Challenge 4 - Task 5 of 6
Configure Web Application Firewall to Protect Web Server Against XSS Attack
Scenario
You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.
To ensure that the configured WAF blocks the XSS attack, run the following script:[http:// /index.html? ) To complete this deployment, you have to perform the following tasks in the environment provisioned for you: Configure a Virtual Cloud Network (VCN) Create a Compute Instance and install the Web Server Create a Load Balancer and update Security List Create a WAF policy Configure Protection Rules against XSS attacks Verify the created environment against XSS attacks Note:You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1. Complete the following task in the provisioned OCI environment: 1. Create a Protection Rule with nameWAF-PBT-XSS-Protectionagainst XSS attack. for protecting web server 2. Create a New Rule Action with nameWAF-PBT-XSS-Actionwhere http response code will be 503 (Service Unavailable). SOLUTION: From the navigation menu, select Identity & Security. Navigate to Web Application Firewall and click Policies under it. In the left navigation pane, under List Scope, select the working compartment from the drop-down menu. Click the IAD-SP-PBT-WAF-01_99233424-lab.user01 WAF policy to add a protection rule. On the policy details page, click Protections under Policy. In the Protection section on the console, click Manage request protection rules. Click Add Request Protection Rule. In the Add protection rule dialog box, enter the following details: a) Name: WAF-PBT-XSS-Protection b) Conditions: Do not add any condition. c) Under Rule action - Action name: Select Create New Action from the drop-down menu. In the Add Action dialog box, enter the following details: a) Name: WAF-PBT-XSS-Action b) Type: Return HTTP Response c) Response code: Select ''503 Service unavailable'' from the drop-down menu. d) Response page body: Type ''Service Unavailable: Web Server is secured against XSS attacks.'' e) Click Add action. Under Protection Capabilities, click Choose protection capabilities. In the Choose protection capabilities dialog box, complete the following: a) Filter by tags: Type ''xss'' and press Enter. b) Filter by version: Latest c) Protection list: Check all protections. Select the check box in the header to add all. d) Click Choose protection capabilities. e) Review and click Add request protection rule. f) Click Save Changes in the Manage Request Protection Rules dialog box. The rule you created appears in the list. The WAF policy will update and get back to Active state.
Which Virtual Cloud Network (VCN) configuration within a region will allow successful local peering using a local peering gateway? (Choose the best Answer.)
Challenge 4 - Task 4 of 6
Configure Web Application Firewall to Protect Web Server Against XSS Attack
Scenario
You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.
To ensure that the configured WAF blocks the XSS attack, run the following script:[http:// /index.html? ) To complete this deployment, you have to perform the following tasks in the environment provisioned for you: Configure a Virtual Cloud Network (VCN) Create a Compute Instance and install the Web Server Create a Load Balancer and update Security List Create a WAF policy Configure Protection Rules against XSS attacks Verify the created environment against XSS attacks Note:You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1. Complete the following task in the provisioned OCI environment: Create a WAF policy with the nameIAD-SP-PBT-WAF-01_99233424-lab.user01 Eg: IAD-SP-PBT-WAF-01_99232403-lab.user02 SOLUTION: From the navigation menu, select Identity & Security. Navigate to Web Application Firewall and click Policies under it. From the left navigation pane, under List Scope, select <your working compartment> from the drop-down menu. Click Create WAF Policy. The Create WAF Policy dialogue box appears. Creating a WAF policy consists of the following sections accessible from the left-side navigation: a) Basic information b) Access control c) Rate limiting d) Protections e) Select enforcement point f) Review and create. In the Basic Information section: a) Name: IAD-SP-PBT-WAF-01_99233424-lab.user01 b) WAF Policy Compartment: Select your working compartment c) Action: Keep the default preconfigured actions; do not edit. d) Click the Select enforcement point section accessible from the left-side navigation. Note: You will configure the other section later in this practice. You will directly configure the Enforcement point. In the Select enforcement point section:a) Add Firewalls: Select a load balancer IAD-SP-PBT-LB-01 in your current compartment from the list. b) Click Next for Review and Create. Under the Review and Create Section:a) Verify the enforcement point added in the previous step. Click Create WAF Policy. The Create WAF Policy dialogue box closes, and you are returned to the WAF Policy page. The WAF policy you created is listed.
Challenge 3 - Task 4 of 4
Set Up a Bastion Host to Access the Compute Instance in a Private Subnet Scenario
A compute instance is provisioned in a private subnet that is not accessible through the Internet. To access the compute instance resource in a private subnet, you must provide a time-bound SSH session without deploying and maintaining a public subnet and a jump server, which eliminates the hassle and potential attack surface from remote access.
