When a WAF in Detection mode protects nothing: Front Door edge tampering
A privileged config change can flip a Front Door WAF from Prevention to Detection and expose the origin directly. The flip is the incident, recorded before any successful exploit.
The lock is still on the door, but the door is open. That is what happens when an attacker flips your Front Door WAF to log-only and opens the backend origin to direct traffic. The web attacks the WAF used to block now pass straight through.
How the attack works
An attacker with Contributor on the edge resources weakens the protections from the control plane. The WAF policy mode is switched from Prevention to Detection, so rules log but no longer block. A managed rule set is disabled. Then the origin or route config is edited so the backend accepts traffic directly rather than only via Front Door. With the WAF passive and the origin exposed, requests that were previously blocked reach the origin and succeed. The Activity Log records the mode flip, the disabled rule set, and the origin edits before any successful exploitation. In ATT&CK terms this is T1562, Impair Defenses, paired with T1190, Exploit Public-Facing Application.
Why it works
Detection mode looks like protection but blocks nothing. The control-plane change is quiet, and an exposed origin that accepts direct traffic removes the edge entirely. Teams watching only for attack traffic miss the configuration change that enabled it.
How to fix it
The config change is the incident. Restore the WAF to Prevention with the managed rule set from source, re-lock the origin so it accepts only Front Door traffic (via a service tag or NSG rule, and by checking the origin host header), and revoke the role that edited the edge. A single IP block while the WAF stays in Detection blocks nothing. To prevent recurrence, manage WAF and origin config as code with enforced state, alert on WAF mode and rule-set changes, and gate edge edits behind PIM. For impact, remember that Detection mode still logged the would-be blocks: correlate those with the origin's own logs to scope what was actually served.
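As an added example (not code from the original post or from the GraphLattice Range scenario), here is a drift check in the spirit of the config-as-code control above: it compares the WAF policy kept in source with what the control plane reports and flags inbound NSG rules that let clients reach the origin without going through Front Door. The dictionaries follow the shape of the ARM resource JSON, but the exact field names and all sample values are assumptions constructed for this example; AzureFrontDoor.Backend is the real service tag for Front Door's backend address space.

```python
from typing import Dict, List
# Constructed: the desired WAF policy kept in source control. The shape follows
# the ARM resource JSON; the exact field names are an assumption for this example.
DESIRED_WAF = {
    "policySettings": {"mode": "Prevention", "enabledState": "Enabled"},
    "managedRules": {"managedRuleSets": [
        {"ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "2.1"},
        {"ruleSetType": "Microsoft_BotManagerRuleSet", "ruleSetVersion": "1.0"},
    ]},
}
# Constructed: what the control plane reports after the tampering described above.
OBSERVED_WAF = {
    "policySettings": {"mode": "Detection", "enabledState": "Enabled"},
    "managedRules": {"managedRuleSets": [
        {"ruleSetType": "Microsoft_BotManagerRuleSet", "ruleSetVersion": "1.0"},
    ]},
}
# Constructed: inbound NSG rules on the origin subnet; the second is the edit that
# lets clients bypass the edge. AzureFrontDoor.Backend is the service tag for Front Door.
ORIGIN_NSG_RULES = [
    {"name": "AllowFrontDoor", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "AzureFrontDoor.Backend", "destinationPortRange": "443"},
    {"name": "AllowAnyHttps", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
]

def waf_findings(desired: Dict, observed: Dict) -> List[str]:
    """Drift between the source-of-truth WAF policy and the live one."""
    findings = []
    want, have = desired["policySettings"], observed["policySettings"]
    # Detection mode logs but blocks nothing, so a mode change is a finding by itself.
    if have.get("mode") != want.get("mode"):
        findings.append(f"waf mode changed: {want.get('mode')} -> {have.get('mode')}")
    if have.get("enabledState") != "Enabled":
        findings.append("waf policy disabled")
    want_sets = {r["ruleSetType"] for r in desired["managedRules"]["managedRuleSets"]}
    have_sets = {r["ruleSetType"] for r in observed["managedRules"]["managedRuleSets"]}
    findings += [f"managed rule set removed: {s}" for s in sorted(want_sets - have_sets)]
    return findings

def origin_findings(rules: List[Dict]) -> List[str]:
    """Inbound Allow rules that let clients reach the origin without Front Door."""
    return [f"origin exposed by rule {r['name']} from {r['sourceAddressPrefix']}"
            for r in rules if r.get("direction") == "Inbound"
            and r.get("access") == "Allow"
            and r.get("sourceAddressPrefix") != "AzureFrontDoor.Backend"]

if __name__ == "__main__":
    for finding in waf_findings(DESIRED_WAF, OBSERVED_WAF) + origin_findings(ORIGIN_NSG_RULES):
        print("ALERT:", finding)
```

Wire the findings into the same alerting path as the Activity Log rule so a mode flip is paged on, not merely recorded.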
Practice it
We built this as a GraphLattice Range scenario so administrators can rehearse spotting the WAF mode flip and restoring real protection at the edge.