Overview
Goal: The protected backend has some text fields in HTML forms where user input could lead to false positives. Because of that, the Microgateway configuration must be extended with deny rule exceptions.

Notes: The purpose of the test strings in this exercise is to trigger a deny rule. Therefore, the request is blocked and you can practise how to configure deny rule exceptions. In real life, ensure that the backend application has no vulnerability in the fields for which you configure deny rule exceptions.
Preparation
- Deploy the Kubernetes exercise
  1. Run the following commands:
  - The exercise has been deployed successfully.
The exercise does not contain any licenses. Therefore, Airlock Microgateway runs as Community Edition.
For more details see Features and support.
To run the exercise as Premium Edition, copy a valid license to .templates/microgateway/secret/microgateway.lic and execute kubectl apply -k . to re-deploy the Microgateway.
Instruction part 1 - Adapt the configuration to prevent false-positives on the Contact page
1. Connect to the website:
   - Open the URL in your browser: https://<MINIKUBE_IP>/
2. Use the test strings to trigger false positives in the following HTML fields:
   - Search, in the top right corner
   - After clicking on No Comments, the fields:
     - Comment
     - Name
   - The HTML form to leave a comment also contains the fields Email and Website. Since the format of an email address or a URL is very clear, a false positive there is nearly impossible. Therefore, we recommend not configuring a deny rule exception for these fields, to achieve the best security.
3. Watch the logs of the Microgateway pod.
4. Edit Microgateway's configuration file. For the mapping wordpress, configure:
   - deny_rule_groups[].rule_group_keys[]
   - deny_rule_groups[].exceptions[]
5. Apply the new configuration.
6. Deploy the Microgateway with the new configuration.
7. Check the status of the Microgateway pod.
8. Connect to the website:
   - Open the URL in your browser: https://<MINIKUBE_IP>/
   - The web application should be reachable from the browser.
9. Watch the logs of the Microgateway pod.
   - No WR-SG-BLOCK log messages are logged, even when entering the test strings which previously triggered false positives.
Edit the file config/config.yaml and configure the following settings:
Use the (Microgateway) DSL reference to accomplish this task.
After modifying the configuration file, apply the new configuration by running the following command:
Instruction part 2 - Switch off the log only mode in the configuration
1. Edit Microgateway's configuration file. For the mapping wordpress, set:
   - deny_rule_groups[].log_only: false
2. Apply the new configuration.
3. Deploy the Microgateway with the new configuration.
4. Check the status of the Microgateway pod.
5. Connect to the website:
   - Open the URL in your browser: https://<MINIKUBE_IP>/
   - The web application should be reachable from the browser.
6. Watch the logs of the Microgateway pod.
   - No WR-SG-BLOCK log messages are logged, even when entering the test strings which previously triggered false positives.
   - Sending the test string in a parameter other than those tested before results in a block.
Edit the file config/config.yaml and configure the following settings:
Use the (Microgateway) DSL reference to accomplish this task.
After modifying the configuration file, apply the new configuration by running the following command:
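A config/config.yaml fragment for the mapping wordpress that covers both parts (the exceptions from part 1 and the log_only switch from part 2), added here as an illustration rather than the tutorial's own solution file. The deny_rule_groups keys named in the steps are taken from the page; the surrounding mapping skeleton, the exception sub-keys (parameter_name, path, pattern), the WordPress parameter names (s, comment, author) and the comment-form path are assumptions to verify against the Microgateway DSL reference.

```yaml
# Added illustration for config/config.yaml, not the tutorial's solution.
# Only the mapping "wordpress" is shown; the mapping skeleton, the
# exception sub-keys and the WordPress parameter names are assumptions
# and must be checked against the Microgateway DSL reference.
mappings:
  - name: wordpress
    deny_rule_groups:
      # <RULE_GROUP_KEY>: placeholder for the rule group reported in
      # the WR-SG-BLOCK log line when a test string was entered.
      - rule_group_keys: [<RULE_GROUP_KEY>]
        # Part 2: with log_only: true a hit is only logged and the
        # request passes; false makes the deny rules actually block
        # any hit that is not covered by an exception below.
        log_only: false
        # Part 1: each exception is scoped to one parameter name and,
        # where the form has a fixed action URL, to that path, so the
        # deny rules keep applying to every other parameter and path.
        exceptions:
          # Search box in the top right corner (WordPress sends the
          # search term as query parameter "s" on the site root; assumed).
          - parameter_name:
              pattern: ^s$
            path:
              pattern: ^/$
          # "Comment" and "Name" fields of the comment form, posted to
          # WordPress's comment handler as "comment" and "author" (assumed).
          - parameter_name:
              pattern: ^(comment|author)$
            path:
              pattern: ^/wp-comments-post\.php$
          # Deliberately no exception for Email and Website: their
          # formats are strict enough that a false positive there is
          # nearly impossible, and a shorter exception list keeps more
          # of the deny rules active.
```

After re-deploying, the check from the steps above still applies: the former false positives no longer produce WR-SG-BLOCK messages, while the same test string in any other parameter or path is blocked.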
Cleanup
- Delete Kubernetes resources from previous exercises or solutions
  1. Run the following commands:
     kubectl delete all,ing,cm,secrets,pv,pvc,sa,roles,rolebindings,clusterroles,clusterrolebindings -l purpose=microgateway-tutorial
  - All relevant Kubernetes resources in the namespace have been deleted successfully.