
Azure WAF Public Preview: JavaScript Challenge


Microsoft has recently released the JavaScript challenge in public preview for Azure WAF on Application Gateway and Azure Front Door.

Approximately 48% of internet traffic is generated by bots, with 30% attributed to malicious bots. These harmful bots are programmed to attack web and mobile applications for fraudulent and malevolent purposes; they are typically automated scripts that scrape websites to manipulate SEO rankings or prices, launch denial-of-inventory attacks, and carry out other malicious activities. Given the risks to internet-exposed web applications, Azure WAF needs to detect and mitigate these bad bots, and the Azure WAF JavaScript challenge is the mechanism that does so.

The Azure WAF JavaScript (JS) challenge is a non-interactive, invisible web challenge used to distinguish legitimate users from bad bots. It is served to every matching client, legitimate user or attacker, as an intermediate page. Bad bots fail the JS challenge, while real users pass it. Because the challenge requires no human intervention, it adds no friction for real users. Hence, the Azure WAF JS challenge is an effective way to protect against bot attacks without introducing customer friction.

Key Features

The invisible challenge is presented when a user's request matches a specific rule, prompting the client's browser to compute the challenge without user interaction. Successful computation allows the user through, while failed attempts block malicious bots. The challenge is reissued if the user's IP address changes or if they access the page from a different domain, ensuring continuous protection.

(screenshot: BotCheck.png)

To modify the Bot Manager managed rule actions to utilize the JavaScript Challenge, users can access the Managed Rules section within their WAF policy and customize the actions for each rule group. This flexibility ensures that the WAF can respond dynamically to various security scenarios, implementing the JavaScript Challenge as needed to maintain a secure environment.

Managed Rule Actions for Application Gateway: (screenshot: JSAction.png)

Managed Rule Actions for Azure Front Door: (screenshot: JSAction-AFD.png)

Creating custom rules within Azure WAF is straightforward and allows for tailored security measures. Administrators can navigate to the Web Application Firewall Policies section, select their policy, and add custom rules that specify conditions and actions such as allow, block, log, and now, JS Challenge.

Custom Rule Actions for Application Gateway: (screenshot: Custom.png)

Custom Rule Actions for Azure Front Door: (screenshot: Custom-AFD.png)

Additionally, the JavaScript challenge cookie has a customizable lifetime, defaulting to 30 minutes, after which the user must revalidate. You can customize the cookie lifetime from 5 minutes up to 1440 minutes (24 hours).

Policy Settings for Application Gateway: (screenshot: PolicySetting.png)

Policy Settings for Azure Front Door: (screenshot: PolicySetting-AFD.png)

Monitoring

When the JS Challenge is triggered, details of the event are captured in the AzureDiagnostics table, allowing administrators to track the number of challenges issued. Additionally, comprehensive logs are maintained, which record all JS Challenge instances, offering insights into the traffic patterns and security events. These logs are crucial for analyzing and understanding the nature of the threats and the effectiveness of the JS Challenge in near real-time. This level of monitoring ensures that administrators have the visibility they need to maintain robust security measures and protect their web applications from malicious activities.

Metrics & Logs for Application Gateway: (screenshots: Metrics.png, Logs.png)

// JS Challenge events logged by the Application Gateway WAF
AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog"
| where Message contains "JSChallenge"
| project TimeGenerated, clientIp_s, requestUri_s, Message, ruleSetType_s, ruleId_s, details_data_s

Metrics & Logs for Azure Front Door: (screenshots: Metrics-AFD.png, Logs-AFD.png)

// JS Challenge actions logged by the Azure Front Door WAF
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorWebApplicationFirewallLog"
| where action_s contains "JSChallenge"
| project TimeGenerated, Resource, policy_s, clientIP_s, clientPort_d, requestUri_s, details_matches_s, details_msg_s, action_s, trackingReference_s
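As an added example, not part of the original post, the following Python applies the same two filters as the queries above to a handful of constructed AzureDiagnostics rows and flags client IPs that keep being challenged inside one 30-minute cookie lifetime, which is what a client that never passes the challenge looks like. The column names come from the queries; the Message/action_s text, the sample IPs and the threshold of 3 are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the AzureDiagnostics shape the page's queries project; column names
# follow the two queries, the Message/action_s text is constructed around the page's "JSChallenge".
SAMPLE_ROWS = [
    {"Category": "ApplicationGatewayFirewallLog", "TimeGenerated": "2024-05-01T10:00:00Z",
     "clientIp_s": "203.0.113.10", "requestUri_s": "/login", "Message": "JSChallenge issued"},
    {"Category": "ApplicationGatewayFirewallLog", "TimeGenerated": "2024-05-01T10:05:00Z",
     "clientIp_s": "203.0.113.10", "requestUri_s": "/login", "Message": "JSChallenge issued"},
    {"Category": "ApplicationGatewayFirewallLog", "TimeGenerated": "2024-05-01T10:09:00Z",
     "clientIp_s": "203.0.113.10", "requestUri_s": "/api/prices", "Message": "JSChallenge issued"},
    {"Category": "ApplicationGatewayFirewallLog", "TimeGenerated": "2024-05-01T10:02:00Z",
     "clientIp_s": "198.51.100.7", "requestUri_s": "/", "Message": "Matched rule, action Block"},
    {"Category": "FrontDoorWebApplicationFirewallLog", "TimeGenerated": "2024-05-01T10:03:00Z",
     "clientIP_s": "192.0.2.55", "requestUri_s": "/checkout", "action_s": "JSChallenge"},
    {"Category": "FrontDoorWebApplicationFirewallLog", "TimeGenerated": "2024-05-01T11:30:00Z",
     "clientIP_s": "192.0.2.55", "requestUri_s": "/checkout", "action_s": "JSChallenge"},
]

COOKIE_LIFETIME = timedelta(minutes=30)  # page default; a policy may set 5 to 1440 minutes

def is_js_challenge(row):
    """The page's two filters: Message for Application Gateway, action_s for Front Door."""
    if row.get("Category") == "ApplicationGatewayFirewallLog":
        return "JSChallenge" in row.get("Message", "")
    if row.get("Category") == "FrontDoorWebApplicationFirewallLog":
        return "JSChallenge" in row.get("action_s", "")
    return False

def challenge_times(rows):
    """Sorted challenge timestamps per client IP (the two schemas differ only in column case)."""
    times = defaultdict(list)
    for row in rows:
        if is_js_challenge(row):
            ip = row.get("clientIp_s") or row.get("clientIP_s")
            times[ip].append(datetime.strptime(row["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ"))
    return {ip: sorted(ts) for ip, ts in times.items()}

def repeatedly_challenged(rows, window=COOKIE_LIFETIME, threshold=3):
    """IPs challenged `threshold` or more times inside one cookie lifetime. A client that passes
    keeps its cookie for the window and is re-challenged only on an IP or domain change, so a
    burst from one IP is a client that keeps failing. `threshold` is an assumed tuning value."""
    flagged = {}
    for ip, stamps in challenge_times(rows).items():
        peak = max(sum(1 for t in stamps[i:] if t - start <= window)
                   for i, start in enumerate(stamps))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Lower the threshold or widen the window to match the cookie lifetime configured in your policy; a raised lifetime means a passing client goes even longer between challenges.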


Conclusion

The prevalence of bad bots in internet traffic poses a significant threat to web and mobile applications, necessitating robust defense mechanisms. Azure WAF's JavaScript challenge represents a sophisticated and user-friendly solution to this problem. By seamlessly differentiating between legitimate users and malicious bots without disrupting the user experience, Azure WAF ensures the security and integrity of Azure services. The recent release of the JavaScript challenge in public preview for Azure WAF on Application Gateway and Azure Front Door marks a pivotal advancement in cybersecurity measures. It is a testament to Microsoft's commitment to innovation and its proactive approach to safeguarding digital assets against the ever-evolving landscape of cyber threats. As cyber-attacks become more sophisticated, such preemptive measures will be crucial in maintaining the trust and reliability that users expect from Azure services.
