Here are a few exercises to practice implementing API security with NGINX App Protect WAF.

Overview

api-security-lab

This repo contains files for customers and partners to practice API security with NGINX App Protect WAF.

To demonstrate the capabilities, the F1 Ergast application was chosen. Two instances are deployed as containers and serve requests through NGINX+ acting as an API gateway. An image of NGINX App Protect is built with the latest attack signature and threat campaign definitions.

The list of labs is inspired by OWASP API Security.

Labs

  • Secure Transport
  • HTTP Method enforcements
  • Manage Endpoints
  • Enforce Input Validation with OAS in NGINX App Protect WAF
  • (To be added) Activate Signatures and Protect from Bots

Environment

The demo environment consists of:

  • Two containers running F1 Ergast API App
  • One NGINX+ Container configured with NGINX App-Protect

Instructions

To build and start the environment:
$ docker-compose -f Docker-compose-api-lab.yaml up -d

To check that every component is set up:
$ docker ps

This should leave you with 5 containers running:

  • ergast01
  • ergast02
  • elasticsearch
  • ergastdb
  • approtect

Make sure that you have a hosts entry similar to the following:
xxx.xxx.xxx.xxx api.apigwdemo.com

Open http://api.apigwdemo.com:5601/ to view the logs of NGINX App Protect.

Secure Transport

The NGINX API gateway is configured with SSL. You can check the configuration in nginx.conf and test the connection to https://api.apigwdemo.com/api/f1/drivers either in the browser or on the command line:
$ curl -k https://api.apigwdemo.com/api/f1/drivers

Note that -k tells curl to skip certificate verification; it is acceptable for a lab certificate but should not be used when testing a production gateway, where a failed verification is exactly the finding you want to see.

HTTP Method enforcements

An Application Security Policy in NGINX App Protect allows you to block the PUT method. To test it:

  • Copy the policy file so that NGINX App Protect loads it:
    $ cp policies/apisecurity-method.json labpolicy.json
  • Reload NGINX App Protect with the new configuration:
    $ docker exec NGINX_CONTAINER_ID nginx -s reload
  • Issue the following request:
    $ curl -k -X PUT https://api.apigwdemo.com/api/f1/drivers

Manage Endpoints

An Application Security Policy in NGINX App Protect allows you to restrict which endpoints (URLs) are allowed, so that a request to a path that is not part of the API is blocked. To test it:

  • Copy the policy file so that NGINX App Protect loads it:
    $ cp policies/apisecurity-url.json labpolicy.json
  • Reload NGINX App Protect with the new configuration:
    $ docker exec NGINX_CONTAINER_ID nginx -s reload
  • Issue the following request:
    $ curl -k https://api.apigwdemo.com/api/f2/drivers

Enforce Input Validation with OAS

An Application Security Policy in NGINX App Protect allows you to validate request input against the OpenAPI Specification (OAS) of the API, so that a body that does not conform to the schema is blocked. To test it:

  • Copy the policy file so that NGINX App Protect loads it:
    $ cp policies/apisecurity-oas.json labpolicy.json
  • Reload NGINX App Protect with the new configuration:
    $ docker exec NGINX_CONTAINER_ID nginx -s reload
  • Issue the following request:
    $ curl -k -X POST -d 'blabla' https://api.apigwdemo.com/api/f1/driver
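To make clear what the three policies above are checking, here is a small Python simulation of the three controls (method enforcement, endpoint allow-listing and OAS-based input validation) applied to the same requests the lab sends with curl. This is an added illustration and not code from this repo, nor App Protect's engine or its policy format; the allowed methods, the endpoint list and the driver schema are constructed for the example, and the validator covers only the small JSON Schema subset the example needs.

```python
"""Simulation of the three controls exercised in the labs (added example)."""
import json
import re

# Constructed policy values, loosely modelled on what the lab policies enforce.
ALLOWED_METHODS = {"GET", "POST"}                      # PUT is not allowed (lab 2)
ALLOWED_URLS = {"/api/f1/drivers", "/api/f1/driver"}   # /api/f2/... is unknown (lab 3)

# Constructed OpenAPI-style schema for the body of POST /api/f1/driver (lab 4).
DRIVER_SCHEMA = {
    "type": "object",
    "required": ["driverId", "givenName", "familyName"],
    "properties": {
        "driverId": {"type": "string", "pattern": r"^[a-z_]{1,32}$"},
        "givenName": {"type": "string", "maxLength": 64},
        "familyName": {"type": "string", "maxLength": 64},
        "permanentNumber": {"type": "integer", "minimum": 1, "maximum": 99},
    },
    "additionalProperties": False,
}
SCHEMAS = {("POST", "/api/f1/driver"): DRIVER_SCHEMA}
TYPE_MAP = {"object": dict, "string": str, "integer": int, "boolean": bool, "array": list}


def validate(value, schema, path="$"):
    """Return a list of violations of `value` against a small JSON Schema subset."""
    errors = []
    expected = schema.get("type")
    if expected:
        # bool is a subclass of int in Python, so exclude it for "integer".
        ok = isinstance(value, TYPE_MAP[expected]) and not (
            expected == "integer" and isinstance(value, bool))
        if not ok:
            return [f"{path}: expected {expected}"]
    if expected == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required property missing")
        for name, sub in value.items():
            if name in props:
                errors.extend(validate(sub, props[name], f"{path}.{name}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{name}: property not declared in the schema")
    elif expected == "string":
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']} characters")
        if "pattern" in schema and not re.search(schema["pattern"], value):
            errors.append(f"{path}: does not match pattern {schema['pattern']}")
    elif expected == "integer":
        if "minimum" in schema and value < schema["minimum"]:
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if "maximum" in schema and value > schema["maximum"]:
            errors.append(f"{path}: above maximum {schema['maximum']}")
    return errors


def inspect(method, path, body=None):
    """Apply the three controls in order and return ("ALLOW" | "BLOCK", reason)."""
    method = method.upper()
    if method not in ALLOWED_METHODS:                       # lab 2: method enforcement
        return "BLOCK", f"method {method} is not allowed"
    if path not in ALLOWED_URLS:                            # lab 3: endpoint allow-list
        return "BLOCK", f"URL {path} is not in the allowed endpoint list"
    schema = SCHEMAS.get((method, path))                    # lab 4: OAS input validation
    if schema is None:
        return "ALLOW", "no schema bound to this operation"
    try:
        parsed = json.loads(body or "")
    except json.JSONDecodeError:
        return "BLOCK", "request body is not valid JSON"
    violations = validate(parsed, schema)
    if violations:
        return "BLOCK", "; ".join(violations)
    return "ALLOW", "body conforms to the OAS schema"


if __name__ == "__main__":
    # Constructed requests mirroring the curl commands used in the labs.
    samples = [
        ("GET", "/api/f1/drivers", None),
        ("PUT", "/api/f1/drivers", None),
        ("GET", "/api/f2/drivers", None),
        ("POST", "/api/f1/driver", "blabla"),
        ("POST", "/api/f1/driver",
         '{"driverId": "hamilton", "givenName": "Lewis", "familyName": "Hamilton", "permanentNumber": 44}'),
    ]
    for m, p, b in samples:
        decision, reason = inspect(m, p, b)
        print(f"{m:4} {p:17} -> {decision}: {reason}")
```

The order of the checks matters: cheap structural controls (method, URL) run before the body is parsed, so malformed or oversized bodies never reach the schema validator on an operation that is not allowed anyway. The `'blabla'` body from the lab is rejected before any schema comparison because it is not JSON at all; a well-formed body with an undeclared property or a wrong type is rejected with a per-field reason, which is the kind of detail you should expect to find in the App Protect logs when the OAS policy blocks a request.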
