Step 14 - Protect Arcadia API

Context

As a reminder, in Steps 9 and 10, we deployed NAP in CentOS.

  1. Step 9 manually

  2. Step 10 via CI/CD pipelines

The Arcadia web application has several APIs in order to:

  1. Buy stocks

  2. Sell stocks

  3. Transfer money to friends

In order to protect these APIs, we will push (or pull) an OpenAPI specification file into NAP so that it can build the WAF policy from this file.

You can find the Arcadia Application OAS3 file here: https://app.swaggerhub.com/apis/F5EMEASSA/Arcadia-OAS3/2.0.1-schema

[Screenshot: swaggerhub.png]

Note

As you can see, this API has 4 URLs, and a JSON schema has been defined so that every JSON parameter is known.
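To make concrete what "every JSON parameter is known" buys you once a WAF builds its policy from the OAS3 file, here is an added example (not code from the lab or from F5, and not NAP's own engine): a minimal, hand-written JSON Schema checker applied to a request body. The schema is a constructed stand-in for one request in the OAS3 document; the field names are hypothetical, not the real Arcadia schema.

```python
"""Added example: minimal JSON Schema enforcement of the kind a WAF derives
from an OAS3 file. The schema and field names below are constructed for
illustration and are NOT the real Arcadia schema."""
import json

# Constructed stand-in for one request schema (hypothetical field names).
BUY_STOCKS_SCHEMA = {
    "type": "object",
    "required": ["company", "qty"],
    "additionalProperties": False,          # unknown parameters are a violation
    "properties": {
        "company": {"type": "string", "maxLength": 10},
        "qty": {"type": "integer", "minimum": 1},
        "action": {"type": "string", "enum": ["buy"]},
    },
}

JSON_TYPES = {
    "string": str, "integer": int, "number": (int, float),
    "boolean": bool, "object": dict, "array": list,
}


def validate(value, schema, path="$"):
    """Return a list of violations; an empty list means the value conforms."""
    problems = []
    expected = schema.get("type")
    if expected:
        # bool is a subclass of int in Python; JSON Schema keeps them distinct
        if isinstance(value, bool) and expected in ("integer", "number"):
            return [f"{path}: expected {expected}, got boolean"]
        if not isinstance(value, JSON_TYPES[expected]):
            return [f"{path}: expected {expected}, got {type(value).__name__}"]
    if "enum" in schema and value not in schema["enum"]:
        problems.append(f"{path}: value not in enum {schema['enum']}")
    if isinstance(value, str) and "maxLength" in schema and len(value) > schema["maxLength"]:
        problems.append(f"{path}: length {len(value)} exceeds maxLength {schema['maxLength']}")
    if isinstance(value, (int, float)) and "minimum" in schema and value < schema["minimum"]:
        problems.append(f"{path}: {value} below minimum {schema['minimum']}")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                problems.append(f"{path}: missing required parameter '{name}'")
        for name, sub in value.items():
            if name in props:
                problems.extend(validate(sub, props[name], f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                problems.append(f"{path}: unknown parameter '{name}'")
    return problems


def check_body(raw):
    """Validate a raw request body against the constructed schema."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as e:
        return [f"$: malformed JSON ({e.msg})"]
    return validate(body, BUY_STOCKS_SCHEMA)


if __name__ == "__main__":
    for sample in ('{"company": "MSFT", "qty": 5}',
                   '{"company": "MSFT", "qty": 5, "debug": true}',
                   '{"company": "MSFT", "qty": "5"}'):
        print(sample, "->", check_body(sample) or "OK")
```

Note what the schema check does and does not give you: an unknown parameter, a wrong type or an out-of-range value is rejected before the application sees it, but a string that is well-formed under the schema is still a string, so attack-signature checks (which NAP layers on top of the schema) remain necessary.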

Steps for the lab

  1. SSH (or WebSSH) to App Protect in CentOS

  2. Go to /etc/nginx: cd /etc/nginx

  3. Run ls and check the files created during the previous CI/CD pipeline job

    [centos@ip-10-1-1-7 nginx]$ ls
    app-protect-log-policy.json       conf.d          koi-utf  mime.types  NginxApiSecurityPolicy.json  nginx.conf.orig          NginxStrictPolicy.json  uwsgi_params
    app-protect-security-policy.json  fastcgi_params  koi-win  modules     nginx.conf                   NginxDefaultPolicy.json  scgi_params             win-utf
    

    Note

    You can notice that a NAP policy named NginxApiSecurityPolicy.json exists. This is a template for API security. We will use it.

  4. Edit the policy (sudo vi NginxApiSecurityPolicy.json) and add the link to the OAS file for the Arcadia API, which resides in SwaggerHub. Don’t forget the {}

    {
        "policy" : {
            "name" : "app_protect_api_security_policy",
            "description" : "NGINX App Protect API Security Policy. The policy is intended to be used with an OpenAPI file",
            "template": {
                "name": "POLICY_TEMPLATE_NGINX_BASE"
            },

            "open-api-files" : [
                {
                    "link": "https://api.swaggerhub.com/apis/F5EMEASSA/Arcadia-OAS3/2.0.1-schema/swagger.json"
                }
            ],

            "blocking-settings" : {
                "violations" : [
                    {
    ...
    
  5. Now edit nginx.conf (sudo vi nginx.conf) and modify it as below, so that it refers to the WAF policy edited in the previous step

    user  nginx;
    worker_processes  auto;

    error_log  /var/log/nginx/error.log notice;
    pid        /var/run/nginx.pid;

    # Load the NGINX App Protect (NAP) module
    load_module modules/ngx_http_app_protect_module.so;

    events {
        worker_connections 1024;
    }

    http {
        include          /etc/nginx/mime.types;
        default_type  application/octet-stream;
        sendfile        on;
        keepalive_timeout  65;

        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx/access.log  main;

        server {
            listen 80;
            server_name localhost;
            proxy_http_version 1.1;

            # Enable NAP on this server and point it at the API security policy edited in step 4
            app_protect_enable on;
            app_protect_policy_file "/etc/nginx/NginxApiSecurityPolicy.json";
            # Ship security events to the remote syslog collector
            app_protect_security_log_enable on;
            app_protect_security_log "/etc/nginx/log-default.json" syslog:server=10.1.20.6:5144;

            location / {
                resolver 10.1.1.9;
                resolver_timeout 5s;
                client_max_body_size 0;
                default_type text/html;
                # Forward the (already inspected) request to the Arcadia backend
                proxy_pass http://k8s.arcadia-finance.io:30274$request_uri;
            }
        }
    }
    
  6. Now restart the NGINX service: sudo systemctl restart nginx
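Steps 4 to 6 touch two files that have to agree with each other before the restart. The following added example (not part of the lab, not F5 code) is a small pre-flight check of the policy file and nginx.conf: it confirms that the policy has a top-level "policy" object (the {} the step warns about), that open-api-files carries an https link to a spec document, and that nginx.conf loads the NAP module, enables it and references the same policy path. The sample contents are constructed copies of the lab's values embedded inline; in practice you would read the two files from /etc/nginx.

```python
"""Added example: pre-flight consistency check for the NAP API security
policy and nginx.conf before `sudo systemctl restart nginx`.
Sample contents below are constructed copies of the lab's values."""
import json
import re
from urllib.parse import urlparse

POLICY_PATH = "/etc/nginx/NginxApiSecurityPolicy.json"

# Constructed, trimmed copy of the lab's policy file (no blocking-settings shown)
POLICY_OK = """{
  "policy": {
    "name": "app_protect_api_security_policy",
    "template": {"name": "POLICY_TEMPLATE_NGINX_BASE"},
    "open-api-files": [
      {"link": "https://api.swaggerhub.com/apis/F5EMEASSA/Arcadia-OAS3/2.0.1-schema/swagger.json"}
    ]
  }
}"""

# Constructed, trimmed copy of the lab's nginx.conf (only NAP-relevant lines)
CONF_OK = """load_module modules/ngx_http_app_protect_module.so;
http {
    server {
        listen 80;
        app_protect_enable on;
        app_protect_policy_file "/etc/nginx/NginxApiSecurityPolicy.json";
        app_protect_security_log_enable on;
    }
}"""


def check_policy(policy_text):
    """Return a list of findings about the policy JSON (empty == looks good)."""
    findings = []
    try:
        doc = json.loads(policy_text)
    except json.JSONDecodeError as e:
        return [f"policy: not valid JSON at line {e.lineno}: {e.msg}"]
    policy = doc.get("policy") if isinstance(doc, dict) else None
    if not isinstance(policy, dict):
        return ["policy: top-level 'policy' object missing (did you forget the {}?)"]
    links = [f.get("link") for f in policy.get("open-api-files", [])]
    if not links:
        findings.append("policy: 'open-api-files' has no entries, NAP will not learn the API")
    for link in links:
        u = urlparse(link or "")
        if u.scheme != "https":   # the spec is policy input; do not fetch it in clear
            findings.append(f"policy: OAS link should use https: {link!r}")
        if not u.path.endswith((".json", ".yaml", ".yml")):
            findings.append(f"policy: OAS link does not point to a spec document: {link!r}")
    return findings


# Directives we care about; one per line, terminated by ';'
DIRECTIVE = re.compile(r'^\s*(app_protect_enable|app_protect_policy_file|load_module)\s+(.+?);', re.M)


def check_nginx_conf(conf_text, expected_policy_path=POLICY_PATH):
    """Return a list of findings about nginx.conf (empty == looks good)."""
    findings = []
    seen = {}
    for name, value in DIRECTIVE.findall(conf_text):
        seen.setdefault(name, []).append(value.strip().strip('"'))
    if not any("ngx_http_app_protect_module" in v for v in seen.get("load_module", [])):
        findings.append("nginx.conf: load_module for ngx_http_app_protect_module.so is missing")
    if "on" not in seen.get("app_protect_enable", []):
        findings.append("nginx.conf: app_protect_enable on is missing")
    if expected_policy_path not in seen.get("app_protect_policy_file", []):
        findings.append(f"nginx.conf: app_protect_policy_file does not reference {expected_policy_path}")
    return findings


def preflight(policy_text, conf_text, policy_path=POLICY_PATH):
    """Combined check; an empty list means it is safe to run nginx -t and restart."""
    return check_policy(policy_text) + check_nginx_conf(conf_text, policy_path)


if __name__ == "__main__":
    print(preflight(POLICY_OK, CONF_OK) or "pre-flight OK, run: sudo nginx -t && sudo systemctl restart nginx")
```

The check is deliberately conservative: it does not parse nginx.conf fully, it only looks for the three directives the lab adds, which is enough to catch the common mistakes (module not loaded, policy path mistyped, the {} wrapper dropped from the JSON). Run sudo nginx -t afterwards; that remains the authoritative syntax check.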

Test your API

  1. RDP to the Windows Jumphost with the credentials user:user

  2. Open Postman

  3. Open the Arcadia API collection

    [Screenshot: collec.png]

  4. Send your first API call with Last Transactions. You should see the last transactions. This is just a GET.

    [Screenshot: last_trans.png]

  5. Now send a POST with POST Buy Stocks. Check the request content (headers, body) and compare it with the OAS3 file in SwaggerHub.

    [Screenshot: buy.png]

  6. Last test: send an attack with POST Buy Stocks XSS attack. Your request will be blocked.

    [Screenshot: buy_attack.png]

  7. Check the violation in ELK.

  8. You can run more tests with the other API calls
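For step 7, the events you look for in ELK are the NAP security-log lines that nginx.conf ships to the syslog server. The added example below (not part of the lab, not F5 code) parses one such event and summarises blocked requests per URI and method, which is the view you want when you send the remaining API calls in step 8. The sample line is constructed in the comma-separated key="value" layout of the default NAP log format; its support_id, sig_ids and the /api/buy_stocks path are placeholders, not real Arcadia values.

```python
"""Added example: parse NAP security-log events (as forwarded to ELK via
syslog) and triage the blocked ones. The sample event is constructed;
IDs and the URI are placeholders, not real Arcadia values."""
import re

# Constructed sample event in key="value",... layout (placeholder IDs/URI)
SAMPLE_EVENT = (
    'attack_type="Cross Site Scripting (XSS),Abuse of Functionality",'
    'date_time="2021-03-01 10:20:30",dest_port="80",ip_client="10.1.1.8",'
    'method="POST",policy_name="app_protect_api_security_policy",'
    'request_status="blocked",response_code="0",severity="Critical",'
    'sig_ids="000000000,000000001",support_id="0000000000000000000",'
    'uri="/api/buy_stocks",violation_rating="5",vs_name="localhost:80",'
    'outcome="REJECTED",outcome_reason="SECURITY_WAF_VIOLATION",'
    'violations="VIOL_ATTACK_SIGNATURE,VIOL_PARAMETER_VALUE_METACHAR"'
)

PAIR = re.compile(r'(\w+)="([^"]*)"')          # values are double-quoted, may contain commas
LIST_FIELDS = ("attack_type", "sig_ids", "violations")  # comma-separated inside the quotes


def parse_nap_event(line):
    """Turn one log line into a dict; list-like fields become lists, N/A is dropped."""
    rec = dict(PAIR.findall(line))
    for field in LIST_FIELDS:
        if field in rec:
            rec[field] = [x for x in rec[field].split(",") if x and x != "N/A"]
    return rec


def is_blocked(rec):
    """True when NAP rejected the request (either field is enough to tell)."""
    return rec.get("request_status") == "blocked" or rec.get("outcome") == "REJECTED"


def triage(lines):
    """Blocked events grouped by (method, uri) with violations and support IDs."""
    summary = {}
    for line in lines:
        rec = parse_nap_event(line)
        if not is_blocked(rec):
            continue
        key = (rec.get("method"), rec.get("uri"))
        entry = summary.setdefault(key, {"count": 0, "violations": set(), "support_ids": []})
        entry["count"] += 1
        entry["violations"].update(rec.get("violations", []))
        entry["support_ids"].append(rec.get("support_id"))   # what you search for in ELK
    return summary


if __name__ == "__main__":
    for key, entry in triage([SAMPLE_EVENT]).items():
        print(key, entry["count"], sorted(entry["violations"]), entry["support_ids"])
```

The support_id is the value to carry over from the Postman response page into the ELK search; the violations list tells you whether the block came from a signature match, a schema violation or both, which is the distinction step 5 and step 6 are meant to show.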