value. This Id value will be used to identify the posture of your site within the automated scanner and the associated dashboard.
While still in stack outputs, right click the link in RedTeamHostSession and open in a new tab. This will launch an AWS Systems Manager Session Manager to the host you will use to perform manual scans against your site URL.
In order to test your AWS WAF ruleset, this lab has been configured with two scanning capabilities; a Red Team Host where you can invoke manual scanning and an automated scanner which runs from outside your lab environment.
The scanner performs 10 basic tests designed to help simulate and mitigate common web attack vectors.
These basic tests are designed to provide common examples you can use to test AWS WAF functionality. You should perform thorough analysis and testing when implementing rules into your production environments.
Once you have started a Session Manager connection to your Red Team Host, the scanner script can be invoked by typing the following command:
The scanner script will run each of the tests above and report back the following information:
The logic in the scanner script color codes the response as follows:
About Scanner Tests and Colors: The color coding of the tests is provided to help to quickly assess the behavior of your WAF rules against their intended behavior. The goal is to achieve green color responses for all the tests. The purpose of the canary GET and POST requests are to ensure you have not unintentionally blocked legitimate traffic to your test site. These two tests should always return a 200 - OK response.
What are the results of running the scanner script? Were the simulated malicious requests blocked? As you can see by running the script, there are several vulnerabilities that need to be addressed. In the remediate phase you will configure an AWS WAF Web ACL to block these requests. When AWS WAF blocks a web request based on the conditions that you specify, it returns HTTP status code 403 (Forbidden). For a full view of the request and response information, you can paste the Request command directly into the console and add the `--debug` argument.
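The pass/fail logic described in the two passages above (canary GET and POST must keep returning 200, simulated malicious requests should come back as 403 once the Web ACL is in place) can be written down as a small evaluator. The block below is an added example, not the workshop's own scanner script: the colour scheme beyond "green is good", the placeholder test paths, and the fake transports are all assumptions made here so the logic runs offline. The real attack test payloads are not reproduced; only the canary tests come from the page.

```python
"""Added example (not the workshop's scanner script): the evaluation logic
behind the colour-coded scan report. Each test declares the HTTP status it
should receive from a correctly configured Web ACL: the two canary requests
expect 200 (legitimate traffic must pass), every simulated-attack test
expects 403 (the AWS WAF block response)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class ScanTest:
    name: str
    method: str
    path: str
    expected_status: int


# Only the canary tests are taken from the page. The simulated-attack tests
# carry placeholder paths (an assumption of this example) so the evaluation
# logic can be exercised without any real attack payloads.
TESTS: List[ScanTest] = [
    ScanTest("canary GET", "GET", "/", 200),
    ScanTest("canary POST", "POST", "/", 200),
    ScanTest("simulated test 1 (placeholder)", "GET", "/placeholder-1", 403),
    ScanTest("simulated test 2 (placeholder)", "POST", "/placeholder-2", 403),
]


def color_for(expected: int, actual: Optional[int]) -> str:
    """Map one test outcome to a colour. Assumed scheme: green = the WAF did
    what the test intended; red = it did not (an attack test passed with 200,
    or a canary was blocked with 403); yellow = anything else (timeout, 5xx)."""
    if actual is None:
        return "yellow"
    if actual == expected:
        return "green"
    if actual in (200, 403):
        return "red"
    return "yellow"


# (method, url) -> HTTP status, or None when the request did not complete.
Sender = Callable[[str, str], Optional[int]]


def run_scan(base_url: str, send: Sender,
             tests: List[ScanTest] = TESTS) -> Dict[str, Dict[str, object]]:
    """Run every test through `send` and return a per-test report.
    The transport is injected so the scan runs against a fake site here;
    a real run would wrap an HTTP client (the workshop scanner uses httpie)."""
    results: Dict[str, Dict[str, object]] = {}
    for t in tests:
        try:
            status = send(t.method, base_url.rstrip("/") + t.path)
        except Exception:  # network error or timeout: neither 200 nor 403
            status = None
        results[t.name] = {
            "expected": t.expected_status,
            "actual": status,
            "color": color_for(t.expected_status, status),
        }
    return results


def summarize(results: Dict[str, Dict[str, object]]) -> Dict[str, int]:
    """Count results per colour; the goal of the lab is all green."""
    counts = {"green": 0, "red": 0, "yellow": 0}
    for r in results.values():
        counts[str(r["color"])] += 1
    return counts


def fake_site_without_waf(method: str, url: str) -> int:
    """Constructed transport: no Web ACL yet, so every request returns 200."""
    return 200


def fake_site_with_waf(method: str, url: str) -> int:
    """Constructed transport: placeholder attack paths are blocked with 403,
    canary requests still pass."""
    return 403 if "/placeholder-" in url else 200


if __name__ == "__main__":
    for label, sender in (("before remediation", fake_site_without_waf),
                          ("after remediation", fake_site_with_waf)):
        report = run_scan("https://example.invalid", sender)
        print(label, summarize(report))
        for name, r in report.items():
            print(f"  [{r['color']:6}] {name}: expected {r['expected']}, got {r['actual']}")
```

Running it prints two reports: before remediation the canaries are green but the simulated tests are red (they returned 200 instead of 403), and after remediation everything is green. Note that the red case covers both directions, so an over-broad rule that blocks a canary is reported just as loudly as a missing rule.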
The scanner script uses an open source HTTP client called httpie (https://httpie.org/). HTTPie (pronounced "aitch-tee-tee-pie") is a command line HTTP client with an intuitive UI, JSON support, syntax highlighting, wget-like downloads, plugins, and more.
In addition to the manual scanning, automated scanning is also performed against your lab website. The automated tests are similar to the manual tests but the results are posted to a centralized scanning results dashboard along with the other workshop participants. You can identify the scanning results for your site using the UniqueId found in the CloudFormation outputs.
You can now proceed to the Remediate Phase.