NGINX Modern Apps > Class 16 - Beyond Models: A Practical Guide to Protecting Your AI-Powered Apps > Protecting the Application Source | Edit on
Testing the App Security¶
We will go through testing steps to verify that our application has been successfully protected.
Let’s test the Web Application Firewall, browse to Arcadia XSS Attack.
The request will be blocked due to the XSS attack by the Web Application Firewall.
Test the API protection:
Browse to Arcadia non existing endpoint.
The request will be blocked because the Path is not defined in the enforced OpenAPI schema.
In the Jumphost Webshell run the bellow cURL command.
The request will be blocked because the email is defined OpenAPI schema as a string and not as a number.
curl -H "Content-Type: application/json;charset=UTF-8" \ --data-raw "{\"email\":112233,\"password\":\"bitcoin\"}" \ http://arcadia-re-ptdfrjlupf.lab-sec.f5demos.com/v1/login
Test that the ChatBot is protected from mallicious Bots. In the Jumphost Webshell run the bellow cURL commands.
Bot protection will block the request as it understands that this request is coming from a Bot.
# Login and get JWT token JWT_TOKEN=$(curl -s -X POST "http://arcadia-re-ptdfrjlupf.lab-sec.f5demos.com/v1/login" \ -H "Content-Type: application/json" \ -d '{"email":"sorin@nginx.com","password":"nginx"}' \ | grep -o '"jwt":"[^"]*' | cut -d'"' -f4) echo "JWT Token: $JWT_TOKEN" # Send a message to AI chat curl -s -X POST "http://arcadia-re-ptdfrjlupf.lab-sec.f5demos.com/v1/ai/chat" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $JWT_TOKEN" \ -d '{"newQuestion":"Tell me about the current market trends for cryptocurrencies."}'
Go and inspect the Security Logs
IMPORTANT NOTE Because we enabled Bot protection when you browse the next time to the Arcadia application you need to either disable the browser cache or clear it in order to make sure the browser is loading the Bot protection JavaScripts.
