
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

The post shows a practical credential-skimming technique that abuses Azure Front Door (AFD) WAF Custom Rules plus Log Analytics to capture cleartext credentials passing through a protected login. This is not a product CVE; it is a misuse of legitimate features available to anyone with the ability to modify the WAF policy and read its logs.


How AFD WAF and logging behave (basis for the attack):
- AFD WAF Custom Rules can match on request elements including IPs, ...

🔧 Technical Details

AFD WAF log-only custom rule for credential skimming: Add an early-priority Front Door WAF Custom Rule that matches POST parameters used by login forms (e.g., username, password) with Operator=Any and Action=Log traffic only. Stream FrontDoor WebApplicationFirewallLog diagnostics to Log Analytics, then query the AzureDiagnostics table filtering by Category == "FrontDoorWebApplicationFirewallLog" and your ruleName_s. The cleartext values appear in details_matches_s.

```kusto
AzureDiagnostics
| where Category == "FrontDoorWebApplicationFirewallLog"
| where ruleName_s == "PasswordCapture"
| project TimeGenerated, ruleName_s, details_matches_s
| order by TimeGenerated desc
```

Stealth via evaluation semantics: On AFD WAF, a Custom Rule with Action=Log does not short-circuit evaluation; later rules still run and t...

🤖 Agent Actions

I analyzed the blog and HackTricks repository, found the correct location, and updated the Azure Front Door page with the credential-skimming technique via WAF Custom Rules and Log Analytics.

What I did:

  • Located Azure content under src/pentesting-cloud/azure-security and the Front Door page at:
    • src/pentesting-cloud/azure-security/az-services/az-front-door.md
  • Reviewed related Azure pages and style:
    • Azure Security overview: src/pentesting-cloud/azure-security/README.md
    • Services index: src/pentesting-cloud/azure-security/az-services/README.md
    • Monitoring/Log Analytics: src/pentesting-cloud/azure-security/az-services/az-monitoring.md
    • Azure network page: src/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
    • Existing Front Door page to extend: src/pentesting-cloud/azure-security/az-services/az-front-door.md
  • Verified the technique was not already covered (no references to FrontDoorWebApplicationFirewallLog or details_matches_s).
  • Fetched Microsoft docs confirming AFD WAF logging details (Category = FrontDoorWebApplicationFirewallLog and details content).

Changes made:

  • Corrected the page header and expanded src/pentesting-cloud/azure-security/az-services/az-front-door.md with a new section:
    • Credential Skimming via WAF Custom Rules + Log Analytics
    • Step-by-step workflow:
      • Enable diagnostics to Log Analytics (FrontDoorWebApplicationFirewallLog)
      • Create a custom rule that matches POST params (username/password) with Action = Log traffic only and low Priority
      • Generate events (curl example)
      • Extract credentials from Log Analytics with KQL filtering by ruleName_s and parsing details_matches_s
    • Stealth considerations (non-terminating evaluation, low priority)
    • Variants (headers and other secrets)
    • Prereqs and impact
    • Why this works on AFD WAF and not Application Gateway WAF
  • Preserved the existing RemoteAddr bypass content and references
  • Updated the References section with:
    • The provided blog (TrustedSec)
    • Microsoft docs for AFD WAF monitoring/logging

No new files were created; the existing Front Door page is the most appropriate place for this content.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 555
  • MD files fixed: 16

All .md files have been checked for proper formatting (headers, includes, etc.).

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.

- Remove searchindex.js (auto-generated file)
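Added defensive example (not part of this PR or the HackTricks page): a scan over rows shaped like the flattened AzureDiagnostics FrontDoor WAF log that flags any rule which has written a credential-looking POST parameter into details_matches_s, and masks those values before the log is retained. Column names (ruleName_s, action_s, details_matches_s) and the matchVariableName/matchVariableValue keys are assumed from that schema; the sample rows are constructed.

```python
import json
import re

# Constructed sample rows shaped like the flattened AzureDiagnostics
# FrontDoorWebApplicationFirewallLog table. Column names (ruleName_s,
# action_s, details_matches_s) and the matchVariableName/matchVariableValue
# keys are assumed from that schema; every value is invented for this example.
SAMPLE_ROWS = [
    {"ruleName_s": "PasswordCapture", "action_s": "Log",
     "details_matches_s": json.dumps([
         {"matchVariableName": "PostParamValue:username", "matchVariableValue": "alice"},
         {"matchVariableName": "PostParamValue:password", "matchVariableValue": "Hunter2!"}])},
    {"ruleName_s": "BlockScanners", "action_s": "Block",
     "details_matches_s": json.dumps([
         {"matchVariableName": "RequestHeader:User-Agent", "matchVariableValue": "sqlmap"}])},
    {"ruleName_s": "DefaultRuleSet-SQLI", "action_s": "Block",
     "details_matches_s": json.dumps([
         {"matchVariableName": "PostParamValue:comment", "matchVariableValue": "' OR 1=1"}])},
]

# Form field names whose values should never be written to a log.
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|secret|token|otp", re.I)

def parse_matches(row):
    """details_matches_s is a JSON string; return it as a list (empty if unparseable)."""
    try:
        return json.loads(row.get("details_matches_s") or "[]")
    except json.JSONDecodeError:
        return []

def credential_hits(row):
    """POST parameters in this row whose name looks like a credential field."""
    return [m for m in parse_matches(row)
            if m.get("matchVariableName", "").startswith("PostParamValue:")
            and SENSITIVE.search(m["matchVariableName"].split(":", 1)[1])]

def find_exposing_rules(rows):
    """Rule name -> number of rows in which that rule wrote a credential field to the log.
    A log-only custom rule showing up here is the skimming pattern described in the PR."""
    counts = {}
    for row in rows:
        if credential_hits(row):
            counts[row["ruleName_s"]] = counts.get(row["ruleName_s"], 0) + 1
    return counts

def redact_row(row):
    """Copy of the row with credential values masked, for use before the log is kept or forwarded."""
    matches = parse_matches(row)
    names = {m["matchVariableName"] for m in credential_hits(row)}
    for m in matches:
        if m.get("matchVariableName") in names:
            m["matchVariableValue"] = "[REDACTED]"
    return {**row, "details_matches_s": json.dumps(matches)}
```

Run find_exposing_rules over an export of the WAF log table to list the rule names worth auditing in the WAF policy itself; rows from rules that never touch a credential field come back from redact_row unchanged.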
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://trustedsec.com/blog/skimming-credentials-with-azures-front-door-waf

Content Categories: Based on the analysis, this content was categorized under "Pentesting Cloud > Azure Security > Azure Front Door (WAF) > Abusing Custom Rules & Log Analytics for Credential Skimming".

Repository Maintenance:

  • MD Files Formatting: 555 files processed (16 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop carlospolop merged commit d4d7511 into master Oct 23, 2025
@carlospolop carlospolop deleted the update_Skimming_Credentials_with_Azure_s_Front_Door_WAF_20251009_182735 branch October 23, 2025 12:05