Skip to content

cis_6_10 — Web Application Firewall (WAF) is enabled for Application Gateway

Summary

Severity: High · Pillar: Network · Chain role: ENABLER

Description

Application Gateway without WAF enabled allows OWASP Top 10 attacks such as SQL injection and cross-site scripting to reach backend web applications.

Mapping

Framework Control / Reference
NIST 800-53 SC-7
NIST 800-207
CIS Azure 6.10
MITRE ATT&CK Technique T1190
MITRE ATT&CK Tactic Initial Access
Zero-Trust Tenet
Framework tags cis-azure-2.0, nist-800-53

Source

Rule defined at policies/azure/cis/networking/cis_6_10.rego.

View on GitHub