Fortinet XPerts 2024

Welcome!

In this lab, you will have an opportunity to configure FortiWeb Cloud to protect a Juice Shop server, emulating a very vulnerable e-commerce website. Students will onboard their application and then run a few simple attacks, as well as turn on several security features, in order to learn more about FortiWeb Cloud’s capabilities.

FortiWeb

FortiWeb is Fortinet’s Web Application and API security platform, enabling enterprise customers to protect web applications no matter where they are deployed. FortiWeb defends web applications and APIs against OWASP Top-10 threats, DDOS attacks, and malicious bot attacks. Advanced ML-powered features improve security and reduce administrative overhead. Capabilities include anomaly detection, API discovery/protection, bot mitigation and advanced threat analytics to identify the most critical threats across all protected applications.

FortiWeb Cloud WAF as a Service (WAFaaS) reduces administrative overhead by offering the full suite of FortiWeb security features without the need to manage VMs and networking. Customers simply change their DNS records so that all application traffic is proxied through FortiWeb Cloud.

Learning Objectives

  • Learn to Onboard Web Applications into FortiWeb Cloud
  • Explore SQL injection attacks and then block them with FortiWeb Cloud
  • Secure APIs with FortiWeb Cloud

Lab Environment

Below is a diagram of the Lab environment.

[Diagram: lab1]

Version:
Last updated: Thu, May 22, 2025 22:26:25 UTC
Copyright© 2025 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.


Ch 1: Getting Started

Provisioning the Azure environment (40min)

Provision your Azure Environment, enter your Email address and click Provision

Warning

Provisioning can take several minutes. *** PLEASE DO NOT SUBMIT MULTIPLE TIMES ***

When provisioning is complete, one of the following will happen.

  • You will receive an email with Azure environment credentials. Use those credentials for this environment, even if you have your own.
  • You will receive an email indicating that there are no environments available to utilize. In this case, please try again at a later date.
  • You will receive an email indicating that the supplied email address is from an unsupported domain.
  • No email received due to an unexpected error. You can try again or notify the Azure CSE team.

Tasks

  • Setup Azure Cloud Shell
  • Run Terraform
  • Verify Terraform

Student Setup Diagram

Each Student will have their own environment for the lab. The following diagram provides an overview of the Student environment.

[Diagram: setup]


Task 1: Setup Azure Cloudshell

Goal: Login to Azure
Task: Create an Azure account and login.
Verify task completion: You will receive an email
Info

The below document references “student number” for a couple of the steps. This is the first portion of the Username you received in the initial email with your Azure credentials. For example if your username is web10@fortinetcloud.onmicrosoft.com then your student number would be web10

Set up your Azure Cloud Shell

  • Login to Azure Cloud Portal https://portal.azure.com/ with the provided login/password


  • Select Yes when asked if you would like to stay signed in


  • If you are presented with a “Welcome to Microsoft Azure” screen, click Cancel


  • Click on Cloud Shell icon on the Top Right side of the portal


  • Select Bash


  • Next, you will see a “Getting started” page.

    • Select Mount Storage Account
    • Choose Internal-Training as the Storage account subscription
    • Click Apply


  • On the Mount storage account screen

    • click Select existing storage account

    • click Next


  • On the Select storage account screen (values in drop down)

    • choose Internal-Training as description

    • resource group will be “student number”-http101-workshop

    • storage account name will be “student number” followed by some random numbers and letters

    • File share will be cloudshellshare

    • Click Select


  • Your Cloud shell is now configured.

Task 2: Run Terraform

Goal: Run Terraform
Task: Clone the repo and run the terraform commands
Verify task completion: You should be able to see the output of terraform

Launch resources using Terraform

All the components required for Lab are deployed through terraform.

Perform the following steps in your Cloudshell console to create your environment.

  1. Clone the GitHub repo: git clone https://github.com/FortinetCloudCSE/fortiweb-security-foundations-201.git
  2. Change directory to the terraform folder: cd fortiweb-security-foundations-201/terraform
  3. Run terraform init

    git clone https://github.com/FortinetCloudCSE/fortiweb-security-foundations-201.git
    cd fortiweb-security-foundations-201/terraform
    terraform init


  4. Run the following command to apply it

    terraform apply -var="username=$(whoami)" --auto-approve
    IF THE COMMAND ABOVE RESULTS IN AN ERROR

    You can manually specify your username (found in your Azure Account email) in the command
    If your Workshop Azure account login is web31@ftntxxxxx.onmicrosoft.com, your username is web31, and the command to enter is:

    terraform apply  -var='username=web31' --auto-approve


  5. Terraform deployment takes at least 10-15 min to complete.
    • Once Terraform is complete you should see the output. Please copy the output to notepad.


  6. To print the node VM’s login password, you can run this command

    terraform output -raw password


Task 3: Start Kali RDP

Goal: Start Kali RDP
Task: Navigate to Kali Linux and Juice Shop servers
Verify task completion: You should be able to access both Kali and Juice Shop. All commands in step 4 should complete successfully.

Logging into your student environment

Prereqs

  • Internet Access
  • Web Browser
    • Any modern browser will work. Some people have had issues with Safari. If that happens, please try Firefox or Chrome. Your student environment includes a client and server with all required software.

Start Kali RDP

For this lab, we will only need to interact with the Kali Linux device. We will use Guacamole to create an RDP session in your browser.

  • In your browser window, type in the url below, substituting your Kali server IP.

    Warning

    Kali Linux takes about 20 minutes to fully deploy, so you may get a connection refused error. Please be patient and the login prompt will eventually appear. Even after Kali is reachable via HTTPS, some of the initial packages may still be downloading.

    Warning

    Depending on your browser, you will likely need to accept the self-signed certificate warnings.

    https://<kali-IP>:8443
  • Accept all warnings and proceed to the site.

  • You will be prompted to login to Apache Guacamole.

    • Enter guacadmin for Username and S3cur3P4ssw0rd123! for Password
    • Click Login


  • The Guacamole home page will have a list of connections. Click on the connection labeled Lab Desktop


  • Note the icons at the top left of the home screen. We will be using these during the lab.


Paste text into Kali Desktop

There are portions of this lab that will require large amounts of text to be entered on the Kali desktop. To accomplish this:

  • You will need to open (and close) the Guacamole menu by typing ctrl+alt+shift on Windows or ctrl+command+shift on Mac.
  • Paste your text into the window, and select Text input as the Input method.


  • Right-click on the desktop where you want to paste and click “paste” or “paste from clipboard”, depending on which option is available.

Task 4: Check Juice Shop

Goal: Verify that Juice Shop is working
Task: Navigate to the public IP associated with Ubuntu
Verify task completion: You should see the Juice Shop Home Page

Check Juice Shop

From your Terraform outputs in Task 2 you should have the public IP address of the Ubuntu VM.

  • By default, Juice shop listens on port 3000. In your favorite browser, type http://<ubuntu-ip>:3000
  • You should see a screen like below:
Warning

Depending on your browser, you will likely need to accept the self-signed certificate warnings.


  • You can now proceed to the next module

Ch 2: Protect Application

Log Into FortiWeb Cloud

  1. Using an Incognito browser, navigate to the below URL:
https://customersso1.fortinet.com/saml-idp/proxy/demo_sallam_okta/login 
  2. Input the username from the email you received from fortinetsecdevops@gmail.com and click Next


  3. Input the password from the email you received from fortinetsecdevops@gmail.com and click Sign in


For the next step, choose Yes. You do want to stay logged in.

Info

Sometimes, if you wait too long to input your password, you will get the SAML login portal error “Error: SAML response with InResponseTo is too late for previous request”. If this happens, just click the small blue “Login” link.

  4. This will take you to the FortiCloud Premium Dashboard. At the top of the screen select Services > FortiWeb Cloud


  5. If you have problems, you can always browse to https://www.fortiweb-cloud.com, and click login. Select your account to proceed to the FortiWeb Cloud console.


Task 1: Onboard Application

Goal: Start protecting Juice Shop Application with FortiWeb Cloud
Task: Onboard Application in FortiWeb GUI
Verify task completion: Your Application will show up in the Application list.

Add Application

  1. Open the Applications view from the top left menu bar, and then click on + ADD APPLICATION


  2. Tab 1: “WEBSITE”

    • In Web Application Name enter your FortiWeb Cloud StudentID number which you used to login to FortiWeb Cloud (found at the top right corner of the FortiWeb Cloud Screen).
    Info

    For example, if your FortiWeb Cloud User is CSEAccount669@fortinetcloud.onmicrosoft.com, your Student ID would be: 669

    • For Domain Name use <studentId>.fwebtraincse.com and then select Next
  3. Tab 2: Network

    • Unselect “HTTP”, as we want to force users to interact with FortiWeb using only HTTPS.
    • For IP Address or FQDN enter the JuiceShop Public IP (which is the Ubuntu VM Public IP from your Terraform Output)
    • For Port enter “3000”
    • Select HTTP for Server Protocol. This is Juice Shop and it is NOT secure
    • Click on Test Origin Server. You should see a green box pop up that says “Test successfully”
    • Choose Next
  4. Tab 3: CDN

    No Changes. You will notice the Selected WAF Region shows the Platform “Google Cloud Platform” and the Region.

    Info

    FortiWeb Cloud automatically chooses the platform and region based on the IP Address of the application. There is no user intervention required.

    • Select Next
  5. Tab 4: “SETTING”

    • DO NOT enable Block Mode

    • Select Save

  6. Tab 5: “CHANGE DNS”

    We are presented with very important information regarding DNS settings which need to be changed in order to direct traffic to FortiWeb Cloud. In this lab, we will not be doing this, as sometimes it can take a while for the DNS settings to propagate.

    Warning

    Take Note of the IPv4 addresses and CNAME for use in a later step. Before you close!

    • Select Close
  7. You should now see your Application listed in FortiWeb Cloud. Note that the DNS Status is set to Update Pending. This is expected, and we will ignore it.

    Note

    If you need to recover the application IPs or CNAME later, you can click on the app’s DNS status Update Pending to show DNS status & retrieve the IPs

Task 2: Secure Cloud Infrastructure

Goal: Learn how to lock down Access in Azure
Task: Modify Azure NSG in terraform to only allow traffic from FortiWeb Cloud
Verify task completion: You should no longer be able to reach Juice Shop directly from your desktop.

This lab was originally bootstrapped with an ingress firewall rule which allows all ports and protocols from all sources (0.0.0.0/0). This is not a best practice; it is recommended to only allow necessary ports and/or sources. Now that we have onboarded our application, we want to ensure that the only device that can communicate with our application is FortiWeb Cloud.

Task 1: Modify Azure Network Firewall Rules

  1. In the FortiWeb Cloud UI, Copy the IPs which FortiWeb Cloud will use to communicate with your application. From the FortiWeb Cloud Applications page, select Allow IP List from the top of the page. This will open a dialog showing Management and Scrubbing Center Addresses. Click on Copy to Clipboard. Paste these IPs into a text document and then click Return


  2. In Azure cloud shell, verify you’re in the terraform folder or navigate to it by typing cd fortiweb-security-foundations-201/terraform/

  3. Make a copy of our ubuntu.tf file so that we can come back to it later if needed.

    • at the prompt, type cp ubuntu.tf ubuntu.tf.bak
  4. Use nano to open and edit the ubuntu terraform file


    Info

    In order to Navigate within nano, use the up, down, left and right arrow keys. Use backspace to delete and type in the text you want to replace it with. When you are ready to save type ctrl+o then enter (to save to the same filename). Then type ctrl+x to exit.


  5. Navigate to the security rule named allow-juice-inbound. Note currently, the rule allows all source addresses.


  6. We are going to modify the source_address_prefix entry and replace it with the list of FortiWeb Cloud IPs captured in step 1 above

    • For example: source_address_prefixes = ["3.226.2.163", "3.123.68.65", "52.179.7.200", "20.127.74.103", "20.127.74.161", "20.127.74.143", "20.228.249.214", "52.179.3.225"]

    • Save the file with ctrl+o then enter (to save to the same filename)

    • Exit Nano with ctrl+x

    • When you are done you can verify your changes with more ubuntu.tf


  7. Now we will apply these changes by typing terraform apply -var="username=$(whoami)" --auto-approve

  8. When this is completed you will see terraform removed both security rules and added the new ones in their place.

    Terraform will perform the following actions:
    
      # azurerm_network_security_group.ubu-nsg will be updated in-place
      ~ resource "azurerm_network_security_group" "ubu-nsg" {
            id                  = "/subscriptions/02b50049-c444-416f-a126-3e4c815501ac/resourceGroups/web10-http101-workshop/providers/Microsoft.Network/networkSecurityGroups/web10-ubu_nsg"
            name                = "web10-ubu_nsg"
          ~ security_rule       = [
              - {
                  - access                                     = "Allow"
                  - destination_address_prefix                 = "*"
                  - destination_address_prefixes               = []
                  - destination_application_security_group_ids = []
                  - destination_port_range                     = "22"
                  - destination_port_ranges                    = []
                  - direction                                  = "Inbound"
                  - name                                       = "allow-ssh-inbound"
                  - priority                                   = 101
                  - protocol                                   = "Tcp"
                  - source_address_prefix                      = "*"
                  - source_address_prefixes                    = []
                  - source_application_security_group_ids      = []
                  - source_port_range                          = "*"
                  - source_port_ranges                         = []
                    # (1 unchanged attribute hidden)
                },
              - {
                  - access                                     = "Allow"
                  - destination_address_prefix                 = "*"
                  - destination_address_prefixes               = []
                  - destination_application_security_group_ids = []
                  - destination_port_range                     = "3000"
                  - destination_port_ranges                    = []
                  - direction                                  = "Inbound"
                  - name                                       = "allow-juice-inbound"
                  - priority                                   = 102
                  - protocol                                   = "Tcp"
                  - source_address_prefix                      = "*"
                  - source_address_prefixes                    = []
                  - source_application_security_group_ids      = []
                  - source_port_range                          = "*"
                  - source_port_ranges                         = []
                    # (1 unchanged attribute hidden)
                },
              + {
                  + access                                     = "Allow"
                  + destination_address_prefix                 = "*"
                  + destination_address_prefixes               = []
                  + destination_application_security_group_ids = []
                  + destination_port_range                     = "3000"
                  + destination_port_ranges                    = []
                  + direction                                  = "Inbound"
                  + name                                       = "allow-juice-inbound"
                  + priority                                   = 102
                  + protocol                                   = "Tcp"
                  + source_address_prefixes                    = [
                      + "3.123.68.65",
                      + "3.226.2.163",
                      + "34.138.149.79",
                      + "34.148.6.49",
                      + "34.74.199.185",
                      + "35.185.18.199",
                      + "35.227.112.86",
                      + "35.227.32.42",
                    ]
                  + source_application_security_group_ids      = []
                  + source_port_range                          = "*"
                  + source_port_ranges                         = []
                    # (2 unchanged attributes hidden)
                },
              + {
                  + access                                     = "Allow"
                  + destination_address_prefix                 = "*"
                  + destination_address_prefixes               = []
                  + destination_application_security_group_ids = []
                  + destination_port_range                     = "22"
                  + destination_port_ranges                    = []
                  + direction                                  = "Inbound"
                  + name                                       = "allow-ssh-inbound"
                  + priority                                   = 101
                  + protocol                                   = "Tcp"
                  + source_address_prefix                      = "*"
                  + source_address_prefixes                    = []
                  + source_application_security_group_ids      = []
                  + source_port_range                          = "*"
                  + source_port_ranges                         = []
                },
            ]
            tags                = {}
            # (2 unchanged attributes hidden)
        }
    
    Plan: 0 to add, 1 to change, 0 to destroy.
    azurerm_network_security_group.ubu-nsg: Modifying... [id=/subscriptions/02b50049-c444-416f-a126-3e4c815501ac/resourceGroups/web10-http101-workshop/providers/Microsoft.Network/networkSecurityGroups/web10-ubu_nsg]
    azurerm_network_security_group.ubu-nsg: Modifications complete after 2s [id=/subscriptions/02b50049-c444-416f-a126-3e4c815501ac/resourceGroups/web10-http101-workshop/providers/Microsoft.Network/networkSecurityGroups/web10-ubu_nsg]
    
    Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
  9. You can verify this change in the Azure Portal as well.

    • From the home screen in Azure, search in the top middle bar for ubu_nsg

    • You will find a Network Security Group with a name corresponding to your Azure Account ID like web10-ubu_nsg. Click to view it


  10. You should be able to see the updated security rule.


  11. Now try to navigate to the Juice Shop Application from your laptop by typing http://<ubuntu ip>:3000 in your favorite browser.
    • You should NOT be able to access Juice Shop directly.
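A helper for steps 1 and 6 above, added here as an example and not part of the workshop repository: it turns the text pasted from the Allow IP List dialog into the source_address_prefixes line for ubuntu.tf (rejecting anything that is not an address) and flags any inbound Allow rule whose source is still a wildcard, using the attribute names from the terraform plan output. The pasted IP list in the block is a constructed sample, not a real FortiWeb Cloud allow list.

```python
"""Helper for the NSG lock-down: build the source_address_prefixes value for
ubuntu.tf from the pasted FortiWeb Cloud Allow IP List, and check whether an
inbound Allow rule still accepts any source. Added example, not workshop code."""
import ipaddress
import re

# Constructed sample of pasted Allow IP List text (not real FortiWeb Cloud IPs):
# mixed separators, one duplicate, one CIDR block.
PASTED_ALLOW_LIST = """
3.226.2.163, 3.123.68.65
52.179.7.200
20.127.74.103 20.127.74.161
52.179.7.200
192.0.2.0/24
"""

# Azure NSG source values that mean "anyone on the internet".
WILDCARD_SOURCES = {"*", "0.0.0.0/0", "Internet"}


def parse_allow_list(text: str) -> list[str]:
    """Return the unique, valid IPv4 addresses/CIDRs in text, sorted numerically.
    Raises ValueError on anything that is not an address, so a stray line from
    the clipboard cannot silently end up in the NSG rule."""
    found: set[str] = set()
    for token in re.split(r"[\s,;]+", text.strip()):
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError as exc:
            raise ValueError(f"not an IP address or CIDR: {token!r}") from exc
        if net.version != 4:
            raise ValueError(f"IPv4 expected, got {token!r}")
        # Bare host address for a /32, CIDR notation otherwise.
        found.add(str(net.network_address) if net.prefixlen == 32 else str(net))
    if not found:
        raise ValueError("allow list is empty")
    return sorted(found, key=lambda s: ipaddress.ip_network(s, strict=False))


def to_hcl_source_prefixes(prefixes: list[str]) -> str:
    """Render the line that replaces source_address_prefix = "*" in ubuntu.tf."""
    quoted = ", ".join(f'"{p}"' for p in prefixes)
    return f"source_address_prefixes = [{quoted}]"


def rule_is_open_to_internet(rule: dict) -> bool:
    """True for an inbound Allow rule whose source is a wildcard, i.e. the state
    the lab started in. Keys follow the attribute names in the terraform plan."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    sources = [rule.get("source_address_prefix") or ""]
    sources += rule.get("source_address_prefixes") or []
    return any(src in WILDCARD_SOURCES for src in sources if src)


if __name__ == "__main__":
    prefixes = parse_allow_list(PASTED_ALLOW_LIST)
    print(to_hcl_source_prefixes(prefixes))
    before = {"direction": "Inbound", "access": "Allow",
              "source_address_prefix": "*", "source_address_prefixes": []}
    after = {"direction": "Inbound", "access": "Allow",
             "source_address_prefix": "", "source_address_prefixes": prefixes}
    print("open before:", rule_is_open_to_internet(before),
          "open after:", rule_is_open_to_internet(after))
```

The same check run over the allow-ssh-inbound rule in the plan output above would still report it as open, since its source_address_prefix stays "*" after the apply.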

Application Protection Review

Review

In this module, we onboarded our application into FortiWeb Cloud using the GUI. We also used the Azure Network Security Group rules applied to the Juice Shop VM to lock down access to the origin server such that only traffic from FortiWeb Cloud will be accepted.

Application Protection Quiz

  1. What is the final step for onboarding a Web Application in FortiWeb Cloud?

    Click here for answer

    Change the DNS record. While we did not perform this step for the purposes of this lab, in a production environment the final step in onboarding your application is to change either the CNAME or A record for your application so that all traffic is directed to FortiWeb Cloud.

  2. You must use TLS on port 443 to communicate from FortiWeb Cloud to your origin server. (True or False)

    Click here for answer

    False: While it is highly recommended to use TLS for the connection from FortiWeb Cloud to the origin server, as we saw in the lab, the server protocol and port are configurable.

  3. Why are we no longer able to browse directly to the Juice Shop App?

    Click here for answer

    We modified the Azure Network Security Group applied to the Juice Shop VM, only allowing FortiWeb Cloud source IP addresses.

Ch 3: Simple Attack

According to the Open Worldwide Application Security Project (OWASP):

Info

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

You can find more information at https://owasp.org/www-community/attacks/SQL_Injection


Task 1: Perform a simple SQL injection attack

Goal: Perform SQL injection attack
Task: Perform a simple browser based attack
Verify task completion: You should see that the SQLi attack is accepted by Juice Shop.

  1. Log into Kali Linux: https://{{Kali IP}}:8443

  2. To avoid any DNS problems during this workshop, we’ll create a static hosts file entry on the Kali Box to resolve our FortiWeb Cloud protected application

    • Open the terminal emulator by clicking on the black box at the bottom of the Kali Home screen. At the prompt, type:

      sudo nano /etc/hosts
  3. When the host file opens, add the following 2 lines to the bottom of the file, and save it.

    • Be sure to substitute your FortiWeb Student ID in the fields

    • To save the entries use: ctrl+o then enter (to save to the same filename).

    • To exit Nano: type ctrl+x

      20.88.164.117    <FortiWebStudentID>.fwebtraincse.com
      20.88.164.125    <FortiWebStudentID>.fwebtraincse.com


  4. Navigate to the Firefox browser (located at the top of Kali desktop) and enter our FortiWeb Cloud Protected Juice Shop URL into the navigation bar https://<FortiWebStudentID>.fwebtraincse.com. Accept warnings and proceed to the application


  5. Let’s perform a very simple SQLi attack. To perform a SQLi attack append ?name=' OR 'x'='x to your URL. Be sure that you use YOUR NUMBER.

    • For example (be sure to use your studentId)
      • https://669.fwebtraincse.com/?name=' OR 'x'='x
        Info
        The attack will go through, and you will see the Juice Shop Home page
        

Task 2: Enable FortiWeb Block Mode

Goal: Block SQLi attack
Task: Enable block mode in FortiWeb Cloud
Verify task completion: You should see a block page in your browser

  1. Enable Block Mode on FortiWeb Cloud

    On the Applications page enable block mode by clicking on the Block Mode button


    Warning
    It can take two to three minutes for changes to take effect in FortiWeb Cloud
    
  2. Repeat the same step to perform SQLi attack in the browser.

    • For example (be sure to use your studentId)
      • https://669.fwebtraincse.com/?name=' OR 'x'='x
    Info
    You will see that FortiWeb now blocks the SQLi attack.
    


  3. Now click on the Application Name in FortiWeb Cloud to navigate to our application page.

    • This should take you to the Application Dashboard.
    • You should see a Threat listed in the OWASP Top 10 Threats box called A03:2021-Injection. Click on it.


  4. Navigate through some of the tabs.


  5. On the Threats tab, click on the Threat.

    • In this case Known Attacks.
    • This will take you to a list showing dates when this type of attack was encountered.
    • If you click on the Arrow next to the date, more information about that incident can be seen.
    • Spend some time clicking around on the Clickable links in this output.
      • There is a lot of information available from here, including a link to the OWASP Top 10 site describing this attack as well as HTTP header information and matched patterns.


Task 3: Explore FortiWeb Options

Goal: Explore FortiWeb Cloud Security Features
Task: Navigate through the FortiWeb Cloud GUI menu
Verify task completion: You should have a better idea of what security features are available with FortiWeb Cloud.

FortiWeb Cloud Options

In the previous task, we simply turned on Block Mode in FortiWeb Cloud. This enabled the default, minimum security configuration. Take a moment now to click through some of the menu options on the left to see what Features are enabled by default. We will also look at how to enable new features.

  1. Navigate to Security Rules on the left menu and click on Known Attacks to see what features are turned on. The first category is Signature Based Detection. Click the Search Signature button on the right and search for the injection Keyword.


  2. On the left menu, click through the available menus for Access Rules, Bot Mitigation and DDOS Prevention

  3. Vulnerability Scan is an add-on paid service that can be added to FortiWeb Cloud, which will scan your protected Applications for OWASP Top 10 vulnerabilities.

    Info
    More information can be found in the docs at:
    https://docs.fortinet.com/document/fortiweb-cloud/23.3.0/user-guide/898181/vulnerability-scan
    
  4. Next Click on + Add Modules. This is where we can activate additional security features. These features are all covered under the FortiWeb Cloud WAF-as-a-Service License, which is billed based on the number of websites protected and the average Mbps throughput in aggregate for all protected sites.

    Info
    FortiWeb Cloud Datasheet:
    https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortiweb-cloud.pdf
    

SQLi Review

Review

In this module, we performed a very simple SQL injection attack and highlighted how FortiWeb Cloud protects applications from such attacks.

SQLi Review Quiz

  1. FortiWeb Cloud is in Block Mode by default. (True or False)

    Click here for answer

    False - You can enable block mode during application onboarding, but it is not active by default.

  2. What do you have to configure on FortiWeb Cloud in order to enable protection from basic Known Attacks?

    Click here for answer

    When Block mode is enabled, the minimum security configuration, including Known Attacks is already in place.

  3. Vulnerability scan is available by default. (True or False)

    Click here for answer

    FALSE - Vulnerability scan is an add-on paid service, which must be purchased separately.

Ch 4: Web Attacks!

Now that we have done a simple SQL injection attack, let’s take a deeper dive into one of the tools that an actual hacker (or Red Team) might use to attack an application.


Task 1: Find Vulnerability with Burpsuite

Goal: Find vulnerability with Burpsuite
Task: Activate Burpsuite and use it to scan Juice Shop
Verify task completion: You will see a Server Response, indicating an SQLITE error.

Burp Suite gives us a quick and easy way to query targeted sites.

  1. Open a terminal window from your Kali desktop, and type:

    burpsuite
  2. Burp Suite will pop up. Accept all warnings and EULAs. Leave Temporary Project selected and click Next


  3. Leave “Use Burp defaults” selected and click Start Burp.


  4. Accept the warning that Burp Suite is out of date and then select settings at the top right of the screen.


  5. In the settings menu, select Burp’s browser. Under Browser running check the box for “Allow Burp’s browser without a sandbox”


    Note

    Once the button is clicked, just close the settings menu. There is no need to save.

  6. Click on the Proxy tab at the top of the Burp Suite screen. This will bring you to the Intercept screen. Click on Open Browser.


    • Click Continue, then choose NOT to set a password for Burp Suite’s password encryption.

  7. In the browser URL bar, input https://<FortiWebStudentID>.fwebtraincse.com and press Enter. This will bring you to the Juice Shop home page.

  8. Minimize the browser and go back to the Burpsuite console and click on the HTTP History tab under Proxy.

    • Scroll down the list until you find a URL labeled /rest/products/search?q=.
    • Select this line and right click. Then click on Send to Repeater.
    • This will allow us to manipulate the requests in order to do a little nefarious recon.


  9. At the top of Burp Suite, Click on the Repeater Tab.

    • You will see the request we just sent.
    • Now click on the Send Button. This will populate the Response area.


  10. Now we are going to modify our query a bit. We will intentionally send an incomplete input in order to generate an error.

    • Click on the first line in the Raw request and append '-- to the end of the GET request.
    • The GET should now look like /rest/products/search?q='---. Click Send.
    • We will now see an error in the Response section.
      • This error tells us that the database is SQLITE and uncovers a vulnerability.


    Info

    It’s worth mentioning that the standard signature-based Web Protection Profile did not catch this attempt.

    • If Machine Learning were enabled, this would not have succeeded.
      • Instead, it would have been identified as an anomaly and then passed to the threat engine, where it would have been identified as an SQL Injection attempt.
      • We are not using ML in this lab, as the number of samples required to train the model would be time prohibitive.
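To see why the '-- probe produces an engine-specific error, and what the fix looks like on the application side, here is an added example (not code from the lab, from Juice Shop or from FortiWeb): a miniature product search over SQLite written the unsafe way (string concatenation) next to the safe way (bound parameters), plus a handler that logs the driver error server-side instead of echoing it to the client. The table, rows and function names are constructed for this illustration.

```python
# Added example, not code from the lab or from Juice Shop: a miniature
# product search over SQLite written both the unsafe way (string
# concatenation, the pattern the '-- probe in Task 1 trips over) and the
# safe way (bound parameters), plus a handler that never echoes driver
# errors to the client. Table, rows and function names are constructed.
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory catalogue standing in for the shop's product table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, deleted_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO products (name, deleted_at) VALUES (?, ?)",
        [("Apple Juice", None), ("Orange Juice", None), ("Quince Juice", "2024-01-01")],
    )
    conn.commit()
    return conn


def search_unsafe(conn: sqlite3.Connection, q: str) -> list:
    # Vulnerable: user-controlled q is spliced into the SQL text, so a quote
    # closes the string literal and '--' comments out the rest of the statement.
    sql = (
        "SELECT name FROM products WHERE (name LIKE '%" + q + "%') "
        "AND deleted_at IS NULL ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, q: str) -> list:
    # Hardened: q travels as a bound parameter; quotes and comment sequences
    # are ordinary characters inside the LIKE pattern.
    sql = (
        "SELECT name FROM products WHERE (name LIKE ?) "
        "AND deleted_at IS NULL ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql, ("%" + q + "%",))]


def handle_search(conn: sqlite3.Connection, q: str, unsafe: bool = False) -> dict:
    """Request-handler wrapper returning a status, a body and a log entry.

    The lab's probe works because the raw SQLite message reaches the client
    and names the engine. Here the exception type is kept for the server log
    and the client only ever sees a generic error.
    """
    search = search_unsafe if unsafe else search_safe
    try:
        return {"status": 200, "body": search(conn, q), "log": None}
    except sqlite3.Error as exc:
        # In a real service this entry goes to the application log / SIEM.
        return {"status": 500, "body": "Internal error", "log": type(exc).__name__}


if __name__ == "__main__":
    db = build_db()
    print(handle_search(db, "Apple"))
    print(handle_search(db, "'--", unsafe=True))   # 500; engine name stays server-side
    print(handle_search(db, "'--"))                # 200 with an empty result
```

Run the file and compare the two '-- calls: the concatenated query fails to parse (the statement is cut off after the first quote), while the parameterised query simply finds no product whose name contains the literal characters '--.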

Task 2: Use SQLMAP to find vulnerability

Goal: Use SQLMAP to find a vulnerability
Task: Activate SQLMAP and scan Juice Shop
Verify task completion: After FortiWeb block mode is disabled, SQLMAP should identify that GET parameter ‘q’ is vulnerable

Now that we know what the database type is, we can use sqlmap to see if we can get some “Juicy” information (pun intended). You could just run SQLMAP initially to find the vulnerability, but it would take much longer without an idea of what you were looking for.

  1. Open a new terminal on Kali, and take a look at the SQLmap help page.

    • It’s helpful to use the bash shell here, as we will want to use the up arrow to scroll through historical commands.

    bash
    sqlmap -h

    Warning

    Answer yes to install SQLMap, and accept all defaults to restart services.

  2. Now we will attempt to discover what type of SQL injection vulnerabilities exist.

    • Since we know that the database runs on SQLite, we can shorten the scan time by giving sqlmap that information.
    • Input the command below at the terminal, substituting your URL. Make sure to change <FortiWebStudentID> in the URL below to your student number.
    sqlmap -u "https://<FortiWebStudentID>.fwebtraincse.com/rest/products/search?q=" --dbms=SQLite --technique=B --level 3 --batch
    Info

    This attempt will fail with an HTTP 403 error, due to the default protections offered by FortiWeb.

    In production environments, FortiWeb’s ML protections are recommended as a best practice, since they block reconnaissance with tools like sqlmap.


  3. Disable Block Mode on your application in FortiWeb Cloud


  4. Re-run the sqlmap attempt. You will see that some vulnerabilities were found.


    Warning

    Please re-enable block mode for your application before moving forward.

Task 3: CSRF attack

Goal: Use Burp Suite to perform a CSRF attack
Task: Burp Suite will modify a user password using Cross Site Request Forgery; then block it with FortiWeb Cloud
Verify task completion: The CSRF password change should go through initially, but be blocked after enabling CSRF protection on FortiWeb Cloud

A Cross-Site Request Forgery (CSRF) attack is a type of security exploit where an attacker tricks a user into performing actions on a web application without their consent. This can happen when a malicious website, email, or other online resource causes the user’s web browser to perform an unwanted action on a different site where the user is authenticated.

  1. Let’s generate a CSRF attack with Burpsuite.

  2. Repeat Steps 1-5 from Task 1 to open Burp Suite. If Burp Suite is already running in the background, return to it by clicking its icon in the top left corner of the Kali Linux desktop.

  3. On the proxy tab, Click on Open Browser


  4. Type the FQDN allocated: https://<studentId>.fwebtraincse.com into the browser.


  5. Once the Juiceshop app loads, click on Account > Login.

    Note

    If you don’t see Account in top right bar, you may have to expand the browser window


  6. Create a user login by clicking on Not Yet a customer? at the bottom.


  7. Make sure to use the same email and credentials as below just so we won’t forget.

    • email: test@example.com

    • password: test1234$

    • Repeat Password: test1234$

    • Security Question: Select Your eldest sibling’s middle name from dropdown.

    • Answer: botman

    • Click on register


  8. Login using the credentials above.


  9. Once logged in, click on Account > Privacy and Security > Change Password.

    • Current password: test1234$

    • New Password: password1234$

    • Repeat New Password: password1234$

    • Click Change


  10. Once changed, we see the “Your password was successfully changed” dialog.


  11. Go back to Burp Suite > Proxy > HTTP History and scroll down to the end to see the last HTTP call made, which is /rest/user/change-password. Right-click on the change-password GET call and select Send to Repeater.


  12. Click on the Repeater tab to see the change password request. The Raw request shows the current password and new password we updated.


  13. Execute a Cross Site Request Forgery password change attack!

    • Remove the current password field from the request.
    • Update the request to carry only the new and repeat password fields, using: hello1234$
    • Your request should look like below:
    • Click Send after the request is updated.

  14. The response is a 200 OK, meaning that the call was successful.


  15. Verify by going back to juiceshop, account login. Logout if already logged in.


  16. Account > login

    • email: test@example.com
    • password: hello1234$
    • Click Log In


    As we can see from the successful login with the new credentials, our CSRF attack worked!

  17. Now log in to FortiWeb Cloud.

    • Be sure to click on your allocated application.

  18. Scroll down to Add Modules at the bottom. Add CSRF Protection under the Client Security module and click OK.


  19. In the Application View > Client Security > Click on CSRF Protection.

    • On both the Page List Table AND the URL List Table, add the URL /rest/user/change-password.
    • Update the Action to Alert and Deny and click Save. The module takes ~3 minutes to take effect.


  20. Once done, repeat the attack with a password of your choice, and you should see a block message.


  21. On FortiWeb Cloud, go to Threat Analytics > Attack Logs; there is a CSRF attack log.

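The forged request in this task succeeds because the change-password endpoint accepts a GET without the current password and without any proof that the request came from the shop’s own page. FortiWeb’s CSRF module adds that proof in front of the application; the following added example (not Juice Shop code and not FortiWeb logic) shows the equivalent checks an application should make itself: state changes only via POST, an Origin/Referer check, a per-session synchronizer token, and re-authentication with the current password. SITE_ORIGIN, the Session class and the request dictionaries are constructed for the illustration.

```python
# Added example, not Juice Shop code or FortiWeb logic: the server-side
# checks a change-password endpoint should make so that the forged request
# from Task 3 (GET, no current password, sent from another site) is refused.
# SITE_ORIGIN, the Session class and the request dicts are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://shop.example"  # constructed origin of the protected app


def hash_password(password: str) -> str:
    # Stand-in for a real password hash (use argon2/scrypt in production).
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Session:
    user: str
    password_hash: str
    # Synchronizer token: random per session, embedded only in the legitimate page.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def _same_origin(header_value: str, expected: str) -> bool:
    # Compare scheme://host[:port] only; a Referer also carries a path.
    got, want = urlsplit(header_value), urlsplit(expected)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def change_password(session: Session, request: dict) -> tuple[int, str]:
    """request = {"method": str, "headers": {name: value}, "form": {field: value}}."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    form = request.get("form", {})

    # 1. State changes only via POST: a GET can be triggered by an <img> or a link.
    if request.get("method") != "POST":
        return 405, "state-changing request must be POST"

    # 2. Origin (or Referer) must be our own site; a cross-site form post fails here.
    origin = headers.get("origin") or headers.get("referer")
    if not origin or not _same_origin(origin, SITE_ORIGIN):
        return 403, "cross-site request refused"

    # 3. Anti-CSRF token must match the one bound to this session (constant time).
    presented = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(presented, session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"

    # 4. Re-authenticate: the lab attack works precisely because this field is optional.
    current = form.get("current")
    if current is None or not hmac.compare_digest(
        hash_password(current).encode(), session.password_hash.encode()
    ):
        return 401, "current password required"

    new, repeat = form.get("new"), form.get("repeat")
    if not new or new != repeat:
        return 400, "new passwords missing or do not match"

    session.password_hash = hash_password(new)
    return 200, "password changed"


def legitimate_request(session: Session) -> dict:
    # Constructed: what the shop's own change-password form would submit.
    return {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"csrf_token": session.csrf_token, "current": "test1234$",
                 "new": "hello1234$", "repeat": "hello1234$"},
    }


def forged_request() -> dict:
    # Constructed: the shape of the Task 3 attack, no current password, no
    # token, fired as a GET from a page the victim happened to visit.
    return {
        "method": "GET",
        "headers": {"Referer": "https://evil.example/lure.html"},
        "form": {"new": "hello1234$", "repeat": "hello1234$"},
    }


if __name__ == "__main__":
    s = Session("test@example.com", hash_password("test1234$"))
    print(change_password(s, forged_request()))
    print(change_password(s, legitimate_request(s)))
```

The checks are ordered cheapest first; each one alone would stop the lab’s forged request, and keeping all four means a single misconfiguration (for example a browser that strips Referer) does not reopen the hole.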

Additional Attacks Review

Review

In this module, we used Burpsuite and SQLMap to both discover and exploit vulnerabilities in Juice Shop.

Application Protection Quiz

  1. There is no reason to send an invalid request on purpose. (True or False)

    Answer: False - As we saw in Task 1, we can gain valuable information about the server from the error messages returned.

  2. Why does it matter that an attacker knows the software library associated with a website’s database?

    Answer: With this information, an attacker can greatly narrow their reconnaissance efforts and focus on weaponization much more quickly.

  3. What type of security is FortiWeb Cloud’s Cross Site Request Forgery protection?

    Answer: Client Security - This type of security is designed to prevent compromised clients from accessing sensitive data.

Ch 5: API Protection

API Protection is one of the fastest growing WAF use cases. This section will introduce you to API Gateway as well as API Schema Validation.


Task 1: Call API with Postman

Goal: Call the Juice Shop API with Postman
Task: Configure Postman and GET information about Apple Juice from the product page
Verify task completion: The Postman request should successfully return data for the Apple Juice product
  1. Open Postman by opening a new terminal (not bash) and typing Postman at the prompt. This should start the Postman application.

    Warning

    If Postman doesn’t open, it’s likely due to the terminal still using bash. To exit bash, simply type sh

    • When Postman opens, select Continue without an account.
    • Now select Open Lightweight API Client.

  2. Now, let’s make an HTTP GET API call to search for Apple Juice. Use the following URL, ensuring you replace your studentID.

    https://<studentID>.fwebtraincse.com/rest/products/search?q=Apple

    Warning

    If the first call fails due to a certificate error, scroll down in the response section and select “Disable SSL Verification”.

  3. Now the call should go through and you should see a status 200 and returned data.

Task 2: Setup API Gateway

Goal: Set up API Gateway on FortiWeb Cloud
Task: Enable and configure API Gateway and then test function using Postman
Verify task completion: If successful, API requests will require submission of an API Key in order to access data

Setup API Gateway

  1. From the FortiWeb Cloud Console select your application and in the left pane, select ADD MODULES. Scroll down and turn on API Gateway under API Protection.


  2. Now API PROTECTION should show up on the left side of the screen. Under API PROTECTION, select API Gateway

  3. Click to Create an API User. Add a Name and Email address, then click OK.


  4. Next click Create API Gateway Rule.

    • Name: choose a name such as rest
    • For both “Frontend” and “Backend”, enter /rest/ then click Add URL Prefix
    • Turn on API Key Verification
    • Choose HTTP Header for API Key In
    • For Header Field Name enter apikey
    • For Allow Users, select the user you created in step 3
    • Leave the Rate limits at default
    • Select OK

  5. You will need to click Save at the bottom right. Now you should have an API key. Click on the eye icon to display the key. Copy it and paste it into a notepad.


  6. Ensure that the action is set to Alert & Deny and then click Save


Test API gateway

  1. Back on Kali Desktop, In Postman, click Send again to re-test your api call. It should return status 403 and return a long error page ending with “Please contact the administrator…”


  2. Now, let’s add a key

    • select Headers under the URL bar.
    • enter apikey for Key
    • enter the previously copied key for Value
    • click the empty box next to apikey to send this header
    • click Send

    You should see code 200 and returned data.

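To make concrete what the gateway rule you just configured does on every request, here is an added example, not FortiWeb’s implementation: a toy gateway that applies a /rest/ frontend-to-backend prefix, requires the key in an apikey header (header names compared case-insensitively), checks it against the allowed API users in constant time, and enforces a per-user sliding-window rate limit before forwarding. The class, its key format and the limits are constructed; real FortiWeb rate limits and key handling are not shown on the page beyond the settings named above.

```python
# Added example, not FortiWeb's implementation: a toy API gateway that does
# what Task 2 configures, a /rest/ frontend prefix forwarded to a backend
# prefix, API keys carried in an "apikey" request header, a per-key allow
# list and a per-user rate limit. Names, keys and limits are constructed.
import hmac
import secrets
from collections import defaultdict, deque


class ApiGateway:
    def __init__(self, frontend="/rest/", backend="/rest/", header="apikey",
                 limit=5, window_seconds=60):
        self.frontend, self.backend = frontend, backend
        self.header = header.lower()          # HTTP header names are case-insensitive
        self.users = {}                       # key -> API user (the "Allow Users" list)
        self.limit, self.window = limit, window_seconds
        self.hits = defaultdict(deque)        # user -> request timestamps in the window

    def create_api_user(self, name: str) -> str:
        """Mirror of 'Create an API User': mint a random key and bind it to a name."""
        key = secrets.token_hex(32)
        self.users[key] = name
        return key

    def _lookup(self, presented: str):
        # Walk every key with a constant-time compare so a wrong key costs the
        # same regardless of how many leading characters happen to match.
        match = None
        for key, user in self.users.items():
            if hmac.compare_digest(key.encode(), presented.encode()):
                match = user
        return match

    def _within_rate(self, user: str, now: float) -> bool:
        # Sliding window: drop timestamps older than the window, then count.
        q = self.hits[user]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def handle(self, path: str, headers: dict, now: float) -> tuple[int, str]:
        """Decide a request's fate; returns (status, message)."""
        if not path.startswith(self.frontend):
            return 200, "not an API path; passed to the web application unchanged"
        lowered = {k.lower(): v for k, v in headers.items()}
        presented = lowered.get(self.header, "")
        if not presented:
            return 403, "API key required"      # what Postman saw before the header was added
        user = self._lookup(presented)
        if user is None:
            return 403, "unknown API key"
        if not self._within_rate(user, now):
            return 429, "rate limit exceeded for " + user
        backend_path = self.backend + path[len(self.frontend):]
        return 200, f"forwarded {backend_path} as {user}"


if __name__ == "__main__":
    gw = ApiGateway()
    key = gw.create_api_user("lab-user")
    print(gw.handle("/rest/products/search?q=Apple", {}, now=0.0))
    print(gw.handle("/rest/products/search?q=Apple", {"Apikey": key}, now=1.0))
```

The `now` parameter is passed in rather than read from the clock so the rate limiter can be exercised deterministically; in a real gateway it would be the request arrival time.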

Task 3: Schema Protection

Goal: Enable and test API Schema Protection
Task: Enable OpenAPI validation in FortiWeb Cloud and then use Postman to submit a modified request
Verify task completion: If successful, the modified request should be blocked by FortiWeb

Open API Validation/Schema protection

In this task, we will explore the open API/Swagger based schema protection with FortiWeb Cloud. Swagger, now known as the OpenAPI Specification (OAS), is a framework for API development that allows developers to design, build, document, and consume RESTful web services.

Example of Swagger: https://petstore.swagger.io/

FortiWeb can validate incoming requests against your OpenAPI schema to ensure they conform to the defined structure and data types. This helps prevent injection attacks and other malicious activities.

  1. Download the juiceshop schema file to your local machine by clicking on URL below.

    https://juiceshopswagger.blob.core.windows.net/juiceshopswagger/swagger.yaml?sp=r&st=2024-08-06T16:05:20Z&se=2024-11-09T01:05:20Z&spr=https&sv=2022-11-02&sr=b&sig=F8TWuKSH430782%2FgJBWLhCQuEDK2101CChRkXx4XdU0%3D

  2. From the FortiWeb Cloud Console left pane, select ADD MODULES. Scroll down to API Protection and turn on OPEN API VALIDATION.


  3. In the API protection module, click on Open API validation > Create OpenAPI Validation Rule.


  4. Click on “choose file” to upload the file downloaded in Step 1, Click OK.

    Warning

    On some systems (macOS), the file may download with a .yml extension, giving you an error upon attempting to upload. In this case, simply rename the file with .yaml extension before uploading to FortiWeb OpenAPI Validation rule


  5. Don’t forget to Save at the bottom.


    Warning

    If for some reason you are logged out when you click save here, you will need to log back in using this link https://customersso1.fortinet.com/saml-idp/proxy/demo_sallam_okta/login and the credentials received in the original email. You will need to repeat steps 1 through 5.

  6. Back on the Kali desktop, in Postman:

    • We will send a POST request to the URL we have documented in the schema.
    • Create a new request with the + button in the top bar.
    • Change “GET” to “POST”; for URL use: https://<FortiWebStudentID>.fwebtraincse.com/b2b/v2/orders
      • Be sure to replace your Student ID in the URL!
    • To enter the request body, click on Body > Raw > JSON and paste the following:

      {
        "cid": "testing",
        "orderLines": [
          {
            "productId": "testing",
            "quantity": 500,
            "customerReference": 1
          }
        ],
        "orderLinesData": "[{\"productId\": 12,\"quantity\": 10000,\"customerReference\": [\"PO0000001.2\", \"SM20180105|042\"],\"couponCode\": \"pes[Bh.u*t\"},{\"productId\": 13,\"quantity\": 2000,\"customerReference\": \"PO0000003.4\"}]"
      }

    • Note: in this body the type of productId is changed from integer to string. The Juice Shop schema we uploaded to FortiWeb Cloud defines this value as an integer.
    • Click on “SEND”.

  7. We will see “403 internal server error” with a FortiWeb Cloud block message in HTML.


  8. In FortiWeb Cloud, on the left hand side of the screen go to Threat Analytics > Attack Log; we can see a log generated for this blocked request, showing that the reason for the block is Open API schema Violation.

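The block you just observed comes from comparing the request body with the uploaded OpenAPI document field by field. As an added example (not FortiWeb’s validator and not the real Juice Shop swagger file), the following code implements the subset of OpenAPI/JSON Schema needed to check this request: object types with required properties, integer/string/array types and nested array items. The schema fragment for /b2b/v2/orders is constructed around the one fact the lab gives, that productId is declared as an integer; the rest of its properties are assumptions for the illustration.

```python
# Added example, not FortiWeb's validator and not the real Juice Shop
# swagger: a small validator for the subset of OpenAPI/JSON Schema needed to
# check the Task 3 request body (object, required properties, integer /
# string / array types, nested items). The schema below is constructed
# around the one fact the lab gives, that productId is declared integer.
import json

# Constructed schema fragment for POST /b2b/v2/orders (assumed, not the real file).
ORDER_SCHEMA = {
    "type": "object",
    "required": ["cid", "orderLines"],
    "properties": {
        "cid": {"type": "string"},
        "orderLines": {
            "type": "array",
            "items": {
                "type": "object",
                "required": ["productId", "quantity"],
                "properties": {
                    "productId": {"type": "integer"},
                    "quantity": {"type": "integer"},
                },
            },
        },
        "orderLinesData": {"type": "string"},
    },
}


def _is_type(value, expected: str) -> bool:
    # bool is a subclass of int in Python; JSON Schema treats it as a separate type.
    if expected == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    if expected == "number":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    python_types = {"string": str, "boolean": bool, "array": list,
                    "object": dict, "null": type(None)}
    return isinstance(value, python_types[expected])


def validate(value, schema: dict, path: str = "$") -> list:
    """Return a list of violations ('path: reason'); empty means the body conforms."""
    errors = []
    expected = schema.get("type")
    if expected and not _is_type(value, expected):
        errors.append(f"{path}: expected {expected}, got {type(value).__name__}")
        return errors                    # no point descending into a mistyped node
    if expected == "object":
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required property missing")
        for name, sub in schema.get("properties", {}).items():
            if name in value:
                errors.extend(validate(value[name], sub, f"{path}.{name}"))
    elif expected == "array" and "items" in schema:
        for i, item in enumerate(value):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


def check_request(raw_body: str, schema: dict = ORDER_SCHEMA) -> tuple[int, list]:
    """WAF-style decision: 403 with the violations, or 200 when the body conforms."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return 403, [f"$: body is not valid JSON ({exc.msg})"]
    errors = validate(body, schema)
    return (403, errors) if errors else (200, [])


# The body from Task 3 in abbreviated form: productId sent as a string where
# the schema says integer (constructed reproduction of the lab input).
LAB_BODY = json.dumps({
    "cid": "testing",
    "orderLines": [{"productId": "testing", "quantity": 500, "customerReference": 1}],
    "orderLinesData": "[{\"productId\": 12,\"quantity\": 10000}]",
})

if __name__ == "__main__":
    print(check_request(LAB_BODY))                                   # 403, one violation
    print(check_request(LAB_BODY.replace('"productId": "testing"', '"productId": 12')))  # 200
```

Properties the schema does not mention (here customerReference) pass through untouched, which matches how a schema-driven WAF behaves: it can only enforce what the uploaded document actually declares, so an incomplete swagger file silently weakens the protection.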

API Protection Review

Review

In this module, we used Postman to test FortiWeb Cloud’s API Gateway and schema validation features.

API Protection Quiz

  1. What features besides user management and API key validation does FortiWeb Cloud’s API Gateway provide?

    Answer: Request rate limiting and API call rewriting.

  2. What is the human-readable data serialization language which is used to create schema validation files for FortiWeb Cloud?
  3. What is the name of the feature that must be enabled in FortiWeb Cloud to enable schema validation?

    Answer: OpenAPI Validation

Ch 6: In Closing



Task 1: Delete Your App

  1. You are almost done! Please take a moment to delete only Your Application using the trashcan Icon on the right side of the application listing.


  2. Please use the below link to log out of FortiCloud

    https://customersso1.fortinet.com/saml-idp/proxy/demo_sallam_okta/saml 

    Be sure to click the small blue Logout button at the bottom of the text.

Congratulations

Congratulations, you have successfully completed this lab! Your environment will automatically delete itself at the end of the allowed lab time.