Lab 2.4: Test the Arcadia Finance Prod Security Policy

1. Go back to Postman, open Arcadia Finance >> Prod >> Test API >> PROD - buy_stocks and click Send (you should get a 200 response). Select Headers, change the Content-Type from application/json to text/plain, and click Send again.

../../_images/postman-text-plain.png

Q: Given that our backend API should only accept JSON requests, is this acceptable?

2. Go back to the Arcadia Prod security policy, select Allowed URLs > * (the wildcard URL) and review the Header-based Content Profiles again. Notice there is a default rule that allows “Any” header value as long as the request passes signature check validation. That is why your text/plain request was accepted.
../../_images/big-ip-securitypolicy-urls-contenttype-default.png
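The manual Postman check above can be turned into a repeatable policy regression test. The script below is an added example, not part of the lab or of the F5 product: it sends the same buy_stocks body with several Content-Type values and flags every non-JSON type that still gets a 200, which is the gap the default “Any” rule leaves open. The host, path and body are assumptions to be replaced with the lab's real values.

```python
"""Content-Type regression check for the buy_stocks endpoint (example code).

Mirrors the manual Postman test: the same JSON body is sent with several
Content-Type values and any non-JSON type the WAF accepts is reported.
"""
import json
import urllib.error
import urllib.request

# Assumed values: replace with the lab's actual Prod host, path and body.
BASE_URL = "https://prod.arcadia.example"        # placeholder host
BUY_STOCKS_PATH = "/api/buy_stocks"              # placeholder path
BODY = json.dumps({"symbol": "ACME", "qty": 1}).encode()  # constructed body

# The backend should only ever see the first of these.
CONTENT_TYPES = [
    "application/json",
    "text/plain",
    "application/xml",
    "application/x-www-form-urlencoded",
]


def send(content_type, opener=urllib.request.urlopen):
    """Return the HTTP status for BODY posted with the given Content-Type."""
    req = urllib.request.Request(
        BASE_URL + BUY_STOCKS_PATH, data=BODY, method="POST",
        headers={"Content-Type": content_type},
    )
    try:
        with opener(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # a WAF block page typically surfaces here


def find_gaps(status_by_type):
    """Return the non-JSON Content-Types the policy let through (status 200)."""
    return sorted(ct for ct, status in status_by_type.items()
                  if ct != "application/json" and status == 200)


def run(opener=urllib.request.urlopen):
    """Probe every Content-Type and return the ones that should have been blocked."""
    return find_gaps({ct: send(ct, opener) for ct in CONTENT_TYPES})


if __name__ == "__main__":
    for ct in run():
        print(f"GAP: {ct} accepted on buy_stocks; tighten the Header-based Content Profile")
```

Run it once before and once after you change the “Any” rule; the second run should print nothing.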

First Strike!

Let’s see if something more malicious will get through…

3. From the Windows RDP host, go to Postman, expand the Prod >> Attacks folder, select Buy Stocks – Header, and then select Headers in the right pane.

That Keep-Alive header looks suspicious!

../../_images/postman-attack-header.png

4. Click Send on the request. Was it a success? Review the ASM security event logs under Security >> Event Logs >> Application >> Requests.

5. Go back to Postman, open the Arcadia Finance >> Prod >> Test API folder, and click Send on the PROD - sell stocks and PROD - last transactions requests to verify they still work.

Now that we have reviewed our Production instance, let’s deploy our development version.