diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/.keep" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/.keep"
deleted file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/README.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/README.md"
new file mode 100644
index 0000000000000000000000000000000000000000..8cb91a90d6f9bfeca2b17be302a26fe32a55348f
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/README.md"
@@ -0,0 +1,182 @@
+
+# 部署Arcadia API Server
+
+## Arcadia环境说明
+本章节Arcadia API Server环境采用kubernetes部署。如已有API Server环境也可以选择自己的环境。
+
+1. 拓扑架构
+
+2. Kubernetes环境
+
+3. Lab环境所需yaml配置文件:
+```
+app-protect-log-config.yaml
+app-protect-policy.yaml
+arcadia-virtualserver.yaml
+arcadia-services-nodeport.yaml
+arcadia-deployments.yaml
+arcadia-services-cluster-ip.yaml
+waf-policy-dataguard.yaml
+```
+
+
+## Kubenetes部署Arcadia应用
+
+1. SSH命令行登陆Kubernetes
+
+2. 创建Lab文件夹并将所需文件导入该文件夹
+```bash
+mkdir -p /home/ubuntu/lab-files/arcadia-manifests/
+```
+3. 部署Arcadia deployment
+```
+kubectl apply -f /home/ubuntu/lab-files/arcadia-manifests/arcadia-deployments.yaml
+```
+
+可以看到部署成功,如下:
+```
+deployment.apps/backend created
+deployment.apps/main created
+deployment.apps/app2 created
+deployment.apps/app3 created
+```
+---
+注:
+```
+此时,Arcadia应用已经正在运行,但是还没有通过Kubernetes服务暴露。
+```
+
+
+
+## 通过Kubenetes Nodeport暴露Arcadia应用
+
+4. 通过Nodeport服务暴露应用
+```
+kubectl apply -f /home/ubuntu/lab-files/arcadia-manifests/arcadia-services-nodeport.yaml
+```
+注:arcadia-services-nodeport.yaml配置如下:
+```yaml
+##################################################################################################
+# FILES - BACKEND
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: backend
+ namespace: default
+ labels:
+ app: backend
+ service: backend
+spec:
+ type: NodePort
+ ports:
+ - port: 80
+ nodePort: 30584
+ protocol: TCP
+ targetPort: 80
+ name: backend-80
+ selector:
+ app: backend
+---
+##################################################################################################
+# MAIN
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: main
+ namespace: default
+ labels:
+ app: main
+ service: main
+spec:
+ type: NodePort
+ ports:
+ - name: main-80
+ nodePort: 30585
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ selector:
+ app: main
+---
+##################################################################################################
+# APP2
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: app2
+ namespace: default
+ labels:
+ app: app2
+ service: app2
+spec:
+ type: NodePort
+ ports:
+ - port: 80
+ name: app2-80
+ nodePort: 30586
+ protocol: TCP
+ selector:
+ app: app2
+---
+##################################################################################################
+# APP3
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: app3
+ namespace: default
+ labels:
+ app: app3
+ service: app3
+spec:
+ type: NodePort
+ ports:
+ - port: 80
+ name: app3-80
+ nodePort: 30587
+ selector:
+ app: app3
+```
+完成后,可以看到创建了4个服务,如下:
+```
+service/backend created
+service/main created
+service/app2 created
+service/app3 created
+```
+
+---
+注:
+```
+此时Arcadia应用已经通过NodePort方式将BACKEND,MAIN,APP1,APP2和APP3这4个API服务暴露完成。
+
+但是还未对这些API服务进行NAP防护。
+```
+
+---
+
+## 验证Arcadia应用运行状态
+
+5. 浏览器访问http://centos.arcadia-finance.io/
+
+可以正常打开,如图:
+
+
+
+6. 点击登陆Login,输入用户名和密码
+
+用户名:matt
+
+密码:ilovef5
+
+可以看到对应的4个服务(main, back, app2和app3),如图:
+
+
+
+---
+到达此关卡,说明Arcadia应用已经部署完成,并通过NGINX Plus代理发布成功。🍺🍺
+---
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/app-protect-log-config.yaml" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/app-protect-log-config.yaml"
new file mode 100644
index 0000000000000000000000000000000000000000..0ffa031d6723e3f6eaf161834cb4c2289d0068ae
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/app-protect-log-config.yaml"
@@ -0,0 +1,13 @@
+---
+### App Protect Logs ###
+apiVersion: appprotect.f5.com/v1beta1
+kind: APLogConf
+metadata:
+ name: logconf
+spec:
+ filter:
+ request_type: all
+ content:
+ format: default
+ max_request_size: any
+ max_message_size: 5k
\ No newline at end of file
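Review bot: `request_type: all` combined with `max_request_size: any` (spec.filter / spec.content) puts every request into the remote security log in full, including the Lab-0 login POST with `matt`/`ilovef5` and any card or SSN values that the Data Guard policy is meant to mask, and the Policy in waf-policy-dataguard.yaml that consumes this APLogConf delivers it to a plain `syslog:` destination, so that data travels and is stored in cleartext. For a blocking-oriented lab `request_type: illegal` (or a numeric `max_request_size` cap instead of `any`) still captures every blocked attack the later labs show while keeping legitimate request bodies out of the log. The object also has no `metadata.namespace` even though the Policy references it as `default/logconf`; if a learner's kubeconfig context points elsewhere the reference silently breaks, so add `namespace: default` under `metadata`.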
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/app-protect-policy.yaml" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/app-protect-policy.yaml"
new file mode 100644
index 0000000000000000000000000000000000000000..c43c11f9786e3f646c48ca2eca83a6681de07f4c
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/app-protect-policy.yaml"
@@ -0,0 +1,25 @@
+#### app-protect-policy.yaml ###
+---
+apiVersion: appprotect.f5.com/v1beta1
+kind: APPolicy
+metadata:
+ name: dataguard-blocking
+spec:
+ policy:
+ name: dataguard_blocking
+ template:
+ name: POLICY_TEMPLATE_NGINX_BASE
+ applicationLanguage: utf-8
+ enforcementMode: blocking
+ blocking-settings:
+ violations:
+ - name: VIOL_DATA_GUARD
+ alarm: true
+ block: true
+ data-guard:
+ enabled: true
+ maskData: true
+ creditCardNumbers: true
+ usSocialSecurityNumbers: true
+ enforcementMode: ignore-urls-in-list
+ enforcementUrls: []
\ No newline at end of file
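Review bot: The APPolicy declares no `metadata.namespace`, yet waf-policy-dataguard.yaml references it as `default/dataguard-blocking`; with a kubeconfig context set to another namespace the CR lands there, the Policy reference fails to resolve and, as far as I know the Ingress Controller's behaviour, the VirtualServer is rejected or served without the WAF — add `namespace: default` under `metadata` so the lab does not depend on the caller's context. The Data Guard stanza also deserves a comment: with `VIOL_DATA_GUARD` set to `block: true` a response containing a card or SSN pattern is blocked outright, and `maskData: true` only takes effect when the violation is alarm-only, if I read the NAP semantics right, so the text should state which outcome the lab demonstrates. Finally `enforcementMode: ignore-urls-in-list` with `enforcementUrls: []` means every URL is inspected, which is intended here but reads like the opposite; a one-line comment such as `# empty ignore-list: Data Guard applies to all URLs` avoids the confusion.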
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-deployments.yaml" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-deployments.yaml"
new file mode 100644
index 0000000000000000000000000000000000000000..38fe2ef3cee8ca339e38d0589b010dceb46f32d7
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-deployments.yaml"
@@ -0,0 +1,137 @@
+##################################################################################################
+# FILES - BACKEND
+##################################################################################################
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: backend
+ namespace: default
+ labels:
+ app: backend
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: backend
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: backend
+ version: v1
+ spec:
+ containers:
+ - env:
+ - name: service_name
+ value: backend
+ image: registry.gitlab.com/arcadia-application/back-end/backend:latest
+ imagePullPolicy: IfNotPresent
+ name: backend
+ ports:
+ - containerPort: 80
+ protocol: TCP
+---
+##################################################################################################
+# MAIN
+##################################################################################################
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: main
+ namespace: default
+ labels:
+ app: main
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: main
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: main
+ version: v1
+ spec:
+ containers:
+ - env:
+ - name: service_name
+ value: main
+ image: registry.gitlab.com/arcadia-application/main-app/mainapp:latest
+ imagePullPolicy: IfNotPresent
+ name: main
+ ports:
+ - containerPort: 80
+ protocol: TCP
+---
+##################################################################################################
+# APP2
+##################################################################################################
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: app2
+ namespace: default
+ labels:
+ app: app2
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app2
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: app2
+ version: v1
+ spec:
+ containers:
+ - env:
+ - name: service_name
+ value: app2
+ image: registry.gitlab.com/arcadia-application/app2/app2:latest
+ imagePullPolicy: IfNotPresent
+ name: app2
+ ports:
+ - containerPort: 80
+ protocol: TCP
+---
+##################################################################################################
+# APP3
+##################################################################################################
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: app3
+ namespace: default
+ labels:
+ app: app3
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app3
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: app3
+ version: v1
+ spec:
+ containers:
+ - env:
+ - name: service_name
+ value: app3
+ image: registry.gitlab.com/arcadia-application/app3/app3:latest
+ imagePullPolicy: IfNotPresent
+ name: app3
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ resources: {}
+---
\ No newline at end of file
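Review bot: All four containers pull `:latest` with `imagePullPolicy: IfNotPresent` (first seen on the backend Deployment), so what actually runs depends on what a node already cached and on whatever the public GitLab registry publishes next; for a lab whose later steps cite exact signature IDs and blocked responses, pin a tag or a digest so the results reproduce. None of the pods set `resources` (app3 only has the empty `resources: {}`) or a `securityContext`, so one abusive request stream can starve the node and any in-container compromise has privilege escalation available. The images listen on port 80, so `runAsNonRoot` cannot be assumed safe without checking them, but limits and `allowPrivilegeEscalation: false` are; the snippet shows the additions for the backend container and the other three mirror it.
```yaml
      containers:
      - env:
        - name: service_name
          value: backend
        # pin a tag or digest (...@sha256:<digest>) instead of :latest so lab results reproduce
        image: registry.gitlab.com/arcadia-application/back-end/backend:latest
        imagePullPolicy: IfNotPresent
        name: backend
        # … unchanged: ports …
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 256Mi
        securityContext:
          allowPrivilegeEscalation: false
```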
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-services-cluster-ip.yaml" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-services-cluster-ip.yaml"
new file mode 100644
index 0000000000000000000000000000000000000000..2c5ad01c6b347bc770e056e3f4d46c92055520e8
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-services-cluster-ip.yaml"
@@ -0,0 +1,79 @@
+##################################################################################################
+# FILES - BACKEND
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: backend
+ namespace: default
+ labels:
+ app: backend
+ service: backend
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 80
+ name: backend-80
+ selector:
+ app: backend
+---
+##################################################################################################
+# MAIN
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: main
+ namespace: default
+ labels:
+ app: main
+ service: main
+spec:
+ type: ClusterIP
+ ports:
+ - name: main-80
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ selector:
+ app: main
+---
+##################################################################################################
+# APP2
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: app2
+ namespace: default
+ labels:
+ app: app2
+ service: app2
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ name: app2-80
+ selector:
+ app: app2
+---
+##################################################################################################
+# APP3
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: app3
+ namespace: default
+ labels:
+ app: app3
+ service: app3
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ name: app3-80
+ selector:
+ app: app3
\ No newline at end of file
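Review bot: These four Services carry exactly the same `metadata.name` and `namespace: default` as the ones in arcadia-services-nodeport.yaml, so whichever file is applied last silently flips the Service type — applying this one closes the node ports, applying the NodePort one afterwards silently reopens them — and nothing in the file says which variant it belongs to. Add a header comment such as `# ClusterIP variant for the Ingress Controller/VirtualServer path; replaces arcadia-services-nodeport.yaml` and have the README tell learners to delete the other file first. Style point: backend and main spell out `protocol: TCP` and `targetPort: 80` while app2 and app3 rely on the defaults; the defaults are equivalent, but write the four stanzas identically so a diff between them shows only the names.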
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-services-nodeport.yaml" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-services-nodeport.yaml"
new file mode 100644
index 0000000000000000000000000000000000000000..c279f008d0c6ef6e53718271efcd8a37a92f9142
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-services-nodeport.yaml"
@@ -0,0 +1,84 @@
+##################################################################################################
+# FILES - BACKEND
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: backend
+ namespace: default
+ labels:
+ app: backend
+ service: backend
+spec:
+ type: NodePort
+ ports:
+ - port: 80
+ nodePort: 30584
+ protocol: TCP
+ targetPort: 80
+ name: backend-80
+ selector:
+ app: backend
+---
+##################################################################################################
+# MAIN
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: main
+ namespace: default
+ labels:
+ app: main
+ service: main
+spec:
+ type: NodePort
+ ports:
+ - name: main-80
+ nodePort: 30585
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ selector:
+ app: main
+---
+##################################################################################################
+# APP2
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: app2
+ namespace: default
+ labels:
+ app: app2
+ service: app2
+spec:
+ type: NodePort
+ ports:
+ - port: 80
+ name: app2-80
+ nodePort: 30586
+ protocol: TCP
+ selector:
+ app: app2
+---
+##################################################################################################
+# APP3
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: app3
+ namespace: default
+ labels:
+ app: app3
+ service: app3
+spec:
+ type: NodePort
+ ports:
+ - port: 80
+ name: app3-80
+ nodePort: 30587
+ selector:
+ app: app3
\ No newline at end of file
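Review bot: Exposing backend, main, app2 and app3 as `type: NodePort` (30584–30587) publishes each upstream directly on every node address, so anyone who can reach the nodes talks to the apps without passing through the NGINX Plus proxy and NAP that the later labs put in front of them; the SQLi and traversal requests blocked in Lab-1 go straight through on `http://<node>:30585/`. In the Lab-1 topology the standalone nginx.conf itself proxies to these node ports, so they cannot simply be dropped there; at minimum say that explicitly and restrict reachability of the four ports to the proxy host (node firewall or cloud security group), and use arcadia-services-cluster-ip.yaml with the VirtualServer for the Ingress Controller variant. A header comment along the lines of `# NodePort exposes the apps unprotected; only the proxy host should be able to reach 30584-30587` would make the intent clear. Consistency nit: app3 is the only stanza without `protocol: TCP`.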
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-virtualserver.yaml" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-virtualserver.yaml"
new file mode 100644
index 0000000000000000000000000000000000000000..85bfd77dc5f1710c20082764cf9488d90d5e73c4
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/arcadia-virtualserver.yaml"
@@ -0,0 +1,34 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+ name: vs-arcadia
+spec:
+ host: k8s.arcadia-finance.io
+ policies:
+ - name: waf-policy
+ upstreams:
+ - name: main
+ service: main
+ port: 80
+ - name: backend
+ service: backend
+ port: 80
+ - name: app2
+ service: app2
+ port: 80
+ - name: app3
+ service: app3
+ port: 80
+ routes:
+ - path: /
+ action:
+ pass: main
+ - path: /files
+ action:
+ pass: backend
+ - path: /api
+ action:
+ pass: app2
+ - path: /app3
+ action:
+ pass: app3
\ No newline at end of file
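Review bot: The VirtualServer serves `k8s.arcadia-finance.io` over plain HTTP — there is no `tls` stanza — so the login credentials the README has learners submit, and the card/SSN data that Data Guard exists to protect, cross the network in cleartext even with the WAF attached; add `tls: {secret: <tls-secret-name>, redirect: {enable: true}}` under `spec`, with the secret holding the certificate and key for that host. The `policies` entry names `waf-policy` without a namespace, which resolves in the VirtualServer's own namespace, whereas the Policy it points at references its APPolicy and APLogConf as `default/...`, so note in a comment that this object must be applied into `default` as well. The `/` route is a catch-all that sends any path not matched by `/files`, `/api` or `/app3` to `main`; that is fine for the lab but worth stating.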
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/waf-policy-dataguard.yaml" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/waf-policy-dataguard.yaml"
new file mode 100644
index 0000000000000000000000000000000000000000..6af1286401c0eb5b858fa3d3123c68b53bf412c0
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-0-\347\216\257\345\242\203\346\220\255\345\273\272/waf-policy-dataguard.yaml"
@@ -0,0 +1,12 @@
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+ name: waf-policy
+spec:
+ waf:
+ enable: true
+ apPolicy: "default/dataguard-blocking"
+ securityLog:
+ enable: true
+ apLogConf: "default/logconf"
+ logDest: "syslog:server=10.1.20.11:5144"
\ No newline at end of file
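Review bot: `logDest: "syslog:server=10.1.20.11:5144"` delivers the security log — which with the referenced `logconf` (`request_type: all`, `max_request_size: any`) contains complete client requests including the login password — in cleartext to a collector, and the address differs from the `10.1.1.11:5144` used by the standalone nginx.conf in Lab-1, so unless both collectors exist one of the two setups logs nowhere; presumably they sit on different networks, but the README should say so. As far as I know NAP's syslog output has no TLS option, so keep the collector on a trusted segment or front it with a local relay, and for the lab prefer `request_type: illegal` in the APLogConf. Annotate the line with `# collector for the K8s lab; the standalone Lab-1 proxy logs to 10.1.1.11 — keep in sync`.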
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/1-README_NAP_Deployment.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/1-README_NAP_Deployment.md"
new file mode 100644
index 0000000000000000000000000000000000000000..22e8973694bb32c973546b513950c8dcbfd1c453
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/1-README_NAP_Deployment.md"
@@ -0,0 +1,185 @@
+# 概述
+
+NGINX App Protect(简称NAP)可以对web应用提供WAF防护功能,包括:OWASP Top 10,响应包检查,元字符检查,HTTP协议合规性检查,防逃逸技术,文件类型过滤,JSON、XML和gRPC检查,敏感参数防泄露等。
+
+## 前提条件
+1. NGINX Plus Release 22 及更高版本支持 NGINX App Protect。
+
+2. NGINX App Protect 支持以下操作系统:
+- CentOS/RHEL 7.4.x及更高
+- Debian 9 - (从NGINX Plus R24开始弃用)
+- Debian 10
+- Ubuntu 18.04
+- Ubuntu 20.04
+- Alpine 3.10
+
+3. NGINX App Protect支持的部署环境如下:
+- Linux主机
+- Docker
+- Kubernetes Ingress Controller
+- Cloud
+
+4. 申请好NGINX Plus测试许可。在自己试用账号门户站点里,下载好以下2个文件:
+```
+nginx-repo.key
+nginx-repo.crt
+```
+
+# Lab环境介绍
+
+本章节演示和实验采用在CentOS虚机中部署NGINX App Protect环境,学员可根据自己实际情况准备实验环境。本环境中包含以下组件:
+
+## NGINX Plus反向代理服务器
+后面简称反代,
+
+## Web API Servers
+使用Arcadia应用服务,通过GitLab下载安装:https://gitlab.com/arcadia-application
+
+## 测试客户端
+请预装以下软件,并且为了方便测试,建议在客户端hosts配置测试所用域名。
+- 浏览器
+- Postman
+- Jmeter
+
+# CentOS 7.4+环境的NAP安装步骤
+
+1. 如果前面章节的实验已有相关NGINX包,可以备份相关配置和日志
+```bash
+sudo cp -a /etc/nginx /etc/nginx-plus-backup
+sudo cp -a /var/log/nginx /var/log/nginx-plus-backup
+```
+2. 创建/etc/ssl/nginx/目录和/etc/nginx/目录
+```bash
+sudo mkdir -p /etc/ssl/nginx
+sudo mkdir -p /etc/nginx
+```
+3. 将以上《前提条件》中申请的测试许可从门户站点中下载好,并复制到/etc/ssl/nginx/目录下。
+
+4. 安装必备软件包
+```bash
+sudo yum install ca-certificates epel-release wget
+```
+5. 添加NGINX Plus库
+```bash
+sudo wget -P /etc/yum.repos.d https://cs.nginx.com/static/files/nginx-plus-7.repo
+```
+6.安装最新版本的NGINX App Protect软件包(包括NGINX Plus)
+```bash
+sudo yum install app-protect
+```
+注:也可以通过以下命令列出可用版本:
+```bash
+sudo yum --showduplicates list app-protect
+```
+从而选择指定版本进行安装,例如:
+```bash
+sudo yum install app-protect-20+2.52.1
+```
+7. 检查 NGINX 二进制版本以确保正确安装了 NGINX Plus
+```bash
+sudo nginx -v
+```
+8. 配置nginx,以下二选一。
+- 可以将Gitee中<11 NGINX Web与API安全>目录下的nginx.conf文件拷贝至/etc/nginx/目录
+- 或者直接vi将如下配置文件内容粘贴至/etc/nginx/nginx.conf中:
+```nginx
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+
+# load the app protect module
+load_module modules/ngx_http_app_protect_module.so;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # note that in the dockerfile, the logs are redirected to stdout and can be viewed with `docker logs`
+ access_log /var/log/nginx/access.log main;
+
+ server {
+ listen 80;
+ server_name localhost;
+ proxy_http_version 1.1;
+ proxy_cache_bypass $http_upgrade;
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_ignore_client_abort on;
+
+ app_protect_enable on;
+ app_protect_security_log_enable on;
+ # send the logs to the logstash instance on our ELK stack.
+ app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.1.1.11:5144;
+
+ # main service
+ location / {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30585$request_uri;
+ }
+
+ # backend service
+ location /files {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30584$request_uri;
+ }
+
+ # app2 service
+ location /api {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30586$request_uri;
+ }
+
+ # app2 service
+ location /app3 {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30587$request_uri;
+ }
+ }
+}
+```
+9. 关闭SELinux,允许全局访问
+```bash
+sudo setenforce 0
+```
+10. 启用并启动NGINX服务
+```bash
+sudo systemctl enable --now nginx.service
+```
+11. 检查运行是否正常
+```bash
+systemctl status nginx
+```
+可以看到nginx的服务已经是active的状态。
+
+---
+至此,就完成了NAP的安装和初始化相关工作。🍺
+---
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md"
new file mode 100644
index 0000000000000000000000000000000000000000..ed52b3ca1404216828ec6d2710221cdf3fd6c155
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/2-README_OWASP Top 10.md"
@@ -0,0 +1,534 @@
+# OWASP Top 10防护
+
+## 相关配置文件列表
+
+```
+nginx.conf
+policy_owasp_top10.json
+```
+
+
+# 测试工具
+
+- 浏览器
+- 模拟攻击脚本规则
+
+---
+
+# 模拟攻击测试
+
+
+## SQL注入防护
+
+1. 浏览器输入:
+```
+http://centos.arcadia-finance.io/?hfsagrs=-1+union+select+user%2Cpassword+from+users+--+
+```
+2. 请求被NAP阻断,阻断信息及support ID: 18029559235433355204:
+
+
+
+3. 攻击防护相关log信息:
+
+```json
+
+{
+ "_index": "waf-logs-2021.10.10",
+ "_type": "_doc",
+ "_id": "PkXKaHwBMIwAeeuRM3s4",
+ "_version": 1,
+ "_score": null,
+ "_source": {
+ "request_status": "blocked",
+ "severity": 2,
+ "bot_category": "Non-BOT",
+ "violation_details": "10000000200c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericLTEgdW5pb24gc2VsZWN0IHVzZXIscGFzc3dvcmQgZnJvbSB1c2VycyAtLSA=*002000025532aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==8152000000733aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==11402000027362aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==9142000000822aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==17342000025532aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==8152000000733aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==11402000027362aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==9142000000822aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==1734",
+ "uri": "/",
+ "bot_signature_name": "N/A",
+ "violations": [
+ "Attack signature detected",
+ "Violation Rating Threat detected"
+ ],
+ "ip_client": "10.1.1.13",
+ "src_port": "60422",
+ "message": "ASM:attack_type=\"Non-browser Client,SQL-Injection\",blocking_exception_reason=\"N/A\",date_time=\"2021-10-10 06:00:52\",dest_port=\"80\",ip_client=\"10.1.1.13\",is_truncated=\"false\",method=\"GET\",policy_name=\"app_protect_default_policy\",protocol=\"HTTP\",request_status=\"blocked\",response_code=\"0\",severity=\"Critical\",sig_cves=\"N/A\",sig_ids=\"200002553,200000073,200002736,200000082\",sig_names=\"SQL-INJ integer field UNION (Parameter),SQL-INJ \"\"UNION SELECT\"\" (Parameter),SQL-INJ ' UNION SELECT (Parameter)...\",sig_set_names=\"{SQL Injection Signatures},{High Accuracy Signatures;SQL Injection Signatures},{SQL Injection Signatures}...\",src_port=\"60422\",sub_violations=\"N/A\",support_id=\"18029559235433355204\",threat_campaign_names=\"N/A\",unit_hostname=\"c68206ac-6bd7-49d0-ad95-d7b1ccb15787\",uri=\"/\",violation_rating=\"5\",vs_name=\"26-localhost:1-/\",x_forwarded_for_header_value=\"N/A\",outcome=\"REJECTED\",outcome_reason=\"SECURITY_WAF_VIOLATION\",violations=\"Attack signature detected,Violation Rating Threat 
detected\",violation_details=\"10000000200c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericLTEgdW5pb24gc2VsZWN0IHVzZXIscGFzc3dvcmQgZnJvbSB1c2VycyAtLSA=*002000025532aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==8152000000733aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==11402000027362aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==9142000000822aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==17342000025532aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==8152000000733aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==11402000027362aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==9142000000822aGZzYWdycz0tMSB1bmlvbiBzZWxlY3QgdXNlcixwYXNzd29yZCBmcm9tIHVzZXJzIC0tIA==1734\",bot_signature_name=\"N/A\",bot_category=\"N/A\",bot_anomalies=\"N/A\",enforced_bot_anomalies=\"N/A\",client_class=\"Browser\",client_application=\"FireFox\",client_application_version=\"94\",request=\"GET /?hfsagrs=-1+union+select+user%2Cpassword+from+users+--+ HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n\",transport_protocol=\"HTTP/1.1\"\r\n",
+ "sig_set_names": [
+ "{SQL Injection Signatures}",
+ "{High Accuracy Signatures;SQL Injection Signatures}",
+ "{SQL Injection Signatures}..."
+ ],
+ "priority": 130,
+ "timestamp": "Oct 10 06:00:53",
+ "sig_cves": [
+ "N/A"
+ ],
+ "x_forwarded_for_header_value": "N/A",
+ "source_host": "10.1.1.13",
+ "request": "GET /?hfsagrs=-1+union+select+user%2Cpassword+from+users+--+ HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n",
+ "violation_rating": "5",
+ "geoip": {},
+ "unit_hostname": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787",
+ "dest_port": "80",
+ "outcome_reason": "SECURITY_WAF_VIOLATION",
+ "tags": [
+ "waf",
+ "_geoip_lookup_failure"
+ ],
+ "host": "10.1.1.9",
+ "facility": 16,
+ "date_time": "2021-10-10 06:00:52",
+ "sub_violations": [
+ "N/A"
+ ],
+ "logsource": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787",
+ "facility_label": "local0",
+ "blocking_exception_reason": "N/A",
+ "@timestamp": "2021-10-10T06:00:53.000Z",
+ "severity_label": "Critical",
+ "is_truncated": "false",
+ "method": "GET",
+ "policy_name": "app_protect_default_policy",
+ "client_class": "Browser",
+ "protocol": "HTTP",
+ "support_id": "18029559235433355204",
+ "@version": "1",
+ "sig_ids": [
+ "200002553",
+ "200000073",
+ "200002736",
+ "200000082"
+ ],
+ "vs_name": "26-localhost:1-/",
+ "outcome": "REJECTED",
+ "bot_anomalies": [
+ "N/A"
+ ],
+ "response_code": "Blocked",
+ "sig_names": [
+ "SQL-INJ integer field UNION (Parameter)",
+ "SQL-INJ "
+ ]
+ },
+ "fields": {
+ "@timestamp": [
+ "2021-10-10T06:00:53.000Z"
+ ]
+ },
+ "sort": [
+ 1633845653000
+ ]
+}
+```
+
+
+---
+
+
+## Remote File Include (RFI)远程文件包含防护
+
+解释:
+```
+攻击者利用包含的特性,加上应用本身对文件(包含)控制不严格,最终造成攻击者进行任意文件包含。
+包含的文件内容会被当成PHP脚本文件来解析,从而攻击者可以在包含文件里面使用恶意脚本。
+```
+
+1. 浏览器输入:
+```
+http://centos.arcadia-finance.io/?hfsagrs=php%3A%2F%2Ffilter%2Fresource%3Dhttp%3A%2F%2Fgoogle.com%2Fsearch
+```
+2. 请求被NAP阻断,阻断信息及support ID: 302917768469178547:
+
+
+
+3. 攻击防护相关log信息:
+
+```json
+{
+ "_index": "waf-logs-2021.10.10",
+ "_type": "_doc",
+ "_id": "P0XQaHwBMIwAeeuRXXtZ",
+ "_version": 1,
+ "_score": null,
+ "_source": {
+ "request_status": "blocked",
+ "severity": 3,
+ "bot_category": "Non-BOT",
+ "violation_details": "10000000200c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericcGhwOi8vZmlsdGVyL3Jlc291cmNlPWh0dHA6Ly9nb29nbGUuY29tL3NlYXJjaA==*002000220133aGZzYWdycz1waHA6Ly9maWx0ZXIvcmVzb3VyY2U9aHR0cDovL2dvb2dsZS5jb20vc2VhcmNo812",
+ "uri": "/",
+ "bot_signature_name": "N/A",
+ "violations": [
+ "Attack signature detected"
+ ],
+ "ip_client": "10.1.1.13",
+ "src_port": "60432",
+ "message": "ASM:attack_type=\"Remote File Include\",blocking_exception_reason=\"N/A\",date_time=\"2021-10-10 06:07:38\",dest_port=\"80\",ip_client=\"10.1.1.13\",is_truncated=\"false\",method=\"GET\",policy_name=\"app_protect_default_policy\",protocol=\"HTTP\",request_status=\"blocked\",response_code=\"0\",severity=\"Error\",sig_cves=\"N/A\",sig_ids=\"200022013\",sig_names=\"PHP remote file include attempt - filter\",sig_set_names=\"{High Accuracy Signatures;Remote File Include Signatures}\",src_port=\"60432\",sub_violations=\"N/A\",support_id=\"302917768469178547\",threat_campaign_names=\"N/A\",unit_hostname=\"c68206ac-6bd7-49d0-ad95-d7b1ccb15787\",uri=\"/\",violation_rating=\"3\",vs_name=\"26-localhost:1-/\",x_forwarded_for_header_value=\"N/A\",outcome=\"REJECTED\",outcome_reason=\"SECURITY_WAF_VIOLATION\",violations=\"Attack signature detected\",violation_details=\"10000000200c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericcGhwOi8vZmlsdGVyL3Jlc291cmNlPWh0dHA6Ly9nb29nbGUuY29tL3NlYXJjaA==*002000220133aGZzYWdycz1waHA6Ly9maWx0ZXIvcmVzb3VyY2U9aHR0cDovL2dvb2dsZS5jb20vc2VhcmNo812\",bot_signature_name=\"N/A\",bot_category=\"N/A\",bot_anomalies=\"N/A\",enforced_bot_anomalies=\"N/A\",client_class=\"Browser\",client_application=\"FireFox\",client_application_version=\"94\",request=\"GET /?hfsagrs=php%3A%2F%2Ffilter%2Fresource%3Dhttp%3A%2F%2Fgoogle.com%2Fsearch HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n\",transport_protocol=\"HTTP/1.1\"\r\n",
+ "sig_set_names": [
+ "{High Accuracy Signatures;Remote File Include Signatures}"
+ ],
+ "priority": 131,
+ "timestamp": "Oct 10 06:07:38",
+ "sig_cves": [
+ "N/A"
+ ],
+ "x_forwarded_for_header_value": "N/A",
+ "source_host": "10.1.1.13",
+ "request": "GET /?hfsagrs=php%3A%2F%2Ffilter%2Fresource%3Dhttp%3A%2F%2Fgoogle.com%2Fsearch HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n",
+ "violation_rating": "3",
+ "geoip": {},
+ "unit_hostname": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787",
+ "dest_port": "80",
+ "outcome_reason": "SECURITY_WAF_VIOLATION",
+ "tags": [
+ "waf",
+ "_geoip_lookup_failure"
+ ],
+ "host": "10.1.1.9",
+ "facility": 16,
+ "date_time": "2021-10-10 06:07:38",
+ "sub_violations": [
+ "N/A"
+ ],
+ "logsource": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787",
+ "facility_label": "local0",
+ "blocking_exception_reason": "N/A",
+ "@timestamp": "2021-10-10T06:07:38.000Z",
+ "severity_label": "Error",
+ "is_truncated": "false",
+ "method": "GET",
+ "policy_name": "app_protect_default_policy",
+ "client_class": "Browser",
+ "protocol": "HTTP",
+ "support_id": "302917768469178547",
+ "@version": "1",
+ "sig_ids": [
+ "200022013"
+ ],
+ "vs_name": "26-localhost:1-/",
+ "outcome": "REJECTED",
+ "bot_anomalies": [
+ "N/A"
+ ],
+ "response_code": "Blocked",
+ "sig_names": [
+ "PHP remote file include attempt - filter"
+ ]
+ },
+ "fields": {
+ "@timestamp": [
+ "2021-10-10T06:07:38.000Z"
+ ]
+ },
+ "sort": [
+ 1633846058000
+ ]
+}
+```
+
+
+---
+
+## 路径遍历防护
+
+1. 浏览器输入:
+```
+http://centos.arcadia-finance.io/lua/login.lua?referer=google.com%2F&hfsagrs=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
+```
+2. 请求被NAP阻断,阻断信息及support ID: 18029559235433355714:
+
+
+
+3. 攻击防护相关log信息:
+
+```json
+{
+ "_index": "waf-logs-2021.10.10",
+ "_type": "_doc",
+ "_id": "QkXaaHwBMIwAeeuRPntr",
+ "_version": 1,
+ "_score": null,
+ "_source": {
+ "request_status": "blocked",
+ "severity": 2,
+ "bot_category": "Non-BOT",
+ "violation_details": "10000000000c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericLy4uLy4uLy4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q=*002000001902aGZzYWdycz0vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==932000030542aGZzYWdycz0vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==3072000039092aGZzYWdycz0vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==3211",
+ "uri": "/lua/login.lua",
+ "bot_signature_name": "N/A",
+ "violations": [
+ "Attack signature detected",
+ "Violation Rating Threat detected"
+ ],
+ "ip_client": "10.1.1.13",
+ "src_port": "62546",
+ "message": "ASM:attack_type=\"Non-browser Client,Predictable Resource Location,Path Traversal\",blocking_exception_reason=\"N/A\",date_time=\"2021-10-10 06:18:24\",dest_port=\"80\",ip_client=\"10.1.1.13\",is_truncated=\"false\",method=\"GET\",policy_name=\"app_protect_default_policy\",protocol=\"HTTP\",request_status=\"blocked\",response_code=\"0\",severity=\"Critical\",sig_cves=\"N/A\",sig_ids=\"200000190,200003054,200003909\",sig_names=\"Directory Traversal attempt (parameter),Directory Traversal attempt (../etc/) (Parameter),\"\"/etc/passwd\"\" access (Parameter)\",sig_set_names=\"{Path Traversal Signatures},{Path Traversal Signatures},{Predictable Resource Location Signatures}\",src_port=\"62546\",sub_violations=\"N/A\",support_id=\"18029559235433355714\",threat_campaign_names=\"N/A\",unit_hostname=\"c68206ac-6bd7-49d0-ad95-d7b1ccb15787\",uri=\"/lua/login.lua\",violation_rating=\"5\",vs_name=\"26-localhost:1-/\",x_forwarded_for_header_value=\"N/A\",outcome=\"REJECTED\",outcome_reason=\"SECURITY_WAF_VIOLATION\",violations=\"Attack signature detected,Violation Rating Threat detected\",violation_details=\"10000000000c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericLy4uLy4uLy4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q=*002000001902aGZzYWdycz0vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==932000030542aGZzYWdycz0vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==3072000039092aGZzYWdycz0vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==3211\",bot_signature_name=\"N/A\",bot_category=\"N/A\",bot_anomalies=\"N/A\",enforced_bot_anomalies=\"N/A\",client_class=\"Browser\",client_application=\"FireFox\",client_application_version=\"94\",request=\"GET /lua/login.lua?referer=google.com%2F&hfsagrs=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n\",transport_protocol=\"HTTP/1.1\"\r\n",
+ "sig_set_names": [
+ "{Path Traversal Signatures}",
+ "{Path Traversal Signatures}",
+ "{Predictable Resource Location Signatures}"
+ ],
+ "priority": 130,
+ "timestamp": "Oct 10 06:18:25",
+ "sig_cves": [
+ "N/A"
+ ],
+ "x_forwarded_for_header_value": "N/A",
+ "source_host": "10.1.1.13",
+ "request": "GET /lua/login.lua?referer=google.com%2F&hfsagrs=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n",
+ "violation_rating": "5",
+ "geoip": {},
+ "unit_hostname": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787",
+ "dest_port": "80",
+ "outcome_reason": "SECURITY_WAF_VIOLATION",
+ "tags": [
+ "waf",
+ "_geoip_lookup_failure"
+ ],
+ "host": "10.1.1.9",
+ "facility": 16,
+ "date_time": "2021-10-10 06:18:24",
+ "sub_violations": [
+ "N/A"
+ ],
+ "logsource": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787",
+ "facility_label": "local0",
+ "blocking_exception_reason": "N/A",
+ "@timestamp": "2021-10-10T06:18:25.000Z",
+ "severity_label": "Critical",
+ "is_truncated": "false",
+ "method": "GET",
+ "policy_name": "app_protect_default_policy",
+ "client_class": "Browser",
+ "protocol": "HTTP",
+ "support_id": "18029559235433355714",
+ "@version": "1",
+ "sig_ids": [
+ "200000190",
+ "200003054",
+ "200003909"
+ ],
+ "vs_name": "26-localhost:1-/",
+ "outcome": "REJECTED",
+ "bot_anomalies": [
+ "N/A"
+ ],
+ "response_code": "Blocked",
+ "sig_names": [
+ "Directory Traversal attempt (parameter)",
+ "Directory Traversal attempt (../etc/) (Parameter)"
+ ]
+ },
+ "fields": {
+ "@timestamp": [
+ "2021-10-10T06:18:25.000Z"
+ ]
+ },
+ "sort": [
+ 1633846705000
+ ]
+}
+```
+
+---
+
+## Cross Site Scripting防护
+
+1. 浏览器输入:
+```
+http://centos.arcadia-finance.io/lua/login.lua?referer=google.com%2F&hfsagrs=+oNmouseoVer%3Dbfet%28%29+
+```
+2. 请求被NAP阻断,阻断信息及support ID: 18029559235433356224:
+
+
+
+3. 攻击防护相关log信息:
+
+```json
+{
+ "_index": "waf-logs-2021.10.10",
+ "_type": "_doc",
+ "_id": "Q0XhaHwBMIwAeeuRSXvX",
+ "_version": 1,
+ "_score": null,
+ "_source": {
+ "request_status": "blocked",
+ "severity": 2,
+ "bot_category": "Non-BOT",
+ "violation_details": "10000000200c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericIG9ObW91c2VvVmVyPWJmZXQoKSA=*002000010013aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==9122001011623aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==9122000010013aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==9122001011623aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==912",
+ "uri": "/lua/login.lua",
+ "bot_signature_name": "N/A",
+ "violations": [
+ "Attack signature detected",
+ "Violation Rating Threat detected"
+ ],
+ "ip_client": "10.1.1.13",
+ "src_port": "62556",
+ "message": "ASM:attack_type=\"Non-browser Client,Cross Site Scripting (XSS)\",blocking_exception_reason=\"N/A\",date_time=\"2021-10-10 06:26:07\",dest_port=\"80\",ip_client=\"10.1.1.13\",is_truncated=\"false\",method=\"GET\",policy_name=\"app_protect_default_policy\",protocol=\"HTTP\",request_status=\"blocked\",response_code=\"0\",severity=\"Critical\",sig_cves=\"N/A\",sig_ids=\"200001001,200101162\",sig_names=\"onmouse... (Parameter),onmouseover (Parameter)\",sig_set_names=\"{Cross Site Scripting Signatures;High Accuracy Signatures},{Cross Site Scripting Signatures;High Accuracy Signatures}\",src_port=\"62556\",sub_violations=\"N/A\",support_id=\"18029559235433356224\",threat_campaign_names=\"N/A\",unit_hostname=\"c68206ac-6bd7-49d0-ad95-d7b1ccb15787\",uri=\"/lua/login.lua\",violation_rating=\"5\",vs_name=\"26-localhost:1-/\",x_forwarded_for_header_value=\"N/A\",outcome=\"REJECTED\",outcome_reason=\"SECURITY_WAF_VIOLATION\",violations=\"Attack signature detected,Violation Rating Threat detected\",violation_details=\"10000000200c00-3a03030c30000072477f0ffcbbd0fea-befbf35cb000007e0-00-042VIOL_ATTACK_SIGNATUREparameterglobalaGZzYWdycw==alpha-numericIG9ObW91c2VvVmVyPWJmZXQoKSA=*002000010013aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==9122001011623aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==9122000010013aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==9122001011623aGZzYWdycz0gb05tb3VzZW9WZXI9YmZldCgpIA==912\",bot_signature_name=\"N/A\",bot_category=\"N/A\",bot_anomalies=\"N/A\",enforced_bot_anomalies=\"N/A\",client_class=\"Browser\",client_application=\"FireFox\",client_application_version=\"94\",request=\"GET /lua/login.lua?referer=google.com%2F&hfsagrs=+oNmouseoVer%3Dbfet%28%29+ HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, 
deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n\",transport_protocol=\"HTTP/1.1\"\r\n",
+ "sig_set_names": [
+ "{Cross Site Scripting Signatures;High Accuracy Signatures}",
+ "{Cross Site Scripting Signatures;High Accuracy Signatures}"
+ ],
+ "priority": 130,
+ "timestamp": "Oct 10 06:26:07",
+ "sig_cves": [
+ "N/A"
+ ],
+ "x_forwarded_for_header_value": "N/A",
+ "source_host": "10.1.1.13",
+ "request": "GET /lua/login.lua?referer=google.com%2F&hfsagrs=+oNmouseoVer%3Dbfet%28%29+ HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n",
+ "violation_rating": "5",
+ "geoip": {},
+ "unit_hostname": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787",
+ "dest_port": "80",
+ "outcome_reason": "SECURITY_WAF_VIOLATION",
+ "tags": [
+ "waf",
+ "_geoip_lookup_failure"
+ ],
+ "host": "10.1.1.9",
+ "facility": 16,
+ "date_time": "2021-10-10 06:26:07",
+ "sub_violations": [
+ "N/A"
+ ],
+ "logsource": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787",
+ "facility_label": "local0",
+ "blocking_exception_reason": "N/A",
+ "@timestamp": "2021-10-10T06:26:07.000Z",
+ "severity_label": "Critical",
+ "is_truncated": "false",
+ "method": "GET",
+ "policy_name": "app_protect_default_policy",
+ "client_class": "Browser",
+ "protocol": "HTTP",
+ "support_id": "18029559235433356224",
+ "@version": "1",
+ "sig_ids": [
+ "200001001",
+ "200101162"
+ ],
+ "vs_name": "26-localhost:1-/",
+ "outcome": "REJECTED",
+ "bot_anomalies": [
+ "N/A"
+ ],
+ "response_code": "Blocked",
+ "sig_names": [
+ "onmouse... (Parameter)",
+ "onmouseover (Parameter)"
+ ]
+ },
+ "fields": {
+ "@timestamp": [
+ "2021-10-10T06:26:07.000Z"
+ ]
+ },
+ "sort": [
+ 1633847167000
+ ]
+}
+```
+
+---
+
+## Multiple decoding多次解码防护
+
+1. 浏览器输入:
+```
+http://centos.arcadia-finance.io/three_decodin%2525252567.html
+```
+2. 请求被NAP告警,告警信息及support ID: 302917768469183137:
+
+
+
+3. 攻击防护相关log信息:
+
+```json
+{
+ "_index": "waf-logs-2021.10.10",
+ "_type": "_doc",
+ "_id": "TEX3aHwBMIwAeeuRSXur",
+ "_version": 1,
+ "_score": null,
+ "_source": {
+ "request_status": "alerted",
+ "severity": 2,
+ "bot_category": "Non-BOT",
+ "violation_details": "10000000000c00-3a03030c30000072577f0ffcb9d0fea-befbf35cb000007e0-00-07VIOL_EVASIONuriL3RocmVlX2RlY29kaW4lMjUyNTI1MjU2OC5odG1s14716",
+ "uri": "/three_decodin%2568.html",
+ "bot_signature_name": "N/A",
+ "violations": [
+ "Evasion technique detected"
+ ],
+ "ip_client": "10.1.1.13",
+ "src_port": "55122",
+ "message": "ASM:attack_type=\"Detection Evasion\",blocking_exception_reason=\"N/A\",date_time=\"2021-10-10 06:50:08\",dest_port=\"80\",ip_client=\"10.1.1.13\",is_truncated=\"false\",method=\"GET\",policy_name=\"app_protect_default_policy\",protocol=\"HTTP\",request_status=\"alerted\",response_code=\"404\",severity=\"Critical\",sig_cves=\"N/A\",sig_ids=\"N/A\",sig_names=\"N/A\",sig_set_names=\"N/A\",src_port=\"55122\",sub_violations=\"Evasion technique detected:Multiple decoding\",support_id=\"302917768469183137\",threat_campaign_names=\"N/A\",unit_hostname=\"c68206ac-6bd7-49d0-ad95-d7b1ccb15787\",uri=\"/three_decodin%2568.html\",violation_rating=\"2\",vs_name=\"26-localhost:1-/\",x_forwarded_for_header_value=\"N/A\",outcome=\"PASSED\",outcome_reason=\"SECURITY_WAF_FLAGGED\",violations=\"Evasion technique detected\",violation_details=\"10000000000c00-3a03030c30000072577f0ffcb9d0fea-befbf35cb000007e0-00-07VIOL_EVASIONuriL3RocmVlX2RlY29kaW4lMjUyNTI1MjU2OC5odG1s14716\",bot_signature_name=\"N/A\",bot_category=\"N/A\",bot_anomalies=\"N/A\",enforced_bot_anomalies=\"N/A\",client_class=\"Browser\",client_application=\"FireFox\",client_application_version=\"94\",request=\"GET /three_decodin%2525252568.html HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nCookie: PHPSESSID=9pucfgkfrtk71i9dvmo072jokn\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n\",transport_protocol=\"HTTP/1.1\"\r\n",
+ "sig_set_names": [
+ "N/A"
+ ],
+ "priority": 130,
+ "timestamp": "Oct 10 06:50:09",
+ "sig_cves": [
+ "N/A"
+ ],
+ "x_forwarded_for_header_value": "N/A",
+ "source_host": "10.1.1.13",
+ "request": "GET /three_decodin%2525252568.html HTTP/1.1\\r\\nHost: centos.arcadia-finance.io\\r\\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0\\r\\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\\r\\nAccept-Language: en-US,en;q=0.5\\r\\nAccept-Encoding: gzip, deflate\\r\\nConnection: keep-alive\\r\\nCookie: PHPSESSID=9pucfgkfrtk71i9dvmo072jokn\\r\\nUpgrade-Insecure-Requests: 1\\r\\n\\r\\n",
+ "violation_rating": "2",
+ "geoip": {},
+ "unit_hostname": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787",
+ "dest_port": "80",
+ "outcome_reason": "SECURITY_WAF_FLAGGED",
+ "tags": [
+ "waf",
+ "_geoip_lookup_failure"
+ ],
+ "host": "10.1.1.9",
+ "facility": 16,
+ "date_time": "2021-10-10 06:50:08",
+ "sub_violations": [
+ "Evasion technique detected:Multiple decoding"
+ ],
+ "logsource": "c68206ac-6bd7-49d0-ad95-d7b1ccb15787",
+ "facility_label": "local0",
+ "blocking_exception_reason": "N/A",
+ "@timestamