Challenge 3 — The Secret Path
Difficulty: Medium — Skills: URI analysis, attack pattern correlation
Scenario
An attacker from IP 203.0.113.77 has been probing your application with multiple attack types — SQL injection, XSS, command injection, path traversal, and remote file inclusion. However, all attacks are targeting a single specific API endpoint.
Your mission: Identify the URI path being targeted.
Prerequisites
- Lab infrastructure deployed
- WAF logs flowing to Log Analytics
Generate Challenge Traffic
Script: challenge-traffic.ps1
Wait 10-15 minutes for logs to appear in Log Analytics before investigating.
Investigation
Filter WAF logs by the attacker's IP and analyze which URI path is being targeted.
Hint 1 — Filter by attacker IP
Use where clientIp_s == "203.0.113.77" to isolate the attacker's traffic.
Hint 2 — Extract the path
Use extend Path = tostring(split(requestUri_s, "?")[0]) to separate path from query string.
Hint 3 — KQL Query
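One way to combine the two hints into a single investigation query, as an added example rather than the lab's own query. It assumes the WAF logs land in the AzureDiagnostics table under the ApplicationGatewayFirewallLog category and that a ruleGroup_s column is populated; only clientIp_s and requestUri_s come from the hints above.

```kql
// Added example, not the lab's own query.
// Assumptions: table AzureDiagnostics, Category "ApplicationGatewayFirewallLog",
// and the ruleGroup_s column. Adjust these to match your workspace.
AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog"        // assumption
| where clientIp_s == "203.0.113.77"                       // Hint 1: attacker traffic only
| extend Path = tostring(split(requestUri_s, "?")[0])      // Hint 2: drop the query string
| summarize
    Hits        = count(),
    AttackTypes = dcount(ruleGroup_s),                     // distinct rule groups that fired
    RuleGroups  = make_set(ruleGroup_s),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
    by Path
| order by AttackTypes desc, Hits desc
```

The targeted endpoint is the path where several distinct rule groups (SQLi, XSS, command injection, traversal, RFI) all fire from the same source, so sort on AttackTypes before raw hit count.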
Submit Your Answer
What is the full URI path being targeted? (Include leading /)