FortiWeb API-based Interaction
Introduction
FortiWeb Cloud provides a RESTful API that lets you read and change the configuration of the applications it protects programmatically. By leveraging the API, you can integrate FortiWeb Cloud into your own tooling, automate tasks, and manage resources more efficiently.
The URLs used to access the FortiWeb Cloud API have the following format:
https://api.fortiweb-cloud.com/v2/application/{ep_id}/{module_name}/
Variable | Description
---|---
{ep_id} | The numeric ID of the application. For example, if the dashboard URL is https://www.fortiweb-cloud.com/root/1111122222/dashboard, then 1111122222 is the ep_id.
{module_name} | Name of the FortiWeb Cloud module, for example "known_attacks".
Basic
GET PUT POST DELETE
Programs communicate with the API over HTTPS, the same protocol your web browser uses to interact securely with web pages. The API is resource-oriented: each configuration object is addressed by a URL, and the HTTP method selects the operation:
- Add data by POSTing to a URL
- Fetch data by GETing a URL
- Update data by PUTing to a URL
- Delete data by DELETEing a URL
After the FortiWeb Cloud API receives a request, it returns an HTTP response code:
- 200 - Successful
- 400 - Failure
Treat anything other than 200 as a failure and read the response body before retrying; a 400 usually means the request itself is wrong, so resending it unchanged will not help.
For full details, refer to the API reference here.
1. Postman Environment Setup
What is Postman?
Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
You can get more detailed information here: https://www.postman.com/.
Before proceeding with the lab, you will need to install Postman on your own laptop.
The installer can be downloaded from the Postman website linked above.
A free Postman account is required to use it, so sign up before continuing.
1.1 Import API template
Once Postman is installed, launched, and signed in, import the OpenAPI specification for FortiWeb Cloud.
The specification can be downloaded here.
Import the FortiWeb Cloud OpenAPI specification
Once imported successfully you will see the specification under "Collections".
Postman can also import a specification from a URL. We will import the Swagger Petstore specification this way, since the attack section later in this lab targets a Petstore instance:
- URL:
https://petstore.swagger.io/v2/swagger.json
1.2 Postman Environment
1.2.1 FortiWeb Cloud API Key
First generate an API Key in FortiWeb Cloud. On FortiWeb Cloud go to: Global > System Settings > Settings
Under API Key, click Create
The screenshot is for illustration only; you will get a different API Key Secret when you create yours.
Copy and save the API Key Secret, as we need it to access the FortiWeb Cloud management API. Treat it like a password: it grants management access to your applications, so keep it in a password manager or secret store rather than in a shared document or a committed file.
1.2.2 Postman Environment Variables
The FortiWeb Cloud RESTful API requires API key authorization. Every HTTP request to the FortiWeb Cloud API needs the following header:
authorization:
Basic <api-key-secret>
Note that the value after "Basic" is the API Key Secret exactly as issued; it is not the base64-encoded username:password pair of standard HTTP Basic authentication.
We will now set up Postman to include this authorization header on every request sent to the FortiWeb Cloud API.
Create a new "Environment" on Postman we call it FortiWeb Cloud
Once the environment is created, we will create our first variable!
Use the following configuration:
- Variable: apiKey (do not change this variable name; it is referenced throughout the FortiWeb Cloud API specification)
- Type: secret (masks the value in the Postman UI)
- Initial value: Basic <your-api-key-secret>
- Current value: Basic <your-api-key-secret>
Note: Make sure "Basic" is included before the API Key Secret.
Note: Postman syncs the Initial value to your workspace and includes it in exports, while the Current value stays local to your machine. For a production key, leave the Initial value empty and set only the Current value.
Remember to save it!
Let's verify that we have done it correctly. Select the "Get API Key List" request.
If you hover your mouse over the variable {{variable_name}}, Postman shows the value configured for it.
Another way to verify this is to click the "Code Snippet" button and check the generated authorization header.
Now fire the "Get API Key List" request: click Send and inspect the response.
If you see 200 OK we are good to go! A 401 or 403 here means the header is missing, the "Basic " prefix was left out, or the secret was copied incorrectly.
1.3 Export Postman Code Snippet
Postman's Code Snippet pane is very useful: it renders the current request in the programming language or tool of your choice.
You can switch the language from the drop-down and copy the result.
This eases integration for customers who wish to build their own portal to manage FortiWeb Cloud, since every request in the collection can be exported as working client code.
2. Retrieving Service Information
Now let's try out a few more queries since we have set up the environment properly.
2.1 Contracts
By default, the contract query returns only contracts that still have unused capacity. In this workshop we have no remaining contracts, so the default query returns nothing useful.
- Uncheck the "type" tick box under Params
If you leave it checked you will get the following response:
Once the "type" parameter is unchecked, we get all the contracts.
Explore the response output.
2.2 Applications
Let's get the list of applications we have onboarded
2.3 Signature Based on CVE number
Try to retrieve the signatures that are related to CVE-2022-1361
3. Onboarding Application
If you have already onboarded the Petstore on FortiWeb Cloud, you will not be able to onboard it again.
If you have not, you are welcome to try onboarding it via an API call.
Here is an example of how to onboard an application via the API:
We need to provide the details of the application we want to onboard in the request body.
Example:
{
    "app_name": "Petstore4",
    "domain_name": "petstore4.fortiworkshop.nl",
    "extra_domains": [],
    "custom_port": {
        "http": 80,
        "https": 443
    },
    "cdn_status": 0,
    "region": "europe-west3",
    "platform": "GCP",
    "block_mode": 0,
    "service": [
        "http",
        "https"
    ],
    "server_address": "107.20.181.241",
    "server_type": "http",
    "port": 8104
}
Once you fire the API call, it takes a while for FortiWeb Cloud to create the application; when it succeeds you will get the response.
The response includes the CNAME record that must be set in DNS for the domain so that its traffic is routed through FortiWeb Cloud.
4. Modifying Application
To modify application-specific configuration we need the application's ep_id. There are multiple ways to obtain it:
- Via the Dashboard of FortiWeb Cloud (it is the number in the dashboard URL, as shown in the introduction)
- Via the API call "GET List Applications"
After you have obtained your ep_id, create an environment variable for it.
Remember to save it!
4.1 Turning ON/OFF Block Mode
Now we will turn Block Mode ON or OFF for our application. Block Mode determines whether FortiWeb Cloud blocks requests that match a violation or only logs them.
First make sure the ep_id variable is set up properly.
Then set whether Block Mode should be ON or OFF by adjusting the Body of this PUT request.
Response from the PUT we send to FortiWeb Cloud
You can also verify the change by logging in to the FortiWeb Cloud Dashboard.
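As an added example covering both the onboarding body in section 3 and the Block Mode PUT in section 4.1 (this is not code from the page or from Fortinet), here is a local pre-flight check that validates an onboarding payload before it is sent, plus the body builder for the Block Mode request. It assumes the field names of the onboarding example above, that the origin server_type is "http" or "https", and that the Block Mode PUT takes the same block_mode field (0 = off, 1 = on); the last two are assumptions to confirm against the imported OpenAPI specification. The sample payload is the page's own example and a deliberately broken copy of it, constructed here:

```python
import ipaddress
import re

# DNS label rule: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Fields present in the page's onboarding example (extra_domains and cdn_status are optional here).
REQUIRED = ("app_name", "domain_name", "custom_port", "region", "platform",
            "block_mode", "service", "server_address", "server_type", "port")


def is_hostname(name):
    """Dotted hostname check; a single bare label is rejected on purpose."""
    if not isinstance(name, str) or not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def is_port(value):
    # bool is a subclass of int, so exclude True/False explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 65535


def validate_onboard_payload(p):
    """Return a list of problems with an onboarding body; an empty list means
    the body passes every local check and is worth sending."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in p]
    if problems:
        return problems
    if not is_hostname(p["domain_name"]):
        problems.append("domain_name is not a valid hostname")
    for extra in p.get("extra_domains", []):
        if not is_hostname(extra):
            problems.append(f"extra_domains entry is not a valid hostname: {extra}")
    services = p["service"]
    if not services or any(s not in ("http", "https") for s in services):
        problems.append("service must be a non-empty subset of ['http', 'https']")
    for s in services:
        # Every enabled service needs a usable listening port in custom_port.
        if not is_port(p["custom_port"].get(s)):
            problems.append(f"custom_port.{s} must be 1-65535 for enabled service {s}")
    try:
        ipaddress.ip_address(p["server_address"])
    except ValueError:
        if not is_hostname(p["server_address"]):
            problems.append("server_address must be an IP address or hostname")
    if p["server_type"] not in ("http", "https"):  # assumed allowed values
        problems.append("server_type must be 'http' or 'https'")
    if not is_port(p["port"]):
        problems.append("port (origin port) must be 1-65535")
    for flag in ("block_mode", "cdn_status"):
        if p.get(flag, 0) not in (0, 1):
            problems.append(f"{flag} must be 0 or 1")
    return problems


def block_mode_body(enable):
    """Body for the Block Mode PUT. Assumption: the same block_mode field as
    the onboarding body, 1 = ON (block), 0 = OFF (log only)."""
    return {"block_mode": 1 if enable else 0}


# Constructed sample: the page's onboarding example.
PETSTORE4 = {
    "app_name": "Petstore4",
    "domain_name": "petstore4.fortiworkshop.nl",
    "extra_domains": [],
    "custom_port": {"http": 80, "https": 443},
    "cdn_status": 0,
    "region": "europe-west3",
    "platform": "GCP",
    "block_mode": 0,
    "service": ["http", "https"],
    "server_address": "107.20.181.241",
    "server_type": "http",
    "port": 8104,
}

if __name__ == "__main__":
    print(validate_onboard_payload(PETSTORE4))
    broken = dict(PETSTORE4, port=81040, domain_name="-bad.example")
    print(validate_onboard_payload(broken))
    print(block_mode_body(True), block_mode_body(False))
```

Run the validator on the body before the POST; a typo in a port or domain is reported locally rather than as a bare 400 after the round trip, and the block_mode helper keeps the ON/OFF encoding in one place.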
5. Attacking via Postman
Postman can be used to demonstrate web attacks; compared with the cURL approach it is simpler and less error-prone.
Before we can launch any attack from Postman against Petstore, we need to adjust the {{baseUrl}} variable of the Swagger Petstore collection.
Set the current value to the following:
Current Value: https://petstore#.fortiworkshop.nl
Replace # with your respective assigned number.
Remember to save it!
5.1 Command Injection
We are ready to launch some attacks. First, include the string cmd.exe in the URL of the request.
Launch the attack! (Click on Send)
You should get a 403 response. The 403 comes from FortiWeb Cloud, which blocked the request before it reached Petstore; if you get a 200 instead, the request reached the origin unfiltered, so check the baseUrl and Block Mode settings.
Check the FortiWeb Cloud attack log
5.2 XSS
Launch a Cross-Site Scripting attack by embedding a script payload in the body of the request.
Launch the attack! (Click on Send)
You should get a 403 response.
Check the FortiWeb Cloud attack log
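As an added example (not code from the page or from Fortinet), here is a small harness that turns the two manual probes above, plus a benign baseline request, into a repeatable check. The baseline matters: a 403 only proves something if a harmless request to the same endpoint is allowed through, otherwise the WAF (or a misconfigured baseUrl) may be blocking everything. The Petstore paths /pet/findByStatus and POST /pet are assumed from the public Swagger Petstore API, and the sender is injected so the run works offline against the constructed fake_waf_send:

```python
import json
from urllib.parse import quote

BLOCKED = 403


def waf_probes(base_url):
    """Baseline plus the two lab attacks; paths assumed from Swagger Petstore."""
    base = base_url.rstrip("/")
    return [
        {"name": "baseline (benign)", "method": "GET",
         "url": f"{base}/pet/findByStatus?status=available",
         "body": None, "expect_block": False},
        {"name": "command injection in URL", "method": "GET",
         "url": f"{base}/pet/findByStatus?status={quote('cmd.exe')}",
         "body": None, "expect_block": True},
        {"name": "XSS in request body", "method": "POST",
         "url": f"{base}/pet",
         "body": {"name": "<script>alert(1)</script>", "photoUrls": []},
         "expect_block": True},
    ]


def verdict(status, expect_block):
    """Classify one response relative to what the probe expects."""
    blocked = status == BLOCKED
    if blocked and expect_block:
        return "ok: blocked"
    if not blocked and not expect_block:
        return f"ok: allowed (HTTP {status})"
    if blocked:
        return "FAIL: benign request blocked (false positive or wrong baseUrl)"
    return f"FAIL: attack not blocked (HTTP {status})"


def run_probes(base_url, send):
    """send(method, url, body) -> HTTP status code. Returns name -> verdict."""
    results = {}
    for p in waf_probes(base_url):
        results[p["name"]] = verdict(send(p["method"], p["url"], p["body"]), p["expect_block"])
    return results


def fake_waf_send(method, url, body):
    """Constructed offline stand-in for a WAF: 403 when a known payload is present."""
    text = url + (json.dumps(body) if body is not None else "")
    return BLOCKED if ("cmd.exe" in text or "<script>" in text) else 200


if __name__ == "__main__":
    for name, result in run_probes("https://petstore1.fortiworkshop.nl", fake_waf_send).items():
        print(f"{name:28} {result}")
```

To run it against the lab, replace fake_waf_send with a function that issues the request (for example with urllib) and returns the status code; every probe that reports FAIL is one to look up in the FortiWeb Cloud attack log.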
This workshop is now complete.