To complete this deployment, you have to perform the following tasks in the environment provisioned for you:
* Configure a Virtual Cloud Network (VCN) and a Private Subnet.
* Provision a Compute Instance in the private subnet and enable Bastion Plugin.
* Create a Bastion and Bastion session.
* Connect to a compute instance using Managed SSH session.
Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1
Complete the following tasks in the provisioned OCI environment:
Connect to a compute instance using a Managed SSH Bastion session from your local machine terminal or Cloud shell.
Solutions:
From the navigation menu, select Identity & Security and then click Bastion.
In the left navigation pane, select your working compartment under List Scope from the drop-down menu.
Click the SPPBTBASTION992831403labuser13 bastion.
Click the three dots next to the PBT-1-Session-01 managed SSH session to open the Actions menu and click the View SSH command.
Click Copy next to the SSH command and Close. (Copy the SSH command to a Notepad file)
Use a Notepad text editor to replace
a. For example:
perl
ssh -i ssh-key-2023-08-02.key -o ProxyCommand='ssh -i ssh-key-2023-08-02.key -w %h:%p -p 22 ocid1.bastionsession.oc1.iad.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@host.bastion.us-ashburn-1.oci.oraclecloud.com' -p 22 opc@10.0.1.162
Click the Cloud Shell icon at the right of the OCI console header.
Verify that you are in the home directory. a.cd ~
Upload the private key to the cloud shell you downloaded to your workstation earlier. Reference to upload file to cloud shell.
The file will be named similarly to ssh-key-<date>.key.
Locate and change the permission of the private key by executing the following commands: a.lsb.chmod 400
Run the SSH command to connect the compute instance in the private subnet. a. For example:
perl
ssh -i ssh-key-2023-08-02.key -o ProxyCommand='ssh -i ssh-key-2023-08-02.key -w %h:%p -p 22 ocid1.bastionsession.oc1.iad.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@host.bastion.us-ashburn-1.oci.oraclecloud.com' -p 22 opc@10.0.1.162
Note: Enter yes in response to ''Are you sure you want to continue connecting (yes/no)?'' 13. Verify the connected instance's Private IP address. a.ifconfig
Take note of the inet/IP address for the ens3 interface in the output and compare it to the instance Private IP address created in this lab, i.e. PBT-BAS-VM-01.
Congratulations! You have successfully created an instance, enabled Bastion, and created a Bastion and session to connect the resources to a private endpoint.
Challenge 4 - Task 4 of 6
Configure Web Application Firewall to Protect Web Server Against XSS Attack
Scenario
You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.
To ensure that the configured WAF blocks the XSS attack, run the following script:[http:// /index.html? ) To complete this deployment, you have to perform the following tasks in the environment provisioned for you: Configure a Virtual Cloud Network (VCN) Create a Compute Instance and install the Web Server Create a Load Balancer and update Security List Create a WAF policy Configure Protection Rules against XSS attacks Verify the created environment against XSS attacks Note:You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1. Complete the following task in the provisioned OCI environment: Create a WAF policy with the nameIAD-SP-PBT-WAF-01_99233424-lab.user01 Eg: IAD-SP-PBT-WAF-01_99232403-lab.user02 SOLUTION: From the navigation menu, select Identity & Security. Navigate to Web Application Firewall and click Policies under it. From the left navigation pane, under List Scope, select <your working compartment> from the drop-down menu. Click Create WAF Policy. The Create WAF Policy dialogue box appears. Creating a WAF policy consists of the following sections accessible from the left-side navigation: a) Basic information b) Access control c) Rate limiting d) Protections e) Select enforcement point f) Review and create. In the Basic Information section: a) Name: IAD-SP-PBT-WAF-01_99233424-lab.user01 b) WAF Policy Compartment: Select your working compartment c) Action: Keep the default preconfigured actions; do not edit. d) Click the Select enforcement point section accessible from the left-side navigation. Note: You will configure the other section later in this practice. You will directly configure the Enforcement point. In the Select enforcement point section:a) Add Firewalls: Select a load balancer IAD-SP-PBT-LB-01 in your current compartment from the list. b) Click Next for Review and Create. Under the Review and Create Section:a) Verify the enforcement point added in the previous step. Click Create WAF Policy. The Create WAF Policy dialogue box closes, and you are returned to the WAF Policy page. The WAF policy you created is listed.
Currently there are no comments in this discussion, be the first to comment!