FortiWeb as a Service Machine Learning - API Protection

Introduction

Machine learning that automatically discovers your application's APIs, models them and tunes the protection applied to them.

Especially useful for a business that doesn't have a web application security specialist or is unaware of Shadow APIs.

NOTE: For ML-API discovery, the HTTP header Content-Type: application/json is required. Without this header, ML-API will not discover the API endpoints.

1. Onboarding your API application.

  • After you log in you will see the Applications view

  • Click the Add Application Button.

  • Name your Web Application: petstore# - # being your given number
  • Domain Name: petstore#.fortiworkshop.nl where # is your assigned number!

Add your network settings:

  • Enable HTTP
  • Enable HTTPS

Select Customise:

  • FQDN= originpetstore.fortiworkshop.nl
  • Port= 810# - where # is your given number, e.g. 8101 for User1, 8111 for User11
  • Server Protocol= HTTP

  • We won't be enabling CDN for this lab, just select NEXT

  • Enable Blocking Mode
  • Select Save

  • Email the DNS-sage administrator (dns-sage@fortiworkshop.nl), including all the technical details involved, and ask politely to make the CNAME record change for you.
    This part of the exercise is to make you familiar with the steps of DNS-based validation and the CNAME change.
    (The Sage DNS administrator appreciates a nice thank you, or a Gin & Tonic ;-)

  • Select close, your application is now in the "Update Pending" state.

  • Please be patient and wait for the email response informing you about the CNAME change status.
  • Refresh the screen until your DNS status changes to "OK".

2. Setup

  • Click on your petstore# in this example petstore1, this will open your Application Dashboard.

Note: During the onboarding exercise we set the Site in Blocking Mode.

  • Disable Bot Mitigation and DDoS Prevention. This is done for the workshop because we will be using crafted curl scripts and commands to both build and test the API endpoints, and these modules would otherwise block that traffic.
  • Check Machine Learning API Protection is enabled
  • Navigate to the ADD MODULES menu

  • Check that Security Rules > Known Attacks is enabled
  • Navigate to the ADD MODULES menu

  • Sensitivity level for signatures

  • Known Attacks now include Sensitivity Levels. You can now choose from four categories of attack signatures (L1 to L4) based on their sensitivity to false positives and their requirement for a higher security level. Every level adds additional signatures thus increasing security but also the possibility of blocking legitimate traffic.

  • For this lab we will leave the sensitivity at Level 1; increasing the sensitivity level increases the number of signatures that each request is tested against.

Additional information about Sensitivity Level

  • Choose from four categories of attack signatures (L1 to L4) based on their sensitivity to false positives and their requirement for a higher security level.

  • Increasing the level adds additional signatures but also adds the chance of blocking legitimate traffic. We recommend using the different levels according to the following rules:

    • Level 1: Baseline security with the least false positives. Use it if you are running an HTTP server on the internet.

    • Level 2: This level is adequate when real user data like user name and password is involved. Perhaps an off-the-shelf online shop.

    • Level 3: The online banking level security with lots of false positives, so it’s important to learn how to write rule exclusions.

    • Level 4: Rules that are so strong that they’re adequate to protect the top confidential data. Be sure you have enough time to process the false positives. Please expect that with this amount of false positives, the user experience might be greatly compromised.

Note: This setting also applies to the Server Information Disclosure and Personally Identifiable Information options in Information Leakage.

  • Enable Application Delivery -> Rewriting Request.

2. ML - API Protection

  • Navigate to API PROTECTION
  • Select MAP ML Based API Protection

  • ML API Protection is now ready to learn and discover the API.

  • You will currently have no API discovered.

  • Change the Model Settings to Alert & Deny, the Default is Alert.

  • Now we will build the ML-API model by sending traffic, so that the APIs are discovered.

3. ML-API Building

  • Log into your web server with SSH from your laptop on port 2222.
  • Replace # with your assigned attendee number.
    The password is fortinet

ssh -p 2222 user#@stepstone.fortiworkshop.nl

  • Run the following commands to start the API traffic generator tool.

petstore-get

petstore-post

Note: It can take up to 10 minutes to learn the new API Models, so please be patient.

API View

  • API Collection
    • To view the newly discovered APIs, click the API View

  • You can display the full ML-API schema details by double-clicking on the GET Button for the GET Method entity "/api/pet/findByStatus"

  • The URL query parameter "status" is Required. This is mandatory for schema validation.

  • To download all or an individual API click the Download Button

  • Click which API you want to download

  • Choose whether you want to download it as a JSON or a YAML file.

3.1 Schema-Based Protection

  • ML-API protection now supports schema protection on newly discovered API endpoints. To enable Schema protection, click the edit button.

  • By default schema protection is in Standby. Select Alert & Deny.

  • While the collecting status is shown, FWB-Cloud ML-API is still in collecting mode.

  • When the Shield icon is shown, ML-API is in running mode.

  • Selecting Alert & Deny enables schema enforcement based on the newly discovered endpoint.

  • Repeat, adding schema protection for the GET "/api/pet/findByStatus" endpoint.

  • Without enabling Schema Protection, you will need to export the schema and create an OpenAPI Validation Rule; see 3.2 below for how to do this.

3.2 OpenAPI Validation Module

Note: Not required for this workshop.

  • Add OpenAPI Validation Module
  • Export the discovered API Endpoints in YAML format.
  • Import the YAML file to the OpenAPI Validation to protect the application with schema validation.

4. Launch API Attacks

Launch attacks against the ML-API model. This can be done either from your pc or from Stepstone.

Note: It may take a minute for Attacks to be displayed within the Attack Log. The Attack Log is now visible from Threat Analytics.

4.1 Query Parameter Violation

  • The "status" query parameter is missing from the request and the request is blocked by FortiWeb-Cloud. The expected result is a Request query validation failed status.

curl -v -X 'GET' 'https://petstore#.fortiworkshop.nl/api/pet/findByStatus?' -H 'Accept: application/json' -H 'Content-Type: application/json'

4.2 URL Query Parameter Long

  • The "status" URL query parameter is too long. The expected result is a JSON parameter length violation.

curl -v -X 'GET' 'https://petstore#.fortiworkshop.nl/api/pet/findByStatus?status=ABCDEFGHIJKL' -H 'Accept: application/json' -H 'Content-Type: application/json'

4.3 URL Query Parameter Short

  • The "status" URL query parameter is too short. The expected result is a parameter violation.

curl -v -X 'GET' 'https://petstore#.fortiworkshop.nl/api/pet/findByStatus?status=A' -H 'Accept: application/json' -H 'Content-Type: application/json'
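The checks in 4.1 to 4.3 are what the schema protection from 3.1 enforces: the learned model for GET /api/pet/findByStatus marks "status" as required and records its observed length. The following added example (not code from the lab or from FortiWeb) shows the same validation applied to a constructed OpenAPI-style export of that endpoint; the minLength/maxLength values are assumed for illustration, not taken from the lab.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed example of an exported schema for the discovered endpoint
# (OpenAPI 3 layout). The length bounds are assumed values chosen so that
# "available", "pending" and "sold" pass; they are not the lab's own model.
EXPORTED_SCHEMA = json.loads("""
{
  "paths": {
    "/api/pet/findByStatus": {
      "get": {
        "parameters": [
          {"name": "status", "in": "query", "required": true,
           "schema": {"type": "string", "minLength": 4, "maxLength": 9}}
        ]
      }
    }
  }
}
""")


def validate_query(schema, method, url):
    """Return the list of violations found in the query string of `url`
    against the query parameters declared for `method` on the matching path.
    An empty list means the request conforms to the learned schema."""
    parts = urlsplit(url)
    op = schema["paths"].get(parts.path, {}).get(method.lower())
    if op is None:
        return ["unknown endpoint"]  # no learned model for this path/method
    declared = [p for p in op.get("parameters", []) if p.get("in") == "query"]
    query = parse_qs(parts.query, keep_blank_values=True)
    violations = []
    for p in declared:
        name, spec = p["name"], p.get("schema", {})
        if name not in query:
            if p.get("required"):
                violations.append(f"required query parameter '{name}' is missing")
            continue
        for value in query[name]:
            if "minLength" in spec and len(value) < spec["minLength"]:
                violations.append(f"'{name}' too short ({len(value)} < {spec['minLength']})")
            if "maxLength" in spec and len(value) > spec["maxLength"]:
                violations.append(f"'{name}' too long ({len(value)} > {spec['maxLength']})")
    # Parameters the model never observed are flagged as well.
    for name in query:
        if name not in {p["name"] for p in declared}:
            violations.append(f"unexpected query parameter '{name}'")
    return violations
```

Feeding the three lab requests (no status, status=ABCDEFGHIJKL, status=A) through validate_query reproduces the missing, too-long and too-short outcomes, while status=available passes.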

4.4 Cross Site Script in URL

  • The "status" URL query parameter carries a Cross Site Scripting payload. The expected result is a known signature violation.

curl -v -X 'GET' 'https://petstore#.fortiworkshop.nl/api/pet/findByStatus?status=<script>alert(123)</script>' -H 'Accept: application/json' -H 'Content-Type: application/json'

4.5 Cross Site Script in Body

  • The "status" field in the JSON body carries an XSS payload. The expected result is that the attack is blocked by Machine Learning.

curl -v -X 'POST' 'https://petstore#.fortiworkshop.nl/api/pet' -H 'accept: application/json' -H 'Content-Type: application/json' -d '{"id": 111, "category": {"id": 111, "name": "Camel"}, "name": "FortiCamel", "photoUrls": ["WillUpdateLater"], "tags": [ {"id": 111, "name": "FortiCamel"}], "status": "<script>alert(123)</script>"}'

4.6 Zero Day Attacks

  • We will now use some sample Zero Day Attacks.

  • Cross Site Script in the Body

curl -v -X 'POST' 'https://petstore#.fortiworkshop.nl/api/pet' -H 'accept: application/json' -H 'Content-Type: application/json' -d '{"id": 111, "category": {"id": 111, "name": "Camel"}, "name": "javascript:qxss(X160135492Y1_1Z);", "photoUrls": ["WillUpdateLater"], "tags": [ {"id": 111, "name": "FortiCamel"}], "status": "available"}'

  • In the attack log you can see the full details of the attack, including where the attack pattern was matched.

  • SQL Injection in the Body

curl -v -X 'POST' 'https://petstore#.fortiworkshop.nl/api/pet' -H 'accept: application/json' -H 'Content-Type: application/json' -d '{"id": 111, "category": {"id": 111, "name": "Camel"}, "name": "concat(70-3).concat(22*4).concat(122).concat(71).concat(107).concat(77)", "photoUrls": ["WillUpdateLater"], "tags": [ {"id": 111, "name": "FortiCamel"}], "status": "available"}'

  • Remote Exploits in the Body.

curl -v -X 'POST' 'https://petstore#.fortiworkshop.nl/api/pet' -H 'accept: application/json' -H 'Content-Type: application/json' -d '{"id": 111, "category": {"id": 111, "name": "Camel"}, "name": "%X%X%X%X%X%", "photoUrls": ["WillUpdateLater"], "tags": [ {"id": 111, "name": "FortiCamel"}], "status": "available"}'

This workshop is now complete.