Loading...

Azure WAF Public Preview: JavaScript Challenge

Azure WAF Public Preview: JavaScript Challenge

Microsoft has recently released JavaScript challenge in public preview for Azure WAF on Application Gateway and Azure Front Door.

 

Approximately 48% of internet traffic is generated by bots, with 30% attributed to malicious bots. These harmful bots are programmed to attack web and mobile applications for fraudulent and malevolent purposes. These bad bots are typically automated test scripts that scrape websites to manipulate SEO rankings or prices, launch denial-of-inventory attacks and commit other malicious activities. Considering the risks associated with internet-exposed web applications, it is necessary for Azure WAF to detect and mitigate the bad bots. The mitigation of these attacks is accomplished by the Azure WAF JavaScript challenge.

 

The Azure WAF JavaScript (JS) challenge feature is a non-interactive, invisible web challenge used to distinguish legitimate users from bad bots. It is an invisible check issued to legitimate users and attackers as an intermediate page. Bad bots will fail the JS challenge but real users will not. Furthermore, JS challenges eliminate friction for real users since they don’t require any intervention from humans.  Hence, Azure WAF JS challenge is an effective method to protect against bot attacks without introducing customer friction.

 

Key Features

The invisible challenge is presented when a user's request matches a specific rule, prompting the client's browser to compute the challenge without user interaction. Successful computation allows the user through, while failed attempts block malicious bots. The challenge is reissued if the user's IP address changes or if they access the page from a different domain, ensuring continuous protection.

 

BotCheck.png

 

To modify the Bot Manager managed rule actions to utilize the JavaScript Challenge, users can access the Managed Rules section within their WAF policy and customize the actions for each rule group. This flexibility ensures that the WAF can respond dynamically to various security scenarios, implementing the JavaScript Challenge as needed to maintain a secure environment.

 

Managed Rule Actions for Application Gateway:

JSAction.png

 

Managed Rule Actions for Azure Front Door:

JSAction-AFD.png

 

Creating custom rules within Azure WAF is straightforward and allows for tailored security measures. Administrators can navigate to the Web Application Firewall Policies section, select their policy, and add custom rules that specify conditions and actions such as allow, block, log, and now, JS Challenge.

 

Custom Rule Actions for Application Gateway:

Custom.png

 

Custom Rule Actions for Azure Front Door:

Custom-AFD.png

 

Additionally, the JavaScript challenge cookie has a customizable lifetime, defaulting to 30 minutes, after which the user must revalidate. You can customize the cookie lifetime from 5 minutes up to 1440 minutes (24 hours).

 

Policy Settings for Application Gateway:

PolicySetting.png

 

Policy Settings for Azure Front Door:

PolicySetting-AFD.png

 

Monitoring

When the JS Challenge is triggered, details of the event are captured in the AzureDiagnostics table, allowing administrators to track the number of challenges issued. Additionally, comprehensive logs are maintained, which record all JS Challenge instances, offering insights into the traffic patterns and security events. These logs are crucial for analyzing and understanding the nature of the threats and the effectiveness of the JS Challenge in near real-time. This level of monitoring ensures that administrators have the visibility they need to maintain robust security measures and protect their web applications from malicious activities.

 

Metrics & Logs for Application Gateway:

Metrics.png

Logs.png

 

AzureDiagnostics

| where Category == “ApplicationGatewayFirewallLog”

| where Message contains “JSChallenge”

| project TimeGenerated, clientIp_s, requestUri_s, Message, ruleSetType_s, ruleId_s, details_data_s

 

Metrics & Logs for Azure Front Door:

Metrics-AFD.png

Logs-AFD.png

 

AzureDiagnostics

| where ResourceProvider == “MICROSOFT.CDN” and Category == “FrontDoorWebApplicationFirewallLog”

| where action_s contains “JSChallenge”

| project TimeGenerated, Resource, policy_s, clientIP_s, clientPort_d, requestUri_s, details_matches_s, details_msg_s, action_s, trackingReference_s

 

Conclusion

The prevalence of bad bots in internet traffic poses a significant threat to web and mobile applications, necessitating robust defense mechanisms. Azure WAF's JavaScript challenge represents a sophisticated and user-friendly solution to this problem. By seamlessly differentiating between legitimate users and malicious bots without disrupting the user experience, Azure WAF ensures the security and integrity of Azure services. The recent release of the JavaScript challenge in public preview for Azure WAF on Application Gateway and Azure Front Door marks a pivotal advancement in cybersecurity measures. It is a testament to Microsoft's commitment to innovation and its proactive approach to safeguarding digital assets against the ever-evolving landscape of cyber threats. As cyber-attacks become more sophisticated, such preemptive measures will be crucial in maintaining the trust and reliability that users expect from Azure services.

 

Learn More

Published on:

Learn more
Azure Network Security Blog articles
Azure Network Security Blog articles

Azure Network Security Blog articles

Share post:

Related posts

Improve the “R” in RAG and embrace Agentic RAG in Azure SQL

The RAG (Retrieval Augmented Generation) pattern, which is commonly discussed today, is based on the foundational idea that the retrieval part...

9 hours ago

Primer: How to Schedule Azure Automation Runbooks to Process Microsoft 365 Data

After creating some Azure automation runbooks to process Microsoft 365 data, a schedule means that the runbook will execute. This article disc...

19 hours ago

Primer: Output Data Generated with an Azure Automation Runbook to a SharePoint List

The second part of the Azure Automation runbook primer brings us to output, specifically how to create items generated by a runbook in a Share...

1 day ago

Databricks vs Azure Synapse Analytics: A Comprehensive Comparison for Modern Data Solutions

Table of Contents Introduction Data is at the core of modern business decision-making. As companies increasingly rely on data-driven insights,...

2 days ago

Primer: How to Use Azure Automation to Run Microsoft Graph PowerShell SDK Scripts

A reader asked why it seems so difficult to use Azure Automation runbooks to process Microsoft 365 data. In fact, it's not so hard, and here's...

2 days ago

Extending Regular Expressions (Regex) Support on Azure SQL Managed Instance (MI)

We are happy to announce the Private Preview of Regular Expressions (Regex) support on Azure SQL Managed Instance (MI). This new feature bring...

3 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy