Skimming Credentials with Azure's Front Door WAF
ID: 63505863-40b9-5d80-b3a9-de10a84a68a4
STIX ID: report--63505863-40b9-5d80-b3a9-de10a84a68a4
Feed Name: TrustedSec blog
This report demonstrates a configuration abuse technique against Azure Front Door WAF. By creating a low-priority custom rule that matches POST parameters (e.g., 'username' and 'password') and setting it to 'Log traffic only', an attacker or malicious admin with rule-edit and Log Analytics read access can capture plaintext credentials in WAF logs. The write-up details prerequisites, step-by-step configuration, Log Analytics queries to retrieve captured values, and remediation recommendations such as sensitive data masking and strict access controls.
