From d1be9ac4df4ca680f25c2a29a7b5306fc7eb9c0c Mon Sep 17 00:00:00 2001 From: michaelwang Date: Sat, 9 Oct 2021 10:09:50 +0000 Subject: [PATCH 01/38] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20Lab-1-OWASP=20Top=20?= =?UTF-8?q?10=E9=98=B2=E6=8A=A4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Lab-1-OWASP Top 10\351\230\262\346\212\244/.keep" | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/.keep" diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/.keep" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/.keep" new file mode 100644 index 0000000..e69de29 -- Gitee From f463559f245caee69175c1511bf92381dc824e3a Mon Sep 17 00:00:00 2001 From: michaelwang Date: Sat, 9 Oct 2021 10:10:17 +0000 Subject: [PATCH 02/38] =?UTF-8?q?add=2011=20NGINX=20Web=E4=B8=8EAPI?= =?UTF-8?q?=E5=AE=89=E5=85=A8/Lab-1-OWASP=20Top=2010=E9=98=B2=E6=8A=A4/REA?= =?UTF-8?q?DME.md.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Lab-1-OWASP Top 10\351\230\262\346\212\244/README.md" | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/README.md" diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/README.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/README.md" new file mode 100644 index 0000000..e69de29 -- Gitee From a79390330301423895d2226b81b355d748b42d31 Mon Sep 17 00:00:00 2001 
From: michaelwang Date: Sat, 9 Oct 2021 16:19:57 +0000 Subject: [PATCH 03/38] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20Lab-0-=E7=8E=AF?= =?UTF-8?q?=E5=A2=83=E6=90=AD=E5=BB=BA?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/.keep" | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/.keep" diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/.keep" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/.keep" new file mode 100644 index 0000000..e69de29 -- Gitee From 4753d15ceba50f0633ca25c73fb4c431ac7af745 Mon Sep 17 00:00:00 2001 From: michaelwang Date: Sat, 9 Oct 2021 16:22:00 +0000 Subject: [PATCH 04/38] =?UTF-8?q?Arcadia=E7=8E=AF=E5=A2=83=E6=90=AD?= =?UTF-8?q?=E5=BB=BA?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../1-README_Arcadia_Deployment.md" | 184 ++++++++++++++++++ 1 file changed, 184 insertions(+) create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/1-README_Arcadia_Deployment.md" diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/1-README_Arcadia_Deployment.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/1-README_Arcadia_Deployment.md" new file mode 100644 index 0000000..2248fcb --- /dev/null +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/1-README_Arcadia_Deployment.md" 
@@ -0,0 +1,184 @@ +# OWASP Top 10防护 + + +# 部署Arcadia API Server + +## Arcadia环境说明 +本章节Arcadia API Server环境采用kubernetes部署。如已有API Server环境也可以选择自己的环境。 + +1. 拓扑架构 + +2. Kubernetes环境 + +3. Lab环境所需yaml配置文件: +``` +app-protect-log-config.yaml +app-protect-policy.yaml +arcadia-virtualserver.yaml +arcadia-services-nodeport.yaml +arcadia-deployments.yaml +arcadia-services-cluster-ip.yaml +waf-policy-dataguard.yaml +``` + + +## Kubenetes部署Arcadia应用 + +1. SSH命令行登陆Kubernetes + +2. 创建Lab文件夹并将所需文件导入该文件夹 +```bash +mkdir -p /home/ubuntu/lab-files/arcadia-manifests/ +``` +3. 部署Arcadia deployment +``` +kubectl apply -f /home/ubuntu/lab-files/arcadia-manifests/arcadia-deployments.yaml +``` + +可以看到部署成功,如下: +``` +deployment.apps/backend created +deployment.apps/main created +deployment.apps/app2 created +deployment.apps/app3 created +``` +--- +注: +``` +此时,Arcadia应用已经正在运行,但是还没有通过Kubernetes服务暴露。 +``` + + + +## 通过Kubenetes Nodeport暴露Arcadia应用 + +4. 通过Nodeport服务暴露应用 +``` +kubectl apply -f /home/ubuntu/lab-files/arcadia-manifests/arcadia-services-nodeport.yaml +``` +注:arcadia-services-nodeport.yaml配置如下: +```yaml +################################################################################################## +# FILES - BACKEND +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: backend + namespace: default + labels: + app: backend + service: backend +spec: + type: NodePort + ports: + - port: 80 + nodePort: 30584 + protocol: TCP + targetPort: 80 + name: backend-80 + selector: + app: backend +--- +################################################################################################## +# MAIN +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: main + namespace: default + labels: + app: main + service: main +spec: + type: NodePort + ports: + - name: main-80 + nodePort: 30585 + port: 80 + 
protocol: TCP + targetPort: 80 + selector: + app: main +--- +################################################################################################## +# APP2 +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: app2 + namespace: default + labels: + app: app2 + service: app2 +spec: + type: NodePort + ports: + - port: 80 + name: app2-80 + nodePort: 30586 + protocol: TCP + selector: + app: app2 +--- +################################################################################################## +# APP3 +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: app3 + namespace: default + labels: + app: app3 + service: app3 +spec: + type: NodePort + ports: + - port: 80 + name: app3-80 + nodePort: 30587 + selector: + app: app3 +``` +完成后,可以看到创建了4个服务,如下: +``` +service/backend created +service/main created +service/app2 created +service/app3 created +``` + +--- +注: +``` +此时Arcadia应用已经通过NodePort方式将BACKEND,MAIN,APP1,APP2和APP3这4个API服务暴露完成。 + +但是还未对这些API服务进行NAP防护。 +``` + +--- + +## 验证Arcadia应用运行状态 + +5. 浏览器访问http://centos.arcadia-finance.io/ + +可以正常打开,如图: + +![arcadia-centos](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/arcadia-centos.png) + +6. 点击登陆Login,输入用户名和密码 + +用户名:matt + +密码:ilovef5 + +可以看到对应的4个服务(main, back, app2和app3),如图: + +![arcadia-login](https://gitee.com/michaelwang19/reference/blob/master/Pictures/NGINX%20Training/arcadia-login.png) + +--- +到达此关卡,说明Arcadia应用已经部署完成,并通过NGINX Plus代理发布成功。🍺🍺 +--- -- Gitee From 94bb2d018ab3cac2efb868c4da4c8953544078ec Mon Sep 17 00:00:00 2001 
From: michaelwang Date: Sat, 9 Oct 2021 16:23:45 +0000 Subject: [PATCH 05/38] =?UTF-8?q?update=2011=20NGINX=20Web=E4=B8=8EAPI?= =?UTF-8?q?=E5=AE=89=E5=85=A8/Lab-0-=E7=8E=AF=E5=A2=83=E6=90=AD=E5=BB=BA/1?= =?UTF-8?q?-README=5FArcadia=5FDeployment.md.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../1-README_Arcadia_Deployment.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/1-README_Arcadia_Deployment.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/1-README_Arcadia_Deployment.md" index 2248fcb..bb182b8 100644 --- "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/1-README_Arcadia_Deployment.md" +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/1-README_Arcadia_Deployment.md" @@ -177,7 +177,7 @@ service/app3 created 可以看到对应的4个服务(main, back, app2和app3),如图: -![arcadia-login](https://gitee.com/michaelwang19/reference/blob/master/Pictures/NGINX%20Training/arcadia-login.png) +![arcadia-login](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/arcadia-login.png) --- 到达此关卡,说明Arcadia应用已经部署完成,并通过NGINX Plus代理发布成功。🍺🍺 -- Gitee From 125da10826b34c8bebe1e923c85f768ce854c851 Mon Sep 17 00:00:00 2001 From: michaelwang Date: Sat, 9 Oct 2021 16:24:12 +0000 Subject: [PATCH 06/38] =?UTF-8?q?update=2011=20NGINX=20Web=E4=B8=8EAPI?= =?UTF-8?q?=E5=AE=89=E5=85=A8/Lab-0-=E7=8E=AF=E5=A2=83=E6=90=AD=E5=BB=BA/1?= =?UTF-8?q?-README=5FArcadia=5FDeployment.md.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../1-README_Arcadia_Deployment.md" | 2 -- 1 file changed, 2 deletions(-) 
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/1-README_Arcadia_Deployment.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/1-README_Arcadia_Deployment.md" index bb182b8..8cb91a9 100644 --- "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/1-README_Arcadia_Deployment.md" +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/1-README_Arcadia_Deployment.md" @@ -1,5 +1,3 @@ -# OWASP Top 10防护 - # 部署Arcadia API Server -- Gitee From 2fc6c8282d15600504444f81cb614aee89ab3e28 Mon Sep 17 00:00:00 2001 
From: michaelwang Date: Sat, 9 Oct 2021 16:27:17 +0000 Subject: [PATCH 07/38] lab files --- .../app-protect-log-config.yaml" | 13 ++ .../app-protect-policy.yaml" | 25 ++++ .../arcadia-deployments.yaml" | 137 ++++++++++++++++++ .../arcadia-services-cluster-ip.yaml" | 79 ++++++++++ .../arcadia-services-nodeport.yaml" | 84 +++++++++++ .../arcadia-virtualserver.yaml" | 34 +++++ .../waf-policy-dataguard.yaml" | 12 ++ 7 files changed, 384 insertions(+) create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/app-protect-log-config.yaml" create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/app-protect-policy.yaml" create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-deployments.yaml" create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-services-cluster-ip.yaml" create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-services-nodeport.yaml" create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-virtualserver.yaml" create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/waf-policy-dataguard.yaml" diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/app-protect-log-config.yaml" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/app-protect-log-config.yaml" new file mode 100644 index 0000000..0ffa031 
--- /dev/null +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/app-protect-log-config.yaml" @@ -0,0 +1,13 @@ +--- +### App Protect Logs ### +apiVersion: appprotect.f5.com/v1beta1 +kind: APLogConf +metadata: + name: logconf +spec: + filter: + request_type: all + content: + format: default + max_request_size: any + max_message_size: 5k \ No newline at end of file diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/app-protect-policy.yaml" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/app-protect-policy.yaml" new file mode 100644 index 0000000..c43c11f --- /dev/null +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/app-protect-policy.yaml" @@ -0,0 +1,25 @@ +#### app-protect-policy.yaml ### +--- +apiVersion: appprotect.f5.com/v1beta1 +kind: APPolicy +metadata: + name: dataguard-blocking +spec: + policy: + name: dataguard_blocking + template: + name: POLICY_TEMPLATE_NGINX_BASE + applicationLanguage: utf-8 + enforcementMode: blocking + blocking-settings: + violations: + - name: VIOL_DATA_GUARD + alarm: true + block: true + data-guard: + enabled: true + maskData: true + creditCardNumbers: true + usSocialSecurityNumbers: true + enforcementMode: ignore-urls-in-list + enforcementUrls: [] \ No newline at end of file diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-deployments.yaml" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-deployments.yaml" new file mode 100644 index 0000000..38fe2ef --- /dev/null +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-deployments.yaml" 
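Review bot: `request_type: all` combined with `max_request_size: any` makes this APLogConf ship the full content of every request, not just findings, to the syslog destination in clear text, which presumably includes the Arcadia login form submission the lab walks through (username and password in the POST body). If the lab only needs to observe what NAP flags, `request_type: illegal` is the narrower setting; if logging everything is the point, say so next to the filter with `# all + any: every request is logged in full (form bodies included); narrow to illegal outside the lab`. Either way the choice deserves one line of explanation, because a reader will otherwise assume this is the recommended production setting.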
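Review bot: The `data-guard` block ends with `enforcementMode: ignore-urls-in-list` and an empty `enforcementUrls`, which together mean "mask on every URL", but nothing in the file states that; a comment such as `# empty ignore list: Data Guard applies to all URLs` above `enforcementUrls: []` would make the intent explicit. The VIOL_DATA_GUARD entry sets both `block: true` and the policy sets `maskData: true`; which behaviour a student should expect to see when a credit-card or SSN pattern appears in a response (a blocked page versus a masked value) is not obvious from the manifest and should be spelled out in a comment so the lab outcome is verifiable. Minor: `metadata.name` uses a hyphen (`dataguard-blocking`) while `spec.policy.name` uses an underscore (`dataguard_blocking`); both are valid, but the waf-policy file references the hyphenated one, so keeping a single spelling avoids confusion.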
@@ -0,0 +1,137 @@ +################################################################################################## +# FILES - BACKEND +################################################################################################## +apiVersion: apps/v1 +kind: Deployment +metadata: + name: backend + namespace: default + labels: + app: backend + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: backend + version: v1 + template: + metadata: + labels: + app: backend + version: v1 + spec: + containers: + - env: + - name: service_name + value: backend + image: registry.gitlab.com/arcadia-application/back-end/backend:latest + imagePullPolicy: IfNotPresent + name: backend + ports: + - containerPort: 80 + protocol: TCP +--- +################################################################################################## +# MAIN +################################################################################################## +apiVersion: apps/v1 +kind: Deployment +metadata: + name: main + namespace: default + labels: + app: main + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: main + version: v1 + template: + metadata: + labels: + app: main + version: v1 + spec: + containers: + - env: + - name: service_name + value: main + image: registry.gitlab.com/arcadia-application/main-app/mainapp:latest + imagePullPolicy: IfNotPresent + name: main + ports: + - containerPort: 80 + protocol: TCP +--- +################################################################################################## +# APP2 +################################################################################################## +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app2 + namespace: default + labels: + app: app2 + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: app2 + version: v1 + template: + metadata: + labels: + app: app2 + version: v1 + spec: + containers: + - env: + - name: service_name + value: app2 + image: 
registry.gitlab.com/arcadia-application/app2/app2:latest + imagePullPolicy: IfNotPresent + name: app2 + ports: + - containerPort: 80 + protocol: TCP +--- +################################################################################################## +# APP3 +################################################################################################## +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app3 + namespace: default + labels: + app: app3 + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: app3 + version: v1 + template: + metadata: + labels: + app: app3 + version: v1 + spec: + containers: + - env: + - name: service_name + value: app3 + image: registry.gitlab.com/arcadia-application/app3/app3:latest + imagePullPolicy: IfNotPresent + name: app3 + ports: + - containerPort: 80 + protocol: TCP + resources: {} +--- \ No newline at end of file diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-services-cluster-ip.yaml" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-services-cluster-ip.yaml" new file mode 100644 index 0000000..2c5ad01 --- /dev/null +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-services-cluster-ip.yaml" 
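Review bot: All four Deployments pull a `:latest` image from registry.gitlab.com with `imagePullPolicy: IfNotPresent`, so the Arcadia build that actually runs depends on whatever is cached on the node, and two lab nodes can end up running different versions of the target application; pin a fixed tag or digest, e.g. `image: registry.gitlab.com/arcadia-application/back-end/backend:<pinned-tag-or-digest>` (placeholder), for all four containers. Only the app3 container carries `resources: {}` while backend, main and app2 omit the key entirely — either set real requests/limits on all four or drop the empty map so the four blocks read the same. No pod sets a `securityContext`; whether the images require root is not visible here, but a comment stating the assumption would help whoever hardens this later.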
@@ -0,0 +1,79 @@ +################################################################################################## +# FILES - BACKEND +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: backend + namespace: default + labels: + app: backend + service: backend +spec: + type: ClusterIP + ports: + - port: 80 + protocol: TCP + targetPort: 80 + name: backend-80 + selector: + app: backend +--- +################################################################################################## +# MAIN +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: main + namespace: default + labels: + app: main + service: main +spec: + type: ClusterIP + ports: + - name: main-80 + port: 80 + protocol: TCP + targetPort: 80 + selector: + app: main +--- +################################################################################################## +# APP2 +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: app2 + namespace: default + labels: + app: app2 + service: app2 +spec: + type: ClusterIP + ports: + - port: 80 + name: app2-80 + selector: + app: app2 +--- +################################################################################################## +# APP3 +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: app3 + namespace: default + labels: + app: app3 + service: app3 +spec: + type: ClusterIP + ports: + - port: 80 + name: app3-80 + selector: + app: app3 \ No newline at end of file 
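Review bot: These four Services reuse the exact names backend/main/app2/app3 in namespace `default` that arcadia-services-nodeport.yaml in the next hunk also declares, so applying one file after the other changes the existing Service's `type` in place rather than creating a second object, and the README's `kubectl apply` of the NodePort file will silently undo this one (or vice versa). Presumably the ClusterIP variant is meant for the Ingress Controller path via the VirtualServer and the NodePort variant for the VM-hosted NGINX Plus proxy; a header comment saying exactly that, e.g. `# Alternative to arcadia-services-nodeport.yaml (same Service names): ClusterIP for use behind the VirtualServer`, would prevent the surprise. Also app2 and app3 omit `protocol: TCP` and `targetPort: 80` that backend and main spell out; the defaults are identical, but the four blocks should be written the same way.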
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-services-nodeport.yaml" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-services-nodeport.yaml" new file mode 100644 index 0000000..c279f00 --- /dev/null +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-services-nodeport.yaml" 
@@ -0,0 +1,84 @@ +################################################################################################## +# FILES - BACKEND +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: backend + namespace: default + labels: + app: backend + service: backend +spec: + type: NodePort + ports: + - port: 80 + nodePort: 30584 + protocol: TCP + targetPort: 80 + name: backend-80 + selector: + app: backend +--- +################################################################################################## +# MAIN +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: main + namespace: default + labels: + app: main + service: main +spec: + type: NodePort + ports: + - name: main-80 + nodePort: 30585 + port: 80 + protocol: TCP + targetPort: 80 + selector: + app: main +--- +################################################################################################## +# APP2 +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: app2 + namespace: default + labels: + app: app2 + service: app2 +spec: + type: NodePort + ports: + - port: 80 + name: app2-80 + nodePort: 30586 + protocol: TCP + selector: + app: app2 +--- +################################################################################################## +# APP3 +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: app3 + namespace: default + labels: + app: app3 + service: app3 +spec: + type: NodePort + ports: + - port: 80 + name: app3-80 + nodePort: 30587 + selector: + app: app3 \ No newline at end of file 
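Review bot: NodePorts 30584–30587 expose each Arcadia service directly on every node address, while the NAP inspection in this lab runs in the NGINX Plus proxy that forwards to `k8s.arcadia-finance.io:3058x` (nginx.conf in patch 13), so any client that can reach a node IP talks to the application without passing the WAF. A comment at the top of the file noting that the node ports are expected to be reachable only from the reverse-proxy host (enforced by a NetworkPolicy or host firewall, whichever the lab uses) would capture that assumption. Minor consistency point: the app3 port entry omits `protocol: TCP` that the other three include.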
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-virtualserver.yaml" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-virtualserver.yaml" new file mode 100644 index 0000000..85bfd77 --- /dev/null +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-virtualserver.yaml" @@ -0,0 +1,34 @@ +apiVersion: k8s.nginx.org/v1 +kind: VirtualServer +metadata: + name: vs-arcadia +spec: + host: k8s.arcadia-finance.io + policies: + - name: waf-policy + upstreams: + - name: main + service: main + port: 80 + - name: backend + service: backend + port: 80 + - name: app2 + service: app2 + port: 80 + - name: app3 + service: app3 + port: 80 + routes: + - path: / + action: + pass: main + - path: /files + action: + pass: backend + - path: /api + action: + pass: app2 + - path: /app3 + action: + pass: app3 \ No newline at end of file diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/waf-policy-dataguard.yaml" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/waf-policy-dataguard.yaml" new file mode 100644 index 0000000..6af1286 --- /dev/null +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/waf-policy-dataguard.yaml" @@ -0,0 +1,12 @@ +apiVersion: k8s.nginx.org/v1 +kind: Policy +metadata: + name: waf-policy +spec: + waf: + enable: true + apPolicy: "default/dataguard-blocking" + securityLog: + enable: true + apLogConf: "default/logconf" + logDest: "syslog:server=10.1.20.11:5144" \ No newline at end of file -- Gitee From 65418f1b73b7d831bd9a7b328dd4cf1550725ae9 Mon Sep 17 00:00:00 2001 
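Review bot: The VirtualServer has no `metadata.namespace`, while every Service and the `default/...` references in waf-policy-dataguard.yaml pin `default` explicitly; `policies: - name: waf-policy` is resolved in the VirtualServer's own namespace, so if this object is ever applied with a different `-n` the WAF policy reference would not resolve and the host would be served without the policy. Adding `namespace: default` under `metadata` keeps it consistent with the rest of the lab files. There is also no `tls` section, so `k8s.arcadia-finance.io` is served over plain HTTP — acceptable for a lab if a comment says it is intentional.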
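Review bot: `logDest: "syslog:server=10.1.20.11:5144"` sends the NAP security log to a different collector than the `syslog:server=10.1.1.11:5144` used by nginx.conf in patch 13 (and inlined in the README in patch 11); if both paths are meant to feed one collector, one of the addresses is stale, and if they are deliberately separate the file should say so, e.g. `# syslog collector reachable from the Ingress Controller pods (the VM lab uses 10.1.1.11)`. The `apPolicy: "default/dataguard-blocking"` and `apLogConf: "default/logconf"` references do match the `metadata.name` values in app-protect-policy.yaml and app-protect-log-config.yaml, so the wiring itself looks right.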
From: michaelwang Date: Sat, 9 Oct 2021 16:27:27 +0000 Subject: [PATCH 08/38] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=2011?= =?UTF-8?q?=20NGINX=20Web=E4=B8=8EAPI=E5=AE=89=E5=85=A8/Lab-0-=E7=8E=AF?= =?UTF-8?q?=E5=A2=83=E6=90=AD=E5=BB=BA/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/.keep" | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/.keep" diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/.keep" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/.keep" deleted file mode 100644 index e69de29..0000000 -- Gitee From 807fd00c9812f7463f86dd187c87e59f3466505e Mon Sep 17 00:00:00 2001 From: michaelwang Date: Sat, 9 Oct 2021 16:28:03 +0000 Subject: [PATCH 09/38] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=2011?= =?UTF-8?q?=20NGINX=20Web=E4=B8=8EAPI=E5=AE=89=E5=85=A8/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- "11 NGINX Web\344\270\216API\345\256\211\345\205\250/.keep" | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/.keep" diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/.keep" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/.keep" deleted file mode 100644 index e69de29..0000000 -- Gitee From af42a200ed833f2a8d06e7bc43efce2ea513798e Mon Sep 17 00:00:00 2001 
From: michaelwang Date: Sat, 9 Oct 2021 16:30:13 +0000 Subject: [PATCH 10/38] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=2011?= =?UTF-8?q?=20NGINX=20Web=E4=B8=8EAPI=E5=AE=89=E5=85=A8/Lab-1-OWASP=20Top?= =?UTF-8?q?=2010=E9=98=B2=E6=8A=A4/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Lab-1-OWASP Top 10\351\230\262\346\212\244/.keep" | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/.keep" diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/.keep" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/.keep" deleted file mode 100644 index e69de29..0000000 -- Gitee From 86db2937f71a64d7201743e1abae777b896c930d Mon Sep 17 00:00:00 2001 From: michaelwang Date: Sat, 9 Oct 2021 16:30:50 +0000 Subject: [PATCH 11/38] NAP-Deployment --- .../2-README_NAP_Deployment.md" | 185 ++++++++++++++++++ 1 file changed, 185 insertions(+) create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_NAP_Deployment.md" diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_NAP_Deployment.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_NAP_Deployment.md" new file mode 100644 index 0000000..22e8973 --- /dev/null +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_NAP_Deployment.md" 
@@ -0,0 +1,185 @@ +# 概述 + +NGINX App Protect(简称NAP)可以对web应用提供WAF防护功能,包括:OWASP Top 10,响应包检查,元字符检查,HTTP协议合规性检查,防逃逸技术,文件类型过滤,JSON、XML和gRPC检查,敏感参数防泄露等。 + +## 前提条件 +1. NGINX Plus Release 22 及更高版本支持 NGINX App Protect。 + +2. NGINX App Protect 支持以下操作系统: +- CentOS/RHEL 7.4.x及更高 +- Debian 9 - (从NGINX Plus R24开始弃用) +- Debian 10 +- Ubuntu 18.04 +- Ubuntu 20.04 +- Alpine 3.10 + +3. NGINX App Protect支持的部署环境如下: +- Linux主机 +- Docker +- Kubernetes Ingress Controller +- Cloud + +4. 申请好NGINX Plus测试许可。在自己试用账号门户站点里,下载好以下2个文件: +``` +nginx-repo.key +nginx-repo.crt +``` + +# Lab环境介绍 + +本章节演示和实验采用在CentOS虚机中部署NGINX App Protect环境,学员可根据自己实际情况准备实验环境。本环境中包含以下组件: + +## NGINX Plus反向代理服务器 +后面简称反代, + +## Web API Servers +使用Arcadia应用服务,通过GitLab下载安装:https://gitlab.com/arcadia-application + +## 测试客户端 +请预装以下软件,并且为了方便测试,建议在客户端hosts配置测试所用域名。 +- 浏览器 +- Postman +- Jmeter + +# CentOS 7.4+环境的NAP安装步骤 + +1. 如果前面章节的实验已有相关NGINX包,可以备份相关配置和日志 +```bash +sudo cp -a /etc/nginx /etc/nginx-plus-backup +sudo cp -a /var/log/nginx /var/log/nginx-plus-backup +``` +2. 创建/etc/ssl/nginx/目录和/etc/nginx/目录 +```bash +sudo mkdir -p /etc/ssl/nginx +sudo mkdir -p /etc/nginx +``` +3. 将以上《前提条件》中申请的测试许可从门户站点中下载好,并复制到/etc/ssl/nginx/目录下。 + +4. 安装必备软件包 +```bash +sudo yum install ca-certificates epel-release wget +``` +5. 添加NGINX Plus库 +```bash +sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.repo +``` +6.安装最新版本的NGINX App Protect软件包(包括NGINX Plus) +```bash +sudo yum install app-protect +``` +注:也可以通过以下命令列出可用版本: +```bash +sudo yum --showduplicates list app-protect +``` +从而选择指定版本进行安装,例如: +```bash +sudo yum install app-protect-20+2.52.1 +``` +7. 检查 NGINX 二进制版本以确保正确安装了 NGINX Plus +```bash +sudo nginx -v +``` +8. 
配置nginx,以下二选一。 +- 可以将Gitee中<11 NGINX Web与API安全>目录下的nginx.conf文件拷贝至/etc/nginx/目录 +- 或者直接vi将如下配置文件内容粘贴至/etc/nginx/nginx.conf中: +```nginx +user nginx; +worker_processes auto; + +error_log /var/log/nginx/error.log notice; + +# load the app protect module +load_module modules/ngx_http_app_protect_module.so; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + sendfile on; + keepalive_timeout 65; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + # note that in the dockerfile, the logs are redirected to stdout and can be viewed with `docker logs` + access_log /var/log/nginx/access.log main; + + server { + listen 80; + server_name localhost; + proxy_http_version 1.1; + proxy_cache_bypass $http_upgrade; + + proxy_set_header Host $host; + + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_ignore_client_abort on; + + app_protect_enable on; + app_protect_security_log_enable on; + # send the logs to the logstash instance on our ELK stack. 
+ app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.1.1.11:5144; + + # main service + location / { + resolver 10.1.1.8:5353; + resolver_timeout 5s; + client_max_body_size 0; + default_type text/html; + proxy_pass http://k8s.arcadia-finance.io:30585$request_uri; + } + + # backend service + location /files { + resolver 10.1.1.8:5353; + resolver_timeout 5s; + client_max_body_size 0; + default_type text/html; + proxy_pass http://k8s.arcadia-finance.io:30584$request_uri; + } + + # app2 service + location /api { + resolver 10.1.1.8:5353; + resolver_timeout 5s; + client_max_body_size 0; + default_type text/html; + proxy_pass http://k8s.arcadia-finance.io:30586$request_uri; + } + + # app2 service + location /app3 { + resolver 10.1.1.8:5353; + resolver_timeout 5s; + client_max_body_size 0; + default_type text/html; + proxy_pass http://k8s.arcadia-finance.io:30587$request_uri; + } + } +} +``` +9. 关闭SELinux,允许全局访问 +```bash +sudo setenforce 0 +``` +10. 启用并启动NGINX服务 +```bash +sudo systemctl enable --now nginx.service +``` +11. 检查运行是否正常 +```bash +systemctl status nginx +``` +可以看到nginx的服务已经是active的状态。 + +--- +至此,就完成了NAP的安装和初始化相关工作。🍺 +--- -- Gitee From 20eca05336b0c24e5b4e9a5f832e5a2e46e0176a Mon Sep 17 00:00:00 2001 From: michaelwang Date: Sat, 9 Oct 2021 16:30:57 +0000 Subject: [PATCH 12/38] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=2011?= =?UTF-8?q?=20NGINX=20Web=E4=B8=8EAPI=E5=AE=89=E5=85=A8/Lab-1-OWASP=20Top?= =?UTF-8?q?=2010=E9=98=B2=E6=8A=A4/README.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Lab-1-OWASP Top 10\351\230\262\346\212\244/README.md" | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/README.md" 
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/README.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/README.md" deleted file mode 100644 index e69de29..0000000 -- Gitee From eb7a88b2a7addf1de9a36fb1d0892b66dd4a958f Mon Sep 17 00:00:00 2001 From: michaelwang Date: Sat, 9 Oct 2021 16:33:05 +0000 Subject: [PATCH 13/38] nginx config file --- .../nginx.conf" | 82 +++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/nginx.conf" diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/nginx.conf" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/nginx.conf" new file mode 100644 index 0000000..6f04469 --- /dev/null +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/nginx.conf" 
@@ -0,0 +1,82 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+
+# load the app protect module
+load_module modules/ngx_http_app_protect_module.so;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # note that in the dockerfile, the logs are redirected to stdout and can be viewed with `docker logs`
+ access_log /var/log/nginx/access.log main;
+
+ server {
+ listen 80;
+ server_name localhost;
+ proxy_http_version 1.1;
+ proxy_cache_bypass $http_upgrade;
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_ignore_client_abort on;
+
+ app_protect_enable on;
+ app_protect_security_log_enable on;
+ # send the logs to the logstash instance on our ELK stack. 
+ app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.1.1.11:5144;
+
+ # main service
+ location / {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30585$request_uri;
+ }
+
+ # backend service
+ location /files {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30584$request_uri;
+ }
+
+ # app2 service
+ location /api {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30586$request_uri;
+ }
+
+ # app2 service
+ location /app3 {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30587$request_uri;
+ }
+ }
+}
\ No newline at end of file
-- Gitee From 2bf9ab30ed0490681b5a6cd60fdc951654a4e37a Mon Sep 17 00:00:00 2001 From: michaelwang Date: Sun, 10 Oct 2021 05:28:13 +0000 Subject: [PATCH 14/38] =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8D=2011=20NGINX?= =?UTF-8?q?=20Web=E4=B8=8EAPI=E5=AE=89=E5=85=A8/Lab-0-=E7=8E=AF=E5=A2=83?= =?UTF-8?q?=E6=90=AD=E5=BB=BA/1-README=5FArcadia=5FDeployment.md=20?= =?UTF-8?q?=E4=B8=BA=2011=20NGINX=20Web=E4=B8=8EAPI=E5=AE=89=E5=85=A8/Lab-?= =?UTF-8?q?0-=E7=8E=AF=E5=A2=83=E6=90=AD=E5=BB=BA/0-README=5FArcadia=5FDep?= =?UTF-8?q?loyment.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../0-README_Arcadia_Deployment.md" | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/1-README_Arcadia_Deployment.md" => "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/0-README_Arcadia_Deployment.md" (100%) 
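Review bot: `proxy_set_header Connection "upgrade";` is sent on every proxied request because it is set unconditionally next to `proxy_set_header Upgrade $http_upgrade;`, so ordinary requests reach the Arcadia upstreams carrying a `Connection: upgrade` header they never asked for; the usual fix is a `map` on `$http_upgrade` that yields `close` when no upgrade is requested, shown below. `client_max_body_size 0;` in all four locations switches off NGINX's request-body limit entirely, so a bound such as `client_max_body_size 10m;` (sized to what Arcadia's uploads actually need) should be set instead. No `app_protect_policy_file` directive is present, so `app_protect_enable on;` applies the built-in default policy — consistent with `policy_name="app_protect_default_policy"` in the log samples elsewhere in this series — and a comment such as `# no app_protect_policy_file: NAP default policy is enforced` next to it would make that explicit. The security log forwards the full request, Cookie headers included, to `10.1.1.11:5144` over plain syslog, so that collector and the ELK stack behind it hold session material and need the same access controls as the application itself. Separately, the `/app3` location is labelled `# app2 service`, copy-pasted from the block above.
```nginx
# … unchanged: http-level settings, log_format, access_log …
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
# … unchanged: server { listen, server_name, proxy_http_version, Host / X-Forwarded-* headers …
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# … unchanged: proxy_ignore_client_abort, app_protect_* directives, location blocks }
```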
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/1-README_Arcadia_Deployment.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/0-README_Arcadia_Deployment.md" similarity index 100% rename from "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/1-README_Arcadia_Deployment.md" rename to "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/0-README_Arcadia_Deployment.md" -- Gitee From 7779e000bb50e647dee8f0e1f6f249764b677fbb Mon Sep 17 00:00:00 2001 From: michaelwang Date: Sun, 10 Oct 2021 08:24:27 +0000 Subject: [PATCH 15/38] OWASP Top 10 config files --- .../1-README_NAP_Deployment.md" | 185 ++++++ .../2-README_OWASP Top 10.md" | 534 ++++++++++++++++++ .../nginx_owasp_top10.conf" | 83 +++ .../policy_owasp_top10.json" | 86 +++ 4 files changed, 888 insertions(+) create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/1-README_NAP_Deployment.md" create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/nginx_owasp_top10.conf" create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/policy_owasp_top10.json" diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/1-README_NAP_Deployment.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/1-README_NAP_Deployment.md" new file mode 100644 index 0000000..22e8973 
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/1-README_NAP_Deployment.md" 
@@ -0,0 +1,185 @@
+# 概述
+
+NGINX App Protect(简称NAP)可以对web应用提供WAF防护功能,包括:OWASP Top 10,响应包检查,元字符检查,HTTP协议合规性检查,防逃逸技术,文件类型过滤,JSON、XML和gRPC检查,敏感参数防泄露等。
+
+## 前提条件
+1. NGINX Plus Release 22 及更高版本支持 NGINX App Protect。
+
+2. NGINX App Protect 支持以下操作系统:
+- CentOS/RHEL 7.4.x及更高
+- Debian 9 - (从NGINX Plus R24开始弃用)
+- Debian 10
+- Ubuntu 18.04
+- Ubuntu 20.04
+- Alpine 3.10
+
+3. NGINX App Protect支持的部署环境如下:
+- Linux主机
+- Docker
+- Kubernetes Ingress Controller
+- Cloud
+
+4. 申请好NGINX Plus测试许可。在自己试用账号门户站点里,下载好以下2个文件:
+```
+nginx-repo.key
+nginx-repo.crt
+```
+
+# Lab环境介绍
+
+本章节演示和实验采用在CentOS虚机中部署NGINX App Protect环境,学员可根据自己实际情况准备实验环境。本环境中包含以下组件:
+
+## NGINX Plus反向代理服务器
+后面简称反代,
+
+## Web API Servers
+使用Arcadia应用服务,通过GitLab下载安装:https://gitlab.com/arcadia-application
+
+## 测试客户端
+请预装以下软件,并且为了方便测试,建议在客户端hosts配置测试所用域名。
+- 浏览器
+- Postman
+- Jmeter
+
+# CentOS 7.4+环境的NAP安装步骤
+
+1. 如果前面章节的实验已有相关NGINX包,可以备份相关配置和日志
+```bash
+sudo cp -a /etc/nginx /etc/nginx-plus-backup
+sudo cp -a /var/log/nginx /var/log/nginx-plus-backup
+```
+2. 创建/etc/ssl/nginx/目录和/etc/nginx/目录
+```bash
+sudo mkdir -p /etc/ssl/nginx
+sudo mkdir -p /etc/nginx
+```
+3. 将以上《前提条件》中申请的测试许可从门户站点中下载好,并复制到/etc/ssl/nginx/目录下。
+
+4. 安装必备软件包
+```bash
+sudo yum install ca-certificates epel-release wget
+```
+5. 添加NGINX Plus库
+```bash
+sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.repo
+```
+6.安装最新版本的NGINX App Protect软件包(包括NGINX Plus)
+```bash
+sudo yum install app-protect
+```
+注:也可以通过以下命令列出可用版本:
+```bash
+sudo yum --showduplicates list app-protect
+```
+从而选择指定版本进行安装,例如:
+```bash
+sudo yum install app-protect-20+2.52.1
+```
+7. 检查 NGINX 二进制版本以确保正确安装了 NGINX Plus
+```bash
+sudo nginx -v
+```
+8. 
配置nginx,以下二选一。
+- 可以将Gitee中<11 NGINX Web与API安全>目录下的nginx.conf文件拷贝至/etc/nginx/目录
+- 或者直接vi将如下配置文件内容粘贴至/etc/nginx/nginx.conf中:
+```nginx
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+
+# load the app protect module
+load_module modules/ngx_http_app_protect_module.so;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # note that in the dockerfile, the logs are redirected to stdout and can be viewed with `docker logs`
+ access_log /var/log/nginx/access.log main;
+
+ server {
+ listen 80;
+ server_name localhost;
+ proxy_http_version 1.1;
+ proxy_cache_bypass $http_upgrade;
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_ignore_client_abort on;
+
+ app_protect_enable on;
+ app_protect_security_log_enable on;
+ # send the logs to the logstash instance on our ELK stack. 
+ app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.1.1.11:5144;
+
+ # main service
+ location / {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30585$request_uri;
+ }
+
+ # backend service
+ location /files {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30584$request_uri;
+ }
+
+ # app2 service
+ location /api {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30586$request_uri;
+ }
+
+ # app2 service
+ location /app3 {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30587$request_uri;
+ }
+ }
+}
+```
+9. 关闭SELinux,允许全局访问
+```bash
+sudo setenforce 0
+```
+10. 启用并启动NGINX服务
+```bash
+sudo systemctl enable --now nginx.service
+```
+11. 检查运行是否正常
+```bash
+systemctl status nginx
+```
+可以看到nginx的服务已经是active的状态。
+
+---
+至此,就完成了NAP的安装和初始化相关工作。🍺
+---
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" new file mode 100644
index 0000000..ed53c2f
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" 
@@ -0,0 +1,534 @@ +# OWASP Top 10防护 + +## 相关配置文件列表 + +``` +nginx.conf +policy_owasp_top10.json +``` + + +# 测试工具 + +- 浏览器 +- 模拟攻击脚本规则 + +--- + +# 模拟攻击测试 + + +## SQL注入防护 + +1. 浏览器输入: +``` +http://centos.arcadia-finance.io/?hfsagrs=-1+union+select+user%2Cpassword+from+users+--+ +``` +2. 请求被NAP阻断,阻断信息及support ID: 18029559235433355204: + +![OWASP-Top-10-SQL注入]() + +3. 攻击防护相关log信息,可参考文件: + +```json + +{ + "_index": "waf-logs-2021.10.10", + "_type": "_doc", + "_id": "PkXKaHwBMIwAeeuRM3s4", + "_version": 1, + "_score": null, + "_source": { + "request_status": "blocked", + "severity": 2, + "bot_category": "Non-BOT", + "violation_details": "10000000200c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericLTEgdW5pb24gc2VsZWN0IHVzZXIscGFzc3dvcmQgZnJvbSB1c2VycyAtLSA=*002000025532aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==8152000000733aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==11402000027362aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==9142000000822aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==17342000025532aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==8152000000733aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==11402000027362aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==9142000000822aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==1734", + "uri": "/", + "bot_signature_name": "N/A", + "violations": [ + "Attack signature detected", + "Violation Rating Threat detected" + ], + "ip_client": "10.1.1.13", + "src_port": "60422", + "message": "ASM:attack_type=\"Non-browser Client,SQL-Injection\",blocking_exception_reason=\"N/A\",date_time=\"2021-10-10 
06:00:52\",dest_port=\"80\",ip_client=\"10.1.1.13\",is_truncated=\"false\",method=\"GET\",policy_name=\"app_protect_default_policy\",protocol=\"HTTP\",request_status=\"blocked\",response_code=\"0\",severity=\"Critical\",sig_cves=\"N/A\",sig_ids=\"200002553,200000073,200002736,200000082\",sig_names=\"SQL-INJ integer field UNION (Parameter),SQL-INJ \"\"UNION SELECT\"\" (Parameter),SQL-INJ ' UNION SELECT (Parameter)...\",sig_set_names=\"{SQL Injection Signatures},{High Accuracy Signatures;SQL Injection Signatures},{SQL Injection Signatures}...\",src_port=\"60422\",sub_violations=\"N/A\",support_id=\"18029559235433355204\",threat_campaign_names=\"N/A\",unit_hostname=\"c68206ac-6bd7-49d0-ad95-d7b1ccb15787\",uri=\"/\",violation_rating=\"5\",vs_name=\"26-localhost:1-/\",x_forwarded_for_header_value=\"N/A\",outcome=\"REJECTED\",outcome_reason=\"SECURITY_WAF_VIOLATION\",violations=\"Attack signature detected,Violation Rating Threat detected\",violation_details=\"10000000200c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericLTEgdW5pb24gc2VsZWN0IHVzZXIscGFzc3dvcmQgZnJvbSB1c2VycyAtLSA=*002000025532aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==8152000000733aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==11402000027362aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==9142000000822aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==17342000025532aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==8152000000733aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==11402000027362aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==9142000000822aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==1734\",bot_signature_name=\"N/A\",bot_category=\"N/A\",bot_anomalies=\"N/A\",enforced_bot_anomalies=\"N/A\",client_class=\"Browser\",client_application=\"Fir
eFox\",client_application_version=\"94\",request=\"GET /?hfsagrs=-1+union+select+user%2Cpassword+from+users+--+ HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n\",transport_protocol=\"HTTP/1.1\"\r\n", + "sig_set_names": [ + "{SQL Injection Signatures}", + "{High Accuracy Signatures;SQL Injection Signatures}", + "{SQL Injection Signatures}..." + ], + "priority": 130, + "timestamp": "Oct 10 06:00:53", + "sig_cves": [ + "N/A" + ], + "x_forwarded_for_header_value": "N/A", + "source_host": "10.1.1.13", + "request": "GET /?hfsagrs=-1+union+select+user%2Cpassword+from+users+--+ HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n", + "violation_rating": "5", + "geoip": {}, + "unit_hostname": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787", + "dest_port": "80", + "outcome_reason": "SECURITY_WAF_VIOLATION", + "tags": [ + "waf", + "_geoip_lookup_failure" + ], + "host": "10.1.1.9", + "facility": 16, + "date_time": "2021-10-10 06:00:52", + "sub_violations": [ + "N/A" + ], + "logsource": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787", + "facility_label": "local0", + "blocking_exception_reason": "N/A", + "@timestamp": "2021-10-10T06:00:53.000Z", + "severity_label": "Critical", + "is_truncated": "false", + "method": "GET", + "policy_name": "app_protect_default_policy", + "client_class": "Browser", + "protocol": "HTTP", + "support_id": 
"18029559235433355204", + "@version": "1", + "sig_ids": [ + "200002553", + "200000073", + "200002736", + "200000082" + ], + "vs_name": "26-localhost:1-/", + "outcome": "REJECTED", + "bot_anomalies": [ + "N/A" + ], + "response_code": "Blocked", + "sig_names": [ + "SQL-INJ integer field UNION (Parameter)", + "SQL-INJ " + ] + }, + "fields": { + "@timestamp": [ + "2021-10-10T06:00:53.000Z" + ] + }, + "sort": [ + 1633845653000 + ] +} +``` + + +--- + + +## Remote File Include (RFI)远程文件包含防护 + +解释: +``` +攻击者利用包含的特性,加上应用本身对文件(包含)控制不严格,最终造成攻击者进行任意文件包含。 +包含的文件内容会被当成PHP脚本文件来解析,从而攻击者可以在包含文件里面使用恶意脚本。 +``` + +1. 浏览器输入: +``` +http://centos.arcadia-finance.io/?hfsagrs=php%3A%2F%2Ffilter%2Fresource%3Dhttp%3A%2F%2Fgoogle.com%2Fsearch +``` +2. 请求被NAP阻断,阻断信息及support ID: 302917768469178547: + +![OWASP-Top-10-remote-file-include]() + +3. 攻击防护相关log信息,可参考文件: + +```json +{ + "_index": "waf-logs-2021.10.10", + "_type": "_doc", + "_id": "P0XQaHwBMIwAeeuRXXtZ", + "_version": 1, + "_score": null, + "_source": { + "request_status": "blocked", + "severity": 3, + "bot_category": "Non-BOT", + "violation_details": "10000000200c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericcGhwOi8vZmlsdGVyL3Jlc291cmNlPWh0dHA6Ly9nb29nbGUuY29tL3NlYXJjaA==*002000220133aGZzYWdycz1waHA6Ly9maWx0ZXIvcmVzb3VyY2U9aHR0cDovL2dvb2dsZS5jb20vc2VhcmNo812", + "uri": "/", + "bot_signature_name": "N/A", + "violations": [ + "Attack signature detected" + ], + "ip_client": "10.1.1.13", + "src_port": "60432", + "message": "ASM:attack_type=\"Remote File Include\",blocking_exception_reason=\"N/A\",date_time=\"2021-10-10 06:07:38\",dest_port=\"80\",ip_client=\"10.1.1.13\",is_truncated=\"false\",method=\"GET\",policy_name=\"app_protect_default_policy\",protocol=\"HTTP\",request_status=\"blocked\",response_code=\"0\",severity=\"Error\",sig_cves=\"N/A\",sig_ids=\"200022013\",sig_names=\"PHP remote file include attempt - filter\",sig_set_names=\"{High Accuracy 
Signatures;Remote File Include Signatures}\",src_port=\"60432\",sub_violations=\"N/A\",support_id=\"302917768469178547\",threat_campaign_names=\"N/A\",unit_hostname=\"c68206ac-6bd7-49d0-ad95-d7b1ccb15787\",uri=\"/\",violation_rating=\"3\",vs_name=\"26-localhost:1-/\",x_forwarded_for_header_value=\"N/A\",outcome=\"REJECTED\",outcome_reason=\"SECURITY_WAF_VIOLATION\",violations=\"Attack signature detected\",violation_details=\"10000000200c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericcGhwOi8vZmlsdGVyL3Jlc291cmNlPWh0dHA6Ly9nb29nbGUuY29tL3NlYXJjaA==*002000220133aGZzYWdycz1waHA6Ly9maWx0ZXIvcmVzb3VyY2U9aHR0cDovL2dvb2dsZS5jb20vc2VhcmNo812\",bot_signature_name=\"N/A\",bot_category=\"N/A\",bot_anomalies=\"N/A\",enforced_bot_anomalies=\"N/A\",client_class=\"Browser\",client_application=\"FireFox\",client_application_version=\"94\",request=\"GET /?hfsagrs=php%3A%2F%2Ffilter%2Fresource%3Dhttp%3A%2F%2Fgoogle.com%2Fsearch HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n\",transport_protocol=\"HTTP/1.1\"\r\n", + "sig_set_names": [ + "{High Accuracy Signatures;Remote File Include Signatures}" + ], + "priority": 131, + "timestamp": "Oct 10 06:07:38", + "sig_cves": [ + "N/A" + ], + "x_forwarded_for_header_value": "N/A", + "source_host": "10.1.1.13", + "request": "GET /?hfsagrs=php%3A%2F%2Ffilter%2Fresource%3Dhttp%3A%2F%2Fgoogle.com%2Fsearch HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n", + "violation_rating": "3", + "geoip": {}, + "unit_hostname": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787", + "dest_port": "80", + "outcome_reason": "SECURITY_WAF_VIOLATION", + "tags": [ + "waf", + "_geoip_lookup_failure" + ], + "host": "10.1.1.9", + "facility": 16, + "date_time": "2021-10-10 06:07:38", + "sub_violations": [ + "N/A" + ], + "logsource": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787", + "facility_label": "local0", + "blocking_exception_reason": "N/A", + "@timestamp": "2021-10-10T06:07:38.000Z", + "severity_label": "Error", + "is_truncated": "false", + "method": "GET", + "policy_name": "app_protect_default_policy", + "client_class": "Browser", + "protocol": "HTTP", + "support_id": "302917768469178547", + "@version": "1", + "sig_ids": [ + "200022013" + ], + "vs_name": "26-localhost:1-/", + "outcome": "REJECTED", + "bot_anomalies": [ + "N/A" + ], + "response_code": "Blocked", + "sig_names": [ + "PHP remote file include attempt - filter" + ] + }, + "fields": { + "@timestamp": [ + "2021-10-10T06:07:38.000Z" + ] + }, + "sort": [ + 1633846058000 + ] +} +``` + + +--- + +## 路径遍历防护 + +1. 浏览器输入: +``` +http://centos.arcadia-finance.io/lua/login.lua?referer=google.com%2F&hfsagrs=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd +``` +2. 请求被NAP阻断,阻断信息及support ID: 18029559235433355714: + +![OWASP-Top-10-command execution]() + +3. 
攻击防护相关log信息,可参考文件: + +```json +{ + "_index": "waf-logs-2021.10.10", + "_type": "_doc", + "_id": "QkXaaHwBMIwAeeuRPntr", + "_version": 1, + "_score": null, + "_source": { + "request_status": "blocked", + "severity": 2, + "bot_category": "Non-BOT", + "violation_details": "10000000000c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericLy4uLy4uLy4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q=*002000001902aGZzYWdycz0vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==932000030542aGZzYWdycz0vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==3072000039092aGZzYWdycz0vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==3211", + "uri": "/lua/login.lua", + "bot_signature_name": "N/A", + "violations": [ + "Attack signature detected", + "Violation Rating Threat detected" + ], + "ip_client": "10.1.1.13", + "src_port": "62546", + "message": "ASM:attack_type=\"Non-browser Client,Predictable Resource Location,Path Traversal\",blocking_exception_reason=\"N/A\",date_time=\"2021-10-10 06:18:24\",dest_port=\"80\",ip_client=\"10.1.1.13\",is_truncated=\"false\",method=\"GET\",policy_name=\"app_protect_default_policy\",protocol=\"HTTP\",request_status=\"blocked\",response_code=\"0\",severity=\"Critical\",sig_cves=\"N/A\",sig_ids=\"200000190,200003054,200003909\",sig_names=\"Directory Traversal attempt (parameter),Directory Traversal attempt (../etc/) (Parameter),\"\"/etc/passwd\"\" access (Parameter)\",sig_set_names=\"{Path Traversal Signatures},{Path Traversal Signatures},{Predictable Resource Location Signatures}\",src_port=\"62546\",sub_violations=\"N/A\",support_id=\"18029559235433355714\",threat_campaign_names=\"N/A\",unit_hostname=\"c68206ac-6bd7-49d0-ad95-d7b1ccb15787\",uri=\"/lua/login.lua\",violation_rating=\"5\",vs_name=\"26-localhost:1-/\",x_forwarded_for_header_value=\"N/A\",outcome=\"REJECTED\",outcome_reason=\"SECURITY_WAF_VIOLATION\",violations=\"Attack signature detected,Violation Rating Threat 
detected\",violation_details=\"10000000000c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericLy4uLy4uLy4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q=*002000001902aGZzYWdycz0vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==932000030542aGZzYWdycz0vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==3072000039092aGZzYWdycz0vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==3211\",bot_signature_name=\"N/A\",bot_category=\"N/A\",bot_anomalies=\"N/A\",enforced_bot_anomalies=\"N/A\",client_class=\"Browser\",client_application=\"FireFox\",client_application_version=\"94\",request=\"GET /lua/login.lua?referer=google.com%2F&hfsagrs=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n\",transport_protocol=\"HTTP/1.1\"\r\n", + "sig_set_names": [ + "{Path Traversal Signatures}", + "{Path Traversal Signatures}", + "{Predictable Resource Location Signatures}" + ], + "priority": 130, + "timestamp": "Oct 10 06:18:25", + "sig_cves": [ + "N/A" + ], + "x_forwarded_for_header_value": "N/A", + "source_host": "10.1.1.13", + "request": "GET /lua/login.lua?referer=google.com%2F&hfsagrs=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n", + "violation_rating": "5", + 
"geoip": {}, + "unit_hostname": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787", + "dest_port": "80", + "outcome_reason": "SECURITY_WAF_VIOLATION", + "tags": [ + "waf", + "_geoip_lookup_failure" + ], + "host": "10.1.1.9", + "facility": 16, + "date_time": "2021-10-10 06:18:24", + "sub_violations": [ + "N/A" + ], + "logsource": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787", + "facility_label": "local0", + "blocking_exception_reason": "N/A", + "@timestamp": "2021-10-10T06:18:25.000Z", + "severity_label": "Critical", + "is_truncated": "false", + "method": "GET", + "policy_name": "app_protect_default_policy", + "client_class": "Browser", + "protocol": "HTTP", + "support_id": "18029559235433355714", + "@version": "1", + "sig_ids": [ + "200000190", + "200003054", + "200003909" + ], + "vs_name": "26-localhost:1-/", + "outcome": "REJECTED", + "bot_anomalies": [ + "N/A" + ], + "response_code": "Blocked", + "sig_names": [ + "Directory Traversal attempt (parameter)", + "Directory Traversal attempt (../etc/) (Parameter)" + ] + }, + "fields": { + "@timestamp": [ + "2021-10-10T06:18:25.000Z" + ] + }, + "sort": [ + 1633846705000 + ] +} +``` + +--- + +## Cross Site Scripting防护 + +1. 浏览器输入: +``` +http://centos.arcadia-finance.io/lua/login.lua?referer=google.com%2F&hfsagrs=+oNmouseoVer%3Dbfet%28%29+ +``` +2. 请求被NAP阻断,阻断信息及support ID: 18029559235433356224: + +![OWASP-Top-10-]() + +3. 
攻击防护相关log信息,可参考文件: + +```json +{ + "_index": "waf-logs-2021.10.10", + "_type": "_doc", + "_id": "Q0XhaHwBMIwAeeuRSXvX", + "_version": 1, + "_score": null, + "_source": { + "request_status": "blocked", + "severity": 2, + "bot_category": "Non-BOT", + "violation_details": "10000000200c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericIG9ObW91c2VvVmVyPWJmZXQoKSA=*002000010013aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==9122001011623aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==9122000010013aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==9122001011623aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==912", + "uri": "/lua/login.lua", + "bot_signature_name": "N/A", + "violations": [ + "Attack signature detected", + "Violation Rating Threat detected" + ], + "ip_client": "10.1.1.13", + "src_port": "62556", + "message": "ASM:attack_type=\"Non-browser Client,Cross Site Scripting (XSS)\",blocking_exception_reason=\"N/A\",date_time=\"2021-10-10 06:26:07\",dest_port=\"80\",ip_client=\"10.1.1.13\",is_truncated=\"false\",method=\"GET\",policy_name=\"app_protect_default_policy\",protocol=\"HTTP\",request_status=\"blocked\",response_code=\"0\",severity=\"Critical\",sig_cves=\"N/A\",sig_ids=\"200001001,200101162\",sig_names=\"onmouse... 
(Parameter),onmouseover (Parameter)\",sig_set_names=\"{Cross Site Scripting Signatures;High Accuracy Signatures},{Cross Site Scripting Signatures;High Accuracy Signatures}\",src_port=\"62556\",sub_violations=\"N/A\",support_id=\"18029559235433356224\",threat_campaign_names=\"N/A\",unit_hostname=\"c68206ac-6bd7-49d0-ad95-d7b1ccb15787\",uri=\"/lua/login.lua\",violation_rating=\"5\",vs_name=\"26-localhost:1-/\",x_forwarded_for_header_value=\"N/A\",outcome=\"REJECTED\",outcome_reason=\"SECURITY_WAF_VIOLATION\",violations=\"Attack signature detected,Violation Rating Threat detected\",violation_details=\"10000000200c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericIG9ObW91c2VvVmVyPWJmZXQoKSA=*002000010013aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==9122001011623aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==9122000010013aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==9122001011623aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==912\",bot_signature_name=\"N/A\",bot_category=\"N/A\",bot_anomalies=\"N/A\",enforced_bot_anomalies=\"N/A\",client_class=\"Browser\",client_application=\"FireFox\",client_application_version=\"94\",request=\"GET /lua/login.lua?referer=google.com%2F&hfsagrs=+oNmouseoVer%3Dbfet%28%29+ HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n\",transport_protocol=\"HTTP/1.1\"\r\n", + "sig_set_names": [ + "{Cross Site Scripting Signatures;High Accuracy Signatures}", + "{Cross Site Scripting Signatures;High Accuracy Signatures}" + ], + "priority": 130, + "timestamp": "Oct 10 06:26:07", + "sig_cves": [ + "N/A" + ], + "x_forwarded_for_header_value": "N/A", + "source_host": "10.1.1.13", + 
"request": "GET /lua/login.lua?referer=google.com%2F&hfsagrs=+oNmouseoVer%3Dbfet%28%29+ HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n", + "violation_rating": "5", + "geoip": {}, + "unit_hostname": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787", + "dest_port": "80", + "outcome_reason": "SECURITY_WAF_VIOLATION", + "tags": [ + "waf", + "_geoip_lookup_failure" + ], + "host": "10.1.1.9", + "facility": 16, + "date_time": "2021-10-10 06:26:07", + "sub_violations": [ + "N/A" + ], + "logsource": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787", + "facility_label": "local0", + "blocking_exception_reason": "N/A", + "@timestamp": "2021-10-10T06:26:07.000Z", + "severity_label": "Critical", + "is_truncated": "false", + "method": "GET", + "policy_name": "app_protect_default_policy", + "client_class": "Browser", + "protocol": "HTTP", + "support_id": "18029559235433356224", + "@version": "1", + "sig_ids": [ + "200001001", + "200101162" + ], + "vs_name": "26-localhost:1-/", + "outcome": "REJECTED", + "bot_anomalies": [ + "N/A" + ], + "response_code": "Blocked", + "sig_names": [ + "onmouse... (Parameter)", + "onmouseover (Parameter)" + ] + }, + "fields": { + "@timestamp": [ + "2021-10-10T06:26:07.000Z" + ] + }, + "sort": [ + 1633847167000 + ] +} +``` + +--- + +## Multiple decoding多次解码防护 + +1. 浏览器输入: +``` +http://centos.arcadia-finance.io/three_decodin%2525252567.html +``` +2. 请求被NAP告警,告警信息及support ID: 302917768469183137: + +![OWASP-Top-10-]() + +3. 
攻击防护相关log信息,可参考文件: + +```json +{ + "_index": "waf-logs-2021.10.10", + "_type": "_doc", + "_id": "TEX3aHwBMIwAeeuRSXur", + "_version": 1, + "_score": null, + "_source": { + "request_status": "alerted", + "severity": 2, + "bot_category": "Non-BOT", + "violation_details": "10000000000c00-3a03030c30000072577f0ffcb9d0fea-befbf35cb000007e0-00-07VIOL_EVASIONuriL3RocmVlX2RlY29kaW4lMjUyNTI1MjU2OC5odG1s14716", + "uri": "/three_decodin%2568.html", + "bot_signature_name": "N/A", + "violations": [ + "Evasion technique detected" + ], + "ip_client": "10.1.1.13", + "src_port": "55122", + "message": "ASM:attack_type=\"Detection Evasion\",blocking_exception_reason=\"N/A\",date_time=\"2021-10-10 06:50:08\",dest_port=\"80\",ip_client=\"10.1.1.13\",is_truncated=\"false\",method=\"GET\",policy_name=\"app_protect_default_policy\",protocol=\"HTTP\",request_status=\"alerted\",response_code=\"404\",severity=\"Critical\",sig_cves=\"N/A\",sig_ids=\"N/A\",sig_names=\"N/A\",sig_set_names=\"N/A\",src_port=\"55122\",sub_violations=\"Evasion technique detected:Multiple decoding\",support_id=\"302917768469183137\",threat_campaign_names=\"N/A\",unit_hostname=\"c68206ac-6bd7-49d0-ad95-d7b1ccb15787\",uri=\"/three_decodin%2568.html\",violation_rating=\"2\",vs_name=\"26-localhost:1-/\",x_forwarded_for_header_value=\"N/A\",outcome=\"PASSED\",outcome_reason=\"SECURITY_WAF_FLAGGED\",violations=\"Evasion technique detected\",violation_details=\"10000000000c00-3a03030c30000072577f0ffcb9d0fea-befbf35cb000007e0-00-07VIOL_EVASIONuriL3RocmVlX2RlY29kaW4lMjUyNTI1MjU2OC5odG1s14716\",bot_signature_name=\"N/A\",bot_category=\"N/A\",bot_anomalies=\"N/A\",enforced_bot_anomalies=\"N/A\",client_class=\"Browser\",client_application=\"FireFox\",client_application_version=\"94\",request=\"GET /three_decodin%2525252568.html HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nCookie: PHPSESSID=9pucfgkfrtk71i9dvmo072jokn\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n\",transport_protocol=\"HTTP/1.1\"\r\n", + "sig_set_names": [ + "N/A" + ], + "priority": 130, + "timestamp": "Oct 10 06:50:09", + "sig_cves": [ + "N/A" + ], + "x_forwarded_for_header_value": "N/A", + "source_host": "10.1.1.13", + "request": "GET /three_decodin%2525252568.html HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nCookie: PHPSESSID=9pucfgkfrtk71i9dvmo072jokn\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n", + "violation_rating": "2", + "geoip": {}, + "unit_hostname": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787", + "dest_port": "80", + "outcome_reason": "SECURITY_WAF_FLAGGED", + "tags": [ + "waf", + "_geoip_lookup_failure" + ], + "host": "10.1.1.9", + "facility": 16, + "date_time": "2021-10-10 06:50:08", + "sub_violations": [ + "Evasion technique detected:Multiple decoding" + ], + "logsource": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787", + "facility_label": "local0", + "blocking_exception_reason": "N/A", + "@timestamp": "2021-10-10T06:50:09.000Z", + "severity_label": "Critical", + "is_truncated": "false", + "method": "GET", + "policy_name": "app_protect_default_policy", + "client_class": "Browser", + "protocol": "HTTP", + "support_id": "302917768469183137", + "@version": "1", + "sig_ids": [ + "N/A" + ], + "vs_name": "26-localhost:1-/", + "outcome": "PASSED", + "bot_anomalies": [ + "N/A" + ], + "response_code": "404", + "sig_names": [ + "N/A" + ] + }, + "fields": { + "@timestamp": [ + 
"2021-10-10T06:50:09.000Z" + ] + }, + "sort": [ + 1633848609000 + ] +} +``` + +--- +本章节Lab主要介绍了NAP对OWASP Top 10常见攻击的防护,大家可以多测试不同的攻击策略以及调整NAP的防护策略。🍺 +--- + + + + + + diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/nginx_owasp_top10.conf" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/nginx_owasp_top10.conf" new file mode 100644 index 0000000..d712ba7 --- /dev/null +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/nginx_owasp_top10.conf" 
@@ -0,0 +1,83 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+
+# load the app protect module
+load_module modules/ngx_http_app_protect_module.so;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # note that in the dockerfile, the logs are redirected to stdout and can be viewed with `docker logs`
+ access_log /var/log/nginx/access.log main;
+
+ server {
+ listen 80;
+ server_name localhost;
+ proxy_http_version 1.1;
+ proxy_cache_bypass $http_upgrade;
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_ignore_client_abort on;
+
+ app_protect_enable on;
+ app_protect_security_log_enable on;
+ app_protect_policy_file "/etc/nginx/policy_owasp_top10.json";
+ # send the logs to the logstash instance on our ELK stack.
+ app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.1.1.11:5144;
+
+ # main service
+ location / {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30585$request_uri;
+ }
+
+ # backend service
+ location /files {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30584$request_uri;
+ }
+
+ # app2 service
+ location /api {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30586$request_uri;
+ }
+
+ # app2 service
+ location /app3 {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30587$request_uri;
+ }
+ }
+}
\ No newline at end of file
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/policy_owasp_top10.json" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/policy_owasp_top10.json"
new file mode 100644
index 0000000..bcf8ec0
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/policy_owasp_top10.json"
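Review bot: `proxy_set_header Connection "upgrade";` in the server block is applied to every proxied request, not just WebSocket handshakes, so ordinary HTTP/1.1 requests reach the Arcadia backends carrying `Connection: upgrade` with no `Upgrade` header; the usual fix is a `map` on `$http_upgrade` that yields `close` when no upgrade was requested, sketched below. `client_max_body_size 0;` in all four locations removes nginx's request-body cap entirely, so a client can stream arbitrarily large bodies at the backends and at NAP's body inspection — set a realistic limit such as `client_max_body_size 10m;` and raise it only on an endpoint that actually uploads. Two smaller points: the `/app3` location is commented `# app2 service`, which looks like a copy-paste slip, and `syslog:server=10.1.1.11:5144` ships the WAF security log in cleartext, which is acceptable for this lab but should be called out in the comment above it.

```nginx
    # … unchanged: log_format / access_log …
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        # … unchanged: listen, Host / X-Forwarded-* headers …
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # … unchanged: app_protect_* directives and locations …
```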
@@ -0,0 +1,86 @@
+{
+ "policy": {
+ "name": "Complete_OWASP_Top_Ten",
+ "description": "A generic, OWASP Top 10 protection items v1.0",
+ "template": {
+ "name": "POLICY_TEMPLATE_NGINX_BASE"
+ },
+ "enforcementMode":"blocking",
+ "signature-settings":{
+ "signatureStaging": false,
+ "minimumAccuracyForAutoAddedSignatures": "high"
+ },
+ "caseInsensitive": true,
+ "general": {
+ "trustXff": true
+ },
+ "data-guard": {
+ "enabled": true
+ },
+ "blocking-settings": {
+ "violations": [
+ {
+ "alarm": true,
+ "block": true,
+ "description": "Modified NAP cookie",
+ "name": "VIOL_ASM_COOKIE_MODIFIED"
+ },
+ {
+ "alarm": true,
+ "block": true,
+ "description": "XML data does not comply with format settings",
+ "name": "VIOL_XML_FORMAT"
+ },
+ {
+ "name": "VIOL_FILETYPE",
+ "alarm": true,
+ "block": true
+ }
+ ],
+ "evasions": [
+ {
+ "description": "Bad unescape",
+ "enabled": true
+ },
+ {
+ "description": "Apache whitespace",
+ "enabled": true
+ },
+ {
+ "description": "Bare byte decoding",
+ "enabled": true
+ },
+ {
+ "description": "IIS Unicode codepoints",
+ "enabled": true
+ },
+ {
+ "description": "IIS backslashes",
+ "enabled": true
+ },
+ {
+ "description": "%u decoding",
+ "enabled": true
+ },
+ {
+ "description": "Multiple decoding",
+ "enabled": true,
+ "maxDecodingPasses": 3
+ },
+ {
+ "description": "Directory traversals",
+ "enabled": true
+ }
+ ]
+ },
+ "xml-profiles": [
+ {
+ "name": "Default",
+ "defenseAttributes": {
+ "allowDTDs": false,
+ "allowExternalReferences": false
+ }
+ }
+ ]
+ }
+}
\ No newline at end of file
-- 
Gitee
From 62b878f0b6059e118609482398c4f7ca7853870e Mon Sep 17 00:00:00 2001
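Review bot: `"general": { "trustXff": true }` tells NAP to take the client address from an X-Forwarded-For header supplied by whoever connects, and nginx_owasp_top10.conf in this same commit has this NGINX listening on port 80 as the edge and setting X-Forwarded-For itself for the upstream, so any client can forge the IP that lands in `ip_client` / `x_forwarded_for_header_value` in the security log and in any IP-based exception added to this policy later. Unless a trusted proxy that overwrites the header is the only thing able to reach this listener, this should be `"trustXff": false`. A second thing to confirm: the `evasions` entries only set `"enabled": true`, and the Multiple-decoding sample in 2-README_OWASP Top 10.md shows `outcome: PASSED` / `SECURITY_WAF_FLAGGED`, so these evasion checks appear to alarm without blocking under this policy; if blocking is intended, add `{ "name": "VIOL_EVASION", "alarm": true, "block": true }` to `blocking-settings.violations`, and if alert-only is intended, say so in `description`.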
From: michaelwang Date: Sun, 10 Oct 2021 08:24:56 +0000 Subject: [PATCH 16/38] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=2011?= =?UTF-8?q?=20NGINX=20Web=E4=B8=8EAPI=E5=AE=89=E5=85=A8/Lab-1-OWASP=20Top?= =?UTF-8?q?=2010=E9=98=B2=E6=8A=A4/2-README=5FNAP=5FDeployment.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2-README_NAP_Deployment.md" | 185 ------------------ 1 file changed, 185 deletions(-) delete mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_NAP_Deployment.md" diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_NAP_Deployment.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_NAP_Deployment.md" deleted file mode 100644 index 22e8973..0000000 --- "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_NAP_Deployment.md" +++ /dev/null 
@@ -1,185 +0,0 @@ -# 概述 - -NGINX App Protect(简称NAP)可以对web应用提供WAF防护功能,包括:OWASP Top 10,响应包检查,元字符检查,HTTP协议合规性检查,防逃逸技术,文件类型过滤,JSON、XML和gRPC检查,敏感参数防泄露等。 - -## 前提条件 -1. NGINX Plus Release 22 及更高版本支持 NGINX App Protect。 - -2. NGINX App Protect 支持以下操作系统: -- CentOS/RHEL 7.4.x及更高 -- Debian 9 - (从NGINX Plus R24开始弃用) -- Debian 10 -- Ubuntu 18.04 -- Ubuntu 20.04 -- Alpine 3.10 - -3. NGINX App Protect支持的部署环境如下: -- Linux主机 -- Docker -- Kubernetes Ingress Controller -- Cloud - -4. 申请好NGINX Plus测试许可。在自己试用账号门户站点里,下载好以下2个文件: -``` -nginx-repo.key -nginx-repo.crt -``` - -# Lab环境介绍 - -本章节演示和实验采用在CentOS虚机中部署NGINX App Protect环境,学员可根据自己实际情况准备实验环境。本环境中包含以下组件: - -## NGINX Plus反向代理服务器 -后面简称反代, - -## Web API Servers -使用Arcadia应用服务,通过GitLab下载安装:https://gitlab.com/arcadia-application - -## 测试客户端 -请预装以下软件,并且为了方便测试,建议在客户端hosts配置测试所用域名。 -- 浏览器 -- Postman -- Jmeter - -# CentOS 7.4+环境的NAP安装步骤 - -1. 如果前面章节的实验已有相关NGINX包,可以备份相关配置和日志 -```bash -sudo cp -a /etc/nginx /etc/nginx-plus-backup -sudo cp -a /var/log/nginx /var/log/nginx-plus-backup -``` -2. 创建/etc/ssl/nginx/目录和/etc/nginx/目录 -```bash -sudo mkdir -p /etc/ssl/nginx -sudo mkdir -p /etc/nginx -``` -3. 将以上《前提条件》中申请的测试许可从门户站点中下载好,并复制到/etc/ssl/nginx/目录下。 - -4. 安装必备软件包 -```bash -sudo yum install ca-certificates epel-release wget -``` -5. 添加NGINX Plus库 -```bash -sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.repo -``` -6.安装最新版本的NGINX App Protect软件包(包括NGINX Plus) -```bash -sudo yum install app-protect -``` -注:也可以通过以下命令列出可用版本: -```bash -sudo yum --showduplicates list app-protect -``` -从而选择指定版本进行安装,例如: -```bash -sudo yum install app-protect-20+2.52.1 -``` -7. 检查 NGINX 二进制版本以确保正确安装了 NGINX Plus -```bash -sudo nginx -v -``` -8. 
配置nginx,以下二选一。 -- 可以将Gitee中<11 NGINX Web与API安全>目录下的nginx.conf文件拷贝至/etc/nginx/目录 -- 或者直接vi将如下配置文件内容粘贴至/etc/nginx/nginx.conf中: -```nginx -user nginx; -worker_processes auto; - -error_log /var/log/nginx/error.log notice; - -# load the app protect module -load_module modules/ngx_http_app_protect_module.so; - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - # note that in the dockerfile, the logs are redirected to stdout and can be viewed with `docker logs` - access_log /var/log/nginx/access.log main; - - server { - listen 80; - server_name localhost; - proxy_http_version 1.1; - proxy_cache_bypass $http_upgrade; - - proxy_set_header Host $host; - - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_ignore_client_abort on; - - app_protect_enable on; - app_protect_security_log_enable on; - # send the logs to the logstash instance on our ELK stack. 
- app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.1.1.11:5144; - - # main service - location / { - resolver 10.1.1.8:5353; - resolver_timeout 5s; - client_max_body_size 0; - default_type text/html; - proxy_pass http://k8s.arcadia-finance.io:30585$request_uri; - } - - # backend service - location /files { - resolver 10.1.1.8:5353; - resolver_timeout 5s; - client_max_body_size 0; - default_type text/html; - proxy_pass http://k8s.arcadia-finance.io:30584$request_uri; - } - - # app2 service - location /api { - resolver 10.1.1.8:5353; - resolver_timeout 5s; - client_max_body_size 0; - default_type text/html; - proxy_pass http://k8s.arcadia-finance.io:30586$request_uri; - } - - # app2 service - location /app3 { - resolver 10.1.1.8:5353; - resolver_timeout 5s; - client_max_body_size 0; - default_type text/html; - proxy_pass http://k8s.arcadia-finance.io:30587$request_uri; - } - } -} -``` -9. 关闭SELinux,允许全局访问 -```bash -sudo setenforce 0 -``` -10. 启用并启动NGINX服务 -```bash -sudo systemctl enable --now nginx.service -``` -11. 检查运行是否正常 -```bash -systemctl status nginx -``` -可以看到nginx的服务已经是active的状态。 - ---- -至此,就完成了NAP的安装和初始化相关工作。🍺 ---- -- Gitee From e8494448657d390ef7a0076baa7078e9d8a1a2d3 Mon Sep 17 00:00:00 2001 From: michaelwang Date: Sun, 10 Oct 2021 08:28:36 +0000 Subject: [PATCH 17/38] =?UTF-8?q?update=2011=20NGINX=20Web=E4=B8=8EAPI?= =?UTF-8?q?=E5=AE=89=E5=85=A8/Lab-1-OWASP=20Top=2010=E9=98=B2=E6=8A=A4/2-R?= =?UTF-8?q?EADME=5FOWASP=20Top=2010.md.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2-README_OWASP Top 10.md" | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" index ed53c2f..170b06c 100644 --- "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" @@ -26,7 +26,7 @@ http://centos.arcadia-finance.io/?hfsagrs=-1+union+select+user%2Cpassword+from+u ``` 2. 请求被NAP阻断,阻断信息及support ID: 18029559235433355204: -![OWASP-Top-10-SQL注入]() +![OWASP-Top-10-SQL注入](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-SQL%E6%B3%A8%E5%85%A5.png) 3. 攻击防护相关log信息,可参考文件: -- Gitee From ecc24a66ca8dedb7aa297404a017d71b83074f1b Mon Sep 17 00:00:00 2001 From: michaelwang Date: Sun, 10 Oct 2021 08:34:32 +0000 Subject: [PATCH 18/38] =?UTF-8?q?update=2011=20NGINX=20Web=E4=B8=8EAPI?= =?UTF-8?q?=E5=AE=89=E5=85=A8/Lab-1-OWASP=20Top=2010=E9=98=B2=E6=8A=A4/2-R?= =?UTF-8?q?EADME=5FOWASP=20Top=2010.md.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../2-README_OWASP Top 10.md" | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" index 170b06c..ed52b3c 100644 --- "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" 
@@ -28,7 +28,7 @@ http://centos.arcadia-finance.io/?hfsagrs=-1+union+select+user%2Cpassword+from+u ![OWASP-Top-10-SQL注入](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-SQL%E6%B3%A8%E5%85%A5.png) -3. 攻击防护相关log信息,可参考文件: +3. 攻击防护相关log信息: ```json @@ -138,9 +138,9 @@ http://centos.arcadia-finance.io/?hfsagrs=php%3A%2F%2Ffilter%2Fresource%3Dhttp%3 ``` 2. 请求被NAP阻断,阻断信息及support ID: 302917768469178547: -![OWASP-Top-10-remote-file-include]() +![OWASP-Top-10-remote-files-include](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-remote-files-include.png) -3. 攻击防护相关log信息,可参考文件: +3. 攻击防护相关log信息: ```json { @@ -235,9 +235,9 @@ http://centos.arcadia-finance.io/lua/login.lua?referer=google.com%2F&hfsagrs=%2F ``` 2. 请求被NAP阻断,阻断信息及support ID: 18029559235433355714: -![OWASP-Top-10-command execution]() +![OWASP-Top-10-Predictable%20Resource%20Location%20Path%20Traversal](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-Predictable%20Resource%20Location%20Path%20Traversal.png) -3. 攻击防护相关log信息,可参考文件: +3. 攻击防护相关log信息: ```json { @@ -337,9 +337,9 @@ http://centos.arcadia-finance.io/lua/login.lua?referer=google.com%2F&hfsagrs=+oN ``` 2. 请求被NAP阻断,阻断信息及support ID: 18029559235433356224: -![OWASP-Top-10-]() +![OWASP-Top-10-cross%20site%20scripting](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-cross%20site%20scripting.png) -3. 攻击防护相关log信息,可参考文件: +3. 攻击防护相关log信息: ```json { @@ -437,9 +437,9 @@ http://centos.arcadia-finance.io/three_decodin%2525252567.html ``` 2. 请求被NAP告警,告警信息及support ID: 302917768469183137: -![OWASP-Top-10-]() +![OWASP-Top-10-多次解码](https://gitee.com/michaelwang19/reference/raw/master/Pictures/NGINX%20Training/OWASP-Top-10-%E5%A4%9A%E6%AC%A1%E8%A7%A3%E7%A0%81.png) -3. 攻击防护相关log信息,可参考文件: +3. 攻击防护相关log信息: ```json { -- Gitee From f78cb629ed3348fa82bc40bec3ccf5e7912311bb Mon Sep 17 00:00:00 2001 
From: michaelwang Date: Sun, 10 Oct 2021 08:36:04 +0000 Subject: [PATCH 19/38] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=2011?= =?UTF-8?q?=20NGINX=20Web=E4=B8=8EAPI=E5=AE=89=E5=85=A8/Lab-2-API=E5=AE=89?= =?UTF-8?q?=E5=85=A8=E9=98=B2=E6=8A=A4/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../.keep" | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-2-API\345\256\211\345\205\250\351\230\262\346\212\244/.keep" diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-2-API\345\256\211\345\205\250\351\230\262\346\212\244/.keep" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-2-API\345\256\211\345\205\250\351\230\262\346\212\244/.keep" deleted file mode 100644 index e69de29..0000000 -- Gitee From c7f784cb67f5b510345feb830f4cdbd04cc810ad Mon Sep 17 00:00:00 2001 From: michaelwang Date: Sun, 10 Oct 2021 13:44:28 +0000 Subject: [PATCH 20/38] =?UTF-8?q?README=20for=20API=E5=AE=89=E5=85=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../3-README_API.md" | 392 ++++++++++++++++++ 1 file changed, 392 insertions(+) create mode 100644 "11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-2-API\345\256\211\345\205\250\351\230\262\346\212\244/3-README_API.md" diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-2-API\345\256\211\345\205\250\351\230\262\346\212\244/3-README_API.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-2-API\345\256\211\345\205\250\351\230\262\346\212\244/3-README_API.md" new file mode 100644 index 0000000..a6d770a --- /dev/null +++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-2-API\345\256\211\345\205\250\351\230\262\346\212\244/3-README_API.md" 
@@ -0,0 +1,392 @@ +# API安全防护 + +如今,App爆发式增长,而且很多金融机构或者互联网企业都在大力发展其API经济,所以API无处不在。 + +近年来,无数安全事件或者很多重大信息安全泄露事件都有API息息相关,因此,本章节介绍NAP如何对API进行防护。 + +可以通过OpenAPI配置文件来构建NAP的防护策略。 + +## Arcadia API环境说明 +如已有API Server环境也可以选择自己的环境。 + +1. 相关工具 +- Arcadia OAS3文件:https://app.swaggerhub.com/apis/F5EMEASSA/Arcadia-OAS3/2.0.1-schema +- Postman + + +2. Lab环境所需yaml配置文件: +``` +NginxApiSecurityPolicy.json +nginx.conf +log_default.json + +``` + + +## 配置步骤 + +1. SSH命令行登陆CentOS + +2. 切换目录 + +```bash +cd /etc/nginx +``` + + +3. 导入NginxApiSecurityPolicy.json配置文件 + +NAP的防护配置中已经调用了OpenAPI的swagger文件:https://api.swaggerhub.com/apis/F5EMEASSA/Arcadia-OAS3/2.0.1-schema/swagger.json + +NginxApiSecurityPolicy.json配置文件如下: + + +```json +{ + "policy" : { + "name" : "app_protect_api_security_policy", + "description" : "NGINX App Protect API Security Policy. The policy is intended to be used with an OpenAPI file", + "template": { + "name": "POLICY_TEMPLATE_NGINX_BASE" + }, + + "open-api-files" : [ + { + "link": "https://api.swaggerhub.com/apis/F5EMEASSA/Arcadia-OAS3/2.0.1-schema/swagger.json" + } + ], + + "enforcer-settings" : { + "enforcerStateCookies" : { + "secureAttribute" : "always" + } + }, + "blocking-settings" : { + "violations" : [ + { + "block" : true, + "description" : "Mandatory request body is missing", + "name" : "VIOL_MANDATORY_REQUEST_BODY" + }, + { + "block" : true, + "description" : "Illegal parameter location", + "name" : "VIOL_PARAMETER_LOCATION" + }, + { + "block" : true, + "description" : "Mandatory parameter is missing", + "name" : "VIOL_MANDATORY_PARAMETER" + }, + { + "block" : true, + "description" : "JSON data does not comply with JSON schema", + "name" : "VIOL_JSON_SCHEMA" + }, + { + "block" : true, + "description" : "Illegal parameter array value", + "name" : "VIOL_PARAMETER_ARRAY_VALUE" + }, + { + "block" : true, + "description" : "Illegal Base64 value", + "name" : "VIOL_PARAMETER_VALUE_BASE64" + }, + { + "block" : true, + "description" : "Illegal request content type", + 
"name" : "VIOL_URL_CONTENT_TYPE" + }, + { + "block" : true, + "description" : "Illegal static parameter value", + "name" : "VIOL_PARAMETER_STATIC_VALUE" + }, + { + "block" : true, + "description" : "Illegal parameter value length", + "name" : "VIOL_PARAMETER_VALUE_LENGTH" + }, + { + "block" : true, + "description" : "Illegal parameter data type", + "name" : "VIOL_PARAMETER_DATA_TYPE" + }, + { + "block" : true, + "description" : "Illegal parameter numeric value", + "name" : "VIOL_PARAMETER_NUMERIC_VALUE" + }, + { + "block" : true, + "description" : "Parameter value does not comply with regular expression", + "name" : "VIOL_PARAMETER_VALUE_REGEXP" + }, + { + "block" : true, + "description" : "Illegal URL", + "name" : "VIOL_URL" + }, + { + "block" : true, + "description" : "Illegal parameter", + "name" : "VIOL_PARAMETER" + }, + { + "block" : true, + "description" : "Illegal empty parameter value", + "name" : "VIOL_PARAMETER_EMPTY_VALUE" + }, + { + "block" : true, + "description" : "Illegal repeated parameter name", + "name" : "VIOL_PARAMETER_REPEATED" + }, + { + "block" : true, + "description" : "Illegal method", + "name" : "VIOL_METHOD" + }, + { + "block" : true, + "description" : "Illegal gRPC method", + "name" : "VIOL_GRPC_METHOD" + } + ] + }, + + "xml-profiles" : [ + { + "name" : "Default", + "defenseAttributes" : { + "maximumNameLength" : 1024 + } + } + ] + } +} +``` + +4. 
导入nginx.conf配置文件 + +在nginx的配置文件中的NAP防护策略文件中调用:NginxApiSecurityPolicy.json + +nginx.conf配置文件如下: + +```nginx + user nginx; + worker_processes auto; + + error_log /var/log/nginx/error.log notice; + pid /var/run/nginx.pid; + + load_module modules/ngx_http_app_protect_module.so; + + events { + worker_connections 1024; + } + + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + sendfile on; + keepalive_timeout 65; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + server { + listen 80; + server_name localhost; + proxy_http_version 1.1; + + app_protect_enable on; + app_protect_policy_file "/etc/nginx/NginxApiSecurityPolicy.json"; + app_protect_security_log_enable on; + # app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.1.20.11:5144; + app_protect_security_log "/etc/app_protect/conf/log_default.json" /var/log/nginx/access.log; + + location / { + resolver 10.1.1.8:5353; + resolver_timeout 5s; + client_max_body_size 0; + default_type text/html; + proxy_pass http://k8s.arcadia-finance.io:30274$request_uri; + } + } + } +``` + + +5. 重启nginx服务 + +```bash +sudo systemctl restart nginx +``` + +6. 确认nginx服务正常运行 + +```bash +sudo systemctl status nginx +``` + +确保nginx的服务已经active。 + +--- + + +## 测试验证步骤 + +### 正常API请求可以执行成功 + +1. 使用Postman,打开Arcadia API,如图: + +![Postman]() + +2. 发送Last Transaction的API call + +可以发现这是一个GET请求,如图: + +![Last Transaction]() + +检查API请求日志: +```bash +tail -f /var/log/nginx/access.log +``` + +``` +10.1.1.13 - - [10/Oct/2021:12:32:10 +0000] "GET /trading/transactions.php HTTP/1.1" 200 392 "-" "PostmanRuntime/7.28.4" "-" +``` +--- + +2. 
POST发送Buy Stocks的API call + +![Postman]() + +检查API请求日志: + +``` +10.1.1.13 - - [10/Oct/2021:12:35:59 +0000] "POST /trading/rest/buy_stocks.php HTTP/1.1" 200 99 "-" "PostmanRuntime/7.28.4" "-" +``` +--- + +3. POST发送Sell Stocks的API call + +![Postman]() + +检查API请求日志: + +``` +10.1.1.13 - - [10/Oct/2021:12:41:05 +0000] "POST /trading/rest/sell_stocks.php HTTP/1.1" 200 100 "-" "PostmanRuntime/7.28.4" "-" +``` +--- + +### 异常API请求被阻断 + +5. POST发送Buy Stocks的API call的同时增加跨站脚本XXS攻击 + +![Postman]() + +检查API请求被阻断的日志: + +```json + +attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)", +blocking_exception_reason="N/A", +date_time="2021-10-10 13:10:57", +dest_port="80", +ip_client="10.1.1.13", +is_truncated="false", +method="POST", +policy_name="app_protect_api_security_policy", +protocol="HTTP", +request_status="blocked", +response_code="0", +severity="Critical", +sig_cves="N/A", +sig_ids="200001475,200000098,200001088,200000157", +sig_names="XSS script tag end (Parameter) (2),XSS script tag (Parameter),alert() (Parameter)...", +sig_set_names="{Cross Site Scripting Signatures;High Accuracy Signatures},{Cross Site Scripting Signatures;High Accuracy Signatures},{Cross Site Scripting Signatures}...", +src_port="50020", +sub_violations="N/A", +support_id="609722702720363299", +threat_campaign_names="N/A", +unit_hostname="c68206ac-6bd7-49d0-ad95-d7b1ccb15787", +uri="/trading/rest/buy_stocks.php", +violation_rating="5", +vs_name="25-localhost:1-/", +x_forwarded_for_header_value="N/A", +outcome="REJECTED", +outcome_reason="SECURITY_WAF_VIOLATION", +violations="Illegal meta character in value,Attack signature detected,Violation Rating Threat detected,Bot Client Detected", +violation_details="100010cabd0c42-3a03f31c30000076477f0ffcbbd0fea-befbf35cb000007e0-200-042VIOL_ATTACK_SIGNATUREURLL3RyYWRpbmcvcmVzdC9idXlfc3RvY2tzLnBocA==0JSON312json_POST_~trading~rest~buy_stocks.phpdGVzdDxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuY29va2llKTwvc2NyaXB0Pg==element 
value2000014753dGVzdDxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuY29va2llKTwvc2NyaXB0Pg==572000000983dGVzdDxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuY29va2llKTwvc2NyaXB0Pg==472000010882dGVzdDxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuY29va2llKTwvc2NyaXB0Pg==1262000001572dGVzdDxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuY29va2llKTwvc2NyaXB0Pg==181524VIOL_PARAMETER_VALUE_METACHARURLL3RyYWRpbmcvcmVzdC9idXlfc3RvY2tzLnBocA==0JSON312json_POST_~trading~rest~buy_stocks.phpelement valuevaluedGVzdDxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuY29va2llKTwvc2NyaXB0Pg==60valuedGVzdDxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuY29va2llKTwvc2NyaXB0Pg==62valuedGVzdDxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuY29va2llKTwvc2NyaXB0Pg==40valuedGVzdDxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuY29va2llKTwvc2NyaXB0Pg==41valuedGVzdDxzY3JpcHQ+YWxlcnQoZG9jdW1lbnQuY29va2llKTwvc2NyaXB0Pg==47", +bot_signature_name="Postman", +bot_category="HTTP Library", +bot_anomalies="N/A", +enforced_bot_anomalies="N/A", +client_class="Untrusted Bot", +client_application="N/A", +client_application_version="N/A", +request="POST /trading/rest/buy_stocks.php HTTP/1.1\r\nContent-Type: application/json\r\nUser-Agent: PostmanRuntime/7.28.4\r\nAccept: */*\r\nPostman-Token: aa5289c8-e3d4-4c1d-ac63-73638d5aa6cc\r\nHost: app-protect-centos.arcadia-finance.io\r\nAccept-Encoding: gzip, deflate, br\r\nConnection: keep-alive\r\nContent-Length: 133\r\n\r\n{\r\n ""trans_value"":66,\r\n ""qty"":4,\r\n ""company"":""MSFT"",\r\n ""action"":""test"",\r\n ""stock_price"":198\r\n}", +transport_protocol="HTTP/1.1" + +``` +--- + +6. 
POST发送Transfer Money的API call的同时增加攻击 + +![Postman]() + +检查API请求被阻断的日志: + +```json + +attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)", +blocking_exception_reason="N/A", +date_time="2021-10-10 13:23:00", +dest_port="80", +ip_client="10.1.1.13", +is_truncated="false", +method="POST", +policy_name="app_protect_api_security_policy", +protocol="HTTP", +request_status="blocked", +response_code="0", +severity="Critical", +sig_cves="N/A", +sig_ids="200001475,200000098", +sig_names="XSS script tag end (Parameter) (2),XSS script tag (Parameter)", +sig_set_names="{Cross Site Scripting Signatures;High Accuracy Signatures},{Cross Site Scripting Signatures;High Accuracy Signatures}", +src_port="56874", +sub_violations="N/A", +support_id="609722702720363809", +threat_campaign_names="N/A", +unit_hostname="c68206ac-6bd7-49d0-ad95-d7b1ccb15787", +uri="/api/rest/execute_money_transfer.php", +violation_rating="5", +vs_name="25-localhost:1-/", +x_forwarded_for_header_value="N/A", +outcome="REJECTED", +outcome_reason="SECURITY_WAF_VIOLATION", +violations="Illegal meta character in value,Attack signature detected,JSON data does not comply with JSON schema,Violation Rating Threat detected,Bot Client Detected", +violation_details="100010cabd0c42-3a03f31c30000076477f0ffcbbd0fea-befbf35cb000007e0-200-042VIOL_ATTACK_SIGNATUREURLL2FwaS9yZXN0L2V4ZWN1dGVfbW9uZXlfdHJhbnNmZXIucGhw0JSON210json_POST_~api~rest~execute_money_transfer.phpPHNjcmlwdD4=element value2000014753PHNjcmlwdD4=172000000983PHNjcmlwdD4=0724VIOL_PARAMETER_VALUE_METACHARURLL2FwaS9yZXN0L2V4ZWN1dGVfbW9uZXlfdHJhbnNmZXIucGhw0JSON210json_POST_~api~rest~execute_money_transfer.phpelement valuevaluePHNjcmlwdD4=60valuePHNjcmlwdD4=6281VIOL_JSON_SCHEMAURLL2FwaS9yZXN0L2V4ZWN1dGVfbW9uZXlfdHJhbnNmZXIucGhw0JSON210json_POST_~api~rest~execute_money_transfer.phpelement value$.amountType Violationstringinteger$.accountType Violationstringinteger", +bot_signature_name="Postman", +bot_category="HTTP Library", 
+bot_anomalies="N/A", +enforced_bot_anomalies="N/A", +client_class="Untrusted Bot", +client_application="N/A", +client_application_version="N/A", +request="POST /api/rest/execute_money_transfer.php HTTP/1.1\r\nContent-Type: application/json\r\nUser-Agent: PostmanRuntime/7.28.4\r\nAccept: */*\r\nPostman-Token: 31b0c3db-1dd2-4872-a7da-8874037ad7ec\r\nHost: app-protect-centos.arcadia-finance.io\r\nAccept-Encoding: gzip, deflate, br\r\nConnection: keep-alive\r\nContent-Length: 95\r\n\r\n{\r\n ""amount"":""12"",\r\n ""account"":""\",\r\n\t\"stock_price\":198\r\n}" + }, + "url": { + "raw": "http://app-protect-centos.arcadia-finance.io/trading/rest/buy_stocks.php", + "protocol": "http", + "host": [ + "app-protect-centos", + "arcadia-finance", + "io" + ], + "path": [ + "trading", + "rest", + "buy_stocks.php" + ] + } + }, + "response": [] + }, + { + "name": "POST Transfert Money Attack", + "request": { + "auth": { + "type": "noauth" + }, + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json", + "type": "text" + } + ], + "body": { + "mode": "raw", + "raw": "{\r\n \"amount\":\"12\",\r\n \"account\":\"