Lab 3: API Protection

Scenario

A Social Security Number (SSN) has been detected within the response body of the “getbydob” endpoint. This is a misconfiguration, as the API is not approved to handle this data type based on its Data Classification.

Take action to block usage of the “getbydob” endpoint until the misconfiguration is resolved.

Expected Lab Time: 10 minutes

Task 1: Simulate Allowed Access to a Misconfigured API

  1. Using another browser tab, navigate to the following URL.

    http://<namespace>.lab-sec.f5demos.com/swagger

    ../_images/shared-swagger-intro.png
  2. In the Demo Bank API app, navigate to the /api/customerlookup/getbydob endpoint, expand it, and click Try it out.

    ../_images/lab3-swagger-try.png
  3. Enter ‘1970/05/29’ in the DOB field, then click Execute.

    ../_images/lab3-swagger-execute.png
  4. Review the response body, and the SSN within the response.

    ../_images/lab3-swagger-response.png

    Note

    An SSN in the response doesn’t match the Data Classification for this API.

Task 2: Enable API Protection

In this task you will enable the API Protection feature on the HTTP Load Balancer built earlier, which delivers the targeted API.

  1. In the left-hand navigation of the Web App & API Protection service, click on Load Balancers > HTTP Load Balancers under the Manage section.

  2. In the resulting Load Balancers window, click on the three dots in the Action column, and then select Manage Configuration.

    ../_images/shared-103.png
  3. Click Edit Configuration in the top-right corner.

    ../_images/shared-104.png
  4. In the API Protection > API Protection Rules section, click the Configure link.

    ../_images/lab3-api-protection-config.png
  5. In the resulting API Protection Rules window, click Configure in the API Endpoints section.

    ../_images/lab3-api-endpoints-config.png
  6. Click Add Item in the API Endpoints window.

    ../_images/lab3-api-endpoints-add.png
  7. In the resulting window, update the required fields with the following information, then click Apply.

    • Name: block-endpoint

    • Action: Deny

    • API Endpoint: /api/customerlookup/getbydob

    • Method List: ANY

    ../_images/lab3-api-endpoints-apply.png

    Note

    The available endpoints are provided by the Swagger file previously imported, or identified by API Discovery. More than one Method can be selected for an endpoint.

  8. Review the API Endpoint deny rule and click the Apply button.

    ../_images/lab3-api-endpoints-review.png
  9. Note that API Protection Rules are now configured for the API Endpoints, and click the Apply button.

    ../_images/lab3-api-protection-apply.png
  10. Select Other Settings on the left, then click Save and Exit at the bottom right of the window.

    ../_images/shared-lb-save.png

Task 3: Simulate Blocked Access to a Misconfigured API

  1. Using another browser tab, navigate to the following URL.

    http://<namespace>.lab-sec.f5demos.com/swagger

    ../_images/shared-swagger-intro.png
  2. In the Demo Bank API app, navigate to the /api/customerlookup/getbydob endpoint, expand it, and click Try it out.

    ../_images/lab3-swagger-try.png
  3. Enter ‘1970/05/29’ in the DOB field, then click Execute.

    Note

    Press Execute a couple of extra times to create more events, which will be reviewed in a later lab.

    ../_images/lab3-swagger-execute.png
  4. Review the response body.

    ../_images/lab3-swagger-response-403.png

    Note

    You should now be blocked from accessing the ‘getbydob’ endpoint, preventing access to sensitive data such as the SSN.
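The allowed and blocked checks from Task 1 and Task 3 can also be run as a script rather than through the Swagger UI. The following is an added example, not part of the lab or of F5’s own tooling; the SSN pattern is a simple constructed heuristic (not the platform’s Data Classification engine), and the `dob` query-parameter name used by `probe()` is an assumption.

```python
import json
import re
from typing import NamedTuple
from urllib import error, request
from urllib.parse import quote

# Heuristic for US SSNs in the ddd-dd-dddd layout. Constructed for this
# example; it is not the platform's Data Classification engine.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

class Finding(NamedTuple):
    status: int      # HTTP status code of the response
    ssn_count: int   # SSN-shaped values found in the body
    blocked: bool    # True when the deny rule from Task 2 answered with 403

def inspect_response(status: int, body: str) -> Finding:
    """Classify one response from the getbydob endpoint."""
    return Finding(status, len(SSN_RE.findall(body)), status == 403)

def rule_is_effective(before: Finding, after: Finding) -> bool:
    """True when the endpoint leaked an SSN before the rule and is denied after it."""
    return before.ssn_count > 0 and after.blocked and after.ssn_count == 0

def probe(base_url: str, dob: str = "1970/05/29", timeout: float = 5.0) -> Finding:
    """Call the lab endpoint and inspect the result.

    base_url is the lab host, e.g. http://<namespace>.lab-sec.f5demos.com.
    The 'dob' query-parameter name is an assumption; the Swagger UI in the
    lab shows the exact request shape for this endpoint.
    """
    url = f"{base_url}/api/customerlookup/getbydob?dob={quote(dob, safe='')}"
    try:
        with request.urlopen(url, timeout=timeout) as resp:
            return inspect_response(resp.status, resp.read().decode("utf-8", "replace"))
    except error.HTTPError as exc:  # urllib raises on 4xx/5xx; 403 is the expected block
        return inspect_response(exc.code, exc.read().decode("utf-8", "replace"))

# Constructed sample responses standing in for Task 1 (allowed) and Task 3 (blocked).
SAMPLE_ALLOWED = json.dumps({"name": "Jane Doe", "dob": "1970/05/29", "ssn": "123-45-6789"})
SAMPLE_BLOCKED = json.dumps({"status": 403, "message": "Forbidden"})

if __name__ == "__main__":
    before = inspect_response(200, SAMPLE_ALLOWED)
    after = inspect_response(403, SAMPLE_BLOCKED)
    print(before, after, "deny rule effective:", rule_is_effective(before, after))
```

Against the live lab, call `probe()` once before and once after Task 2 and pass the two findings to `rule_is_effective()`.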

End of Lab

../_images/labend3.png