Here are few exercises to practice how to implement API Security with NGINX App-Protect WAF.

laurentpf5/api-security-lab
Latest commit: 0e55608 · Nov 17, 2021
api-security-lab

This repo contains files for customers and partners to practice API Security with NGINX App-Protect WAF.

To demonstrate the capabilities, the F1 Ergast application was chosen. Two instances are deployed as containers and serve requests through NGINX+ acting as an API gateway. An image of NGINX App-Protect is built with the latest attack signature and threat campaign definitions.

The list of labs is inspired by the OWASP API Security project.

Labs

  • Secure Transport
  • HTTP Method enforcements
  • Manage Endpoints
  • Enforce Input Validation with OAS in NGINX App-Protect WAF
  • To be added: Activate Signatures and Protect from Bots

Environment

The demo environment is made of:

  • Two containers running F1 Ergast API App
  • One NGINX+ Container configured with NGINX App-Protect

Instructions
To build and start the environment:
$ docker-compose -f Docker-compose-api-lab.yaml up -d
To check that every component is set up:
$ docker ps
This should leave you with 5 containers running:

  • ergast01
  • ergast02
  • elasticsearch
  • ergastdb
  • approtect

Make sure that you have a host entry similar to the following:
xxx.xxx.xxx.xxx api.apigwdemo.com

Access http://api.apigwdemo:5601/ to view the NGINX App Protect logs.

Secure Transport
The NGINX API Gateway is configured with SSL. You can check the configuration in nginx.conf and test the connection to https://api.apigwdemo.com/api/f1/drivers either with a browser or on the command line:
$ curl -k https://api.apigwdemo.com/api/f1/drivers

HTTP Method enforcements
An Application Security Policy in NGINX App Protect will allow you to block the PUT method. To test it:
Copy the policy file for NGINX App Protect so it can be loaded:
$ cp policies/apisecurity-method.json labpolicy.json
Reload NGINX App Protect with the new configuration:
$ docker exec NGINX_CONTAINER_ID nginx -s reload
Issue the following request:
$ curl -k -X PUT https://api.apigwdemo.com/api/f1/drivers

Manage Endpoints
An Application Security Policy in NGINX App Protect will allow you to restrict which URL endpoints are allowed. To test it:
Copy the policy file for NGINX App Protect so it can be loaded:
$ cp policies/apisecurity-url.json labpolicy.json
Reload NGINX App Protect with the new configuration:
$ docker exec NGINX_CONTAINER_ID nginx -s reload
Issue the following request:
$ curl -k https://api.apigwdemo.com/api/f2/drivers

Enforce Input Validation with OAS
An Application Security Policy in NGINX App Protect will allow you to enforce input validation against an OpenAPI Specification (OAS). To test it:
Copy the policy file for NGINX App Protect so it can be loaded:
$ cp policies/apisecurity-oas.json labpolicy.json
Reload NGINX App Protect with the new configuration:
$ docker exec NGINX_CONTAINER_ID nginx -s reload
Issue the following request:
$ curl -k -X POST -d 'blabla' https://api.apigwdemo.com/api/f1/driver
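A driver script for the three labs above, added here as an example and not part of the repo: it applies each policy, sends the README's probe request, and tells an App Protect block page apart from a plain 4xx/5xx returned by NGINX or the application itself. It assumes the repo root as working directory, that the App Protect container is the one named approtect in docker ps, and that App Protect's default blocking page text is in use.

```shell
#!/bin/sh
# Added example, not part of the lab repo: drive the three labs above and record
# whether each probe was blocked by NGINX App Protect, failed elsewhere, or was allowed.
set -eu

BASE_URL="${BASE_URL:-https://api.apigwdemo.com}"
# Assumption: the App Protect container is the one listed as "approtect" by docker ps.
WAF_CONTAINER="$(docker ps -qf name=approtect 2>/dev/null || true)"

# Copy a lab policy into place and reload NGINX App Protect (the README's two steps).
load_policy() {
  cp "policies/$1" labpolicy.json
  docker exec "$WAF_CONTAINER" nginx -s reload
}

# Classify one response. Assumption: the default App Protect blocking page contains
# "The requested URL was rejected"; without it, a 4xx/5xx came from NGINX or the app.
classify_response() {
  code="$1"; body="$2"
  case "$body" in
    *"The requested URL was rejected"*) echo waf-blocked; return 0 ;;
  esac
  case "$code" in
    4*|5*) echo error ;;
    *) echo allowed ;;
  esac
}

# Send one request and print "<method> <url> -> <status> <classification>".
probe() {
  method="$1"; url="$2"; data="${3:-}"
  tmp="$(mktemp)"
  code="$(curl -k -s -o "$tmp" -w '%{http_code}' -X "$method" ${data:+-d "$data"} "$url")"
  body="$(cat "$tmp")"; rm -f "$tmp"
  printf '%s %s -> %s %s\n' "$method" "$url" "$code" "$(classify_response "$code" "$body")"
}

# The three labs in README order; policy file names and probe requests come from the README.
run_all_labs() {
  load_policy apisecurity-method.json
  probe PUT "$BASE_URL/api/f1/drivers"          # lab expects: waf-blocked
  load_policy apisecurity-url.json
  probe GET "$BASE_URL/api/f2/drivers"          # lab expects: waf-blocked
  load_policy apisecurity-oas.json
  probe POST "$BASE_URL/api/f1/driver" blabla   # lab expects: waf-blocked
  probe GET "$BASE_URL/api/f1/drivers"          # control request: allowed
}

case "${1:-}" in run) run_all_labs ;; esac
```

Run it as `sh run_lab.sh run` from the repo root; with no argument it only defines the functions.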
