Lab 2: API Inventory

Scenario

There was an update to the Customer Lookup controller: a new endpoint, “getbyheroname”, was added, allowing the lookup of a customer’s secret identity. However, this endpoint was not intended for release and was not approved for production.

We need to ensure that unapproved endpoints cannot be consumed, both now and in the future.

Expected Lab Time: 15 minutes

Note

This lab uses a pre-built shared API Definition. Refer to Lab 2 Advanced for the additional steps on how to download and upload a swagger file and create an API Definition from the newly created OpenAPI file.

Task 1: Simulate Allowed Access to a Shadow API

  1. Using another browser tab, navigate to the following URL.

    http://<namespace>.lab-sec.f5demos.com/swagger

    ../_images/shared-swagger-intro.png
  2. In the Demo Bank API app, navigate to the /api/customerlookup/getbyheroname endpoint, expand it, and click Try it out.

    ../_images/lab2-swagger-try.png

    Note

    The ‘getbyheroname’ endpoint is a shadow API endpoint that is not approved for use. A shadow API is an undocumented or unintended API endpoint that exists alongside the officially supported APIs; because it is absent from the API definition it is typically neither managed nor protected, which poses security and operational risks.

  3. Enter ‘Iron Man’ in the “heroname” field, then click Execute.

    ../_images/lab2-swagger-execute.png
  4. Review the response body. It returns the customer information, showing that the unapproved endpoint is reachable.

    ../_images/lab2-swagger-response.png

    Note

    In the next steps, we will address this issue by blocking access to the shadow API endpoints.

Task 2: API Definition

In this task’s series of steps you will create an API Definition from a shared OpenAPI object.

  1. In the left-hand navigation of the Web App & API Protection service, under Manage, mouse over API Management and click API Definition in the slide-out.

    ../_images/lab2-def-apidef.png
  2. In the resulting API Definition window, click Add API Definition in the main window area, as shown.

    ../_images/lab2-def-add.png
  3. In the resulting New API Definition window, input demobank-api-def for the Name under the Metadata section.

  4. In the OpenAPI Specification Files section, click Add Item.

    ../_images/lab2-def-additem.png
  5. Select a Shared OpenAPI file. It will be in the format shared/api-lab-swagger/v1-25-01-31.

    ../_images/lab2-def-select-shared.png
  6. Once selected, click Save and Exit in the bottom-right corner.

    ../_images/lab2-def-save-shared.png

Task 3: Enabling API Inventory

In this task’s series of steps you will enable the API Inventory validation feature on the previously built Load Balancer.

  1. In the left-hand navigation of the Web App & API Protection service, click on Load Balancers > HTTP Load Balancers under the Manage section.

  2. In the resulting Load Balancers window, click the three dots in the Action column and then select Manage Configuration.

    ../_images/shared-103.png
  3. Click Edit Configuration in the top-right corner.

    ../_images/shared-104.png
  4. Click API Protection in the left-hand navigation.

  5. In the API Protection section, click the drop-down arrow next to API Definition and select Enable.

    ../_images/lab2-lb-def-enable.png
  6. In the second API Definition section, click the drop-down arrow and select the pre-created API Definition <namespace>/demobank-api-def.

    ../_images/lab2-lb-def-select.png
  7. Under Validation, select API Inventory from the drop-down, then click View Configuration.

    ../_images/lab2-lb-def-validation.png ../_images/lab2-lb-def-validation-config.png
  8. Within the API Inventory validation, change the Fall Through Mode drop-down to Custom.

    ../_images/lab2-lb-def-validation-fall-through.png
  9. Within Custom Fall Through Rule List, click Configure.

    ../_images/lab2-lb-def-validation-fall-through-config.png
  10. In the Custom Fall Through Rule List section, click Add Item.

    ../_images/lab2-lb-def-fall-through-add.png
  11. Update the fields with the details below, then click Apply. This rule blocks any request under /api that falls through inventory validation, i.e. any request that does not match an endpoint in the API Definition; requests outside /api, such as the Swagger UI at /swagger, are not affected.

    • Name: fall-through

    • Action: Block

    • Type: Base Path

    • Base Path: /api

    ../_images/lab2-lb-def-fall-through-apply.png
  12. Review the Custom Fall Through Rule List, click Apply.

    ../_images/lab2-lb-def-fall-through-review.png
  13. Review the API Inventory validation, click Apply.

    ../_images/lab2-lb-def-validation-apply.png
  14. Select Other Settings on the left, then click Save and Exit at the bottom right of the window.

    ../_images/shared-lb-save.png
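The following is an added example, not part of the lab and not F5 Distributed Cloud code. It models two things the lab relies on: the shadow-API idea from Task 1 (an observed endpoint that the API Definition does not document) and the fall-through behaviour configured in Task 3 (requests matching the definition pass inventory validation; everything else falls through to the custom rule list, where the "Base Path /api, Block" rule rejects it). The OpenAPI snippet, the access-log lines and the paths in them are constructed for illustration; "first matching rule wins" and "no matching rule means allow" are assumptions about rule evaluation, and only the Base Path rule type is modelled.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Constructed stand-in for the shared Demo Bank OpenAPI definition (not the
# lab's real swagger file). "getbyheroname" is deliberately missing: that is
# exactly what makes it a shadow API.
OPENAPI_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "paths": {
    "/api/customerlookup/getbyid/{id}": {"get": {}},
    "/api/customerlookup/getbyname": {"get": {}},
    "/api/accounts/{accountId}/balance": {"get": {}}
  }
}
""")

# Constructed access-log sample (method, request target, status); not real
# lab traffic. Includes the Swagger UI itself and a wrong-method request.
ACCESS_LOG = """\
GET /api/customerlookup/getbyid/42 200
GET /api/customerlookup/getbyname?name=Tony 200
GET /api/customerlookup/getbyheroname?heroname=Iron%20Man 200
GET /api/customerlookup/getbyheroname?heroname=Iron%20Man 200
GET /api/accounts/7/balance 200
GET /swagger/index.html 200
POST /api/customerlookup/getbyname 405
"""


@dataclass(frozen=True)
class FallThroughRule:
    name: str
    action: str      # "Allow" or "Block"
    rule_type: str   # only "Base Path" is modelled here (assumption)
    value: str


def path_to_regex(template: str) -> re.Pattern:
    """Compile an OpenAPI path template; each {param} matches one path segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append("[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "/?$")


def build_inventory(spec: dict) -> List[Tuple[str, str, re.Pattern]]:
    """The inventory is every (METHOD, path template) the definition documents."""
    return [(method.upper(), path, path_to_regex(path))
            for path, ops in spec["paths"].items() for method in ops]


def in_inventory(inventory, method: str, path: str) -> bool:
    # Matching is on method AND path: a documented path with an undocumented
    # method is still outside the inventory.
    return any(m == method and rx.match(path) for m, _, rx in inventory)


def parse_log(text: str) -> Iterator[Tuple[str, str, int]]:
    for line in text.splitlines():
        method, target, status = line.split()
        yield method, target.split("?", 1)[0], int(status)   # drop the query string


def find_shadow_endpoints(spec: dict, log_text: str) -> Dict[Tuple[str, str], int]:
    """Observed (method, path) pairs the definition does not document, with hit counts."""
    inventory = build_inventory(spec)
    shadow: Dict[Tuple[str, str], int] = {}
    for method, path, _ in parse_log(log_text):
        if not in_inventory(inventory, method, path):
            shadow[(method, path)] = shadow.get((method, path), 0) + 1
    return shadow


def base_path_matches(base: str, path: str) -> bool:
    base = "/" + base.strip("/")
    # Segment-aware prefix test: "/api" covers "/api" and "/api/...", not "/apix".
    return path == base or path.startswith(base + "/")


def decide(inventory, rules: List[FallThroughRule], method: str, path: str) -> str:
    """Inventory validation: documented requests pass; the rest fall through to
    the rule list (first match wins, assumed); no matching rule means Allow."""
    if in_inventory(inventory, method, path):
        return "Allow"
    for rule in rules:
        if rule.rule_type == "Base Path" and base_path_matches(rule.value, path):
            return rule.action
    return "Allow"


# As in Task 1, before Task 3 is configured: nothing outside the definition is blocked.
RULES_BEFORE: List[FallThroughRule] = []
# The single rule the lab configures in Task 3.
RULES_AFTER = [FallThroughRule("fall-through", "Block", "Base Path", "/api")]


def simulate(spec: dict, rules, log_text: str) -> List[Tuple[str, str, str]]:
    inventory = build_inventory(spec)
    return [(m, p, decide(inventory, rules, m, p)) for m, p, _ in parse_log(log_text)]


if __name__ == "__main__":
    for (method, path), hits in find_shadow_endpoints(OPENAPI_SPEC, ACCESS_LOG).items():
        print(f"shadow: {method} {path} ({hits} hits)")
    for method, path, verdict in simulate(OPENAPI_SPEC, RULES_AFTER, ACCESS_LOG):
        print(f"{verdict:5} {method} {path}")
```

Two details worth noticing: the Swagger UI request to /swagger/index.html is also "shadow" in the sense of not being in the definition, but the Block rule is scoped to /api, so the UI keeps working; and the POST to a documented GET-only path is blocked, because inventory membership is a method-plus-path match, not a path match.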

Task 4: Simulate Blocked Access to a Shadow API

  1. Using another browser tab, navigate to the following URL.

    http://<namespace>.lab-sec.f5demos.com/swagger

    ../_images/shared-swagger-intro.png
  2. In the Demo Bank API app, navigate to the /api/customerlookup/getbyheroname endpoint, expand it, and click Try it out.

    ../_images/lab2-swagger-try.png
  3. Enter ‘Iron Man’ in the “heroname” field, then click Execute.

    Note

    Press Execute a couple more times to generate additional events, which will be reviewed in a later lab.

    ../_images/lab2-swagger-execute.png
  4. Review the response body. The request is now rejected with an HTTP 403 instead of returning customer data.

    ../_images/lab2-swagger-response-403.png

    Note

    You should now be blocked from accessing the ‘getbyheroname’ API endpoint: it is a shadow API, an undocumented and unapproved endpoint, so it does not match the API Definition, falls through inventory validation, and is caught by the Block rule on /api.
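The scenario asks that unapproved endpoints stay blocked "both now and in the future", which is a regression check rather than a one-off Swagger click. The script below is an added example, not part of the lab and not F5 code: it re-runs the Task 4 check from the command line, expecting the shadow endpoint to answer 403 and the Swagger UI to still answer 200, and exits non-zero if either expectation fails. The host is the lab's placeholder (replace <namespace>), the User-Agent string is an arbitrary choice, and the `fetch` parameter is injectable so the comparison logic can be exercised without network access.

```python
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Lab placeholder host; substitute your own namespace before running.
BASE_URL = "http://<namespace>.lab-sec.f5demos.com"

# Expectations taken from the lab: after Task 3 the shadow endpoint must be
# blocked (403) while the Swagger UI remains reachable (200).
EXPECTATIONS: List[Tuple[str, int]] = [
    ("/api/customerlookup/getbyheroname?heroname=Iron%20Man", 403),
    ("/swagger", 200),
]


def http_status(url: str) -> int:
    """GET url and return the HTTP status code. urllib raises on 4xx/5xx, so
    the error is unwrapped into a status the caller can compare against."""
    req = urllib.request.Request(url, headers={"User-Agent": "shadow-api-check/1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_endpoints(base_url: str,
                    expectations: List[Tuple[str, int]],
                    fetch: Callable[[str], int] = http_status
                    ) -> Dict[str, Tuple[int, int, bool]]:
    """Return {path: (expected_status, actual_status, ok)} for every expectation."""
    results: Dict[str, Tuple[int, int, bool]] = {}
    for path, expected in expectations:
        actual = fetch(base_url + path)
        results[path] = (expected, actual, actual == expected)
    return results


def all_ok(results: Dict[str, Tuple[int, int, bool]]) -> bool:
    return all(ok for _, _, ok in results.values())


def main() -> int:
    report = check_endpoints(BASE_URL, EXPECTATIONS)
    for path, (expected, actual, ok) in report.items():
        print(f"{'PASS' if ok else 'FAIL'} {path}: expected {expected}, got {actual}")
    return 0 if all_ok(report) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it once immediately after Task 3 to confirm the block, and again whenever the Load Balancer or API Definition changes; a FAIL on the getbyheroname line means the shadow endpoint has become reachable again.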

End of Lab

../_images/labend3.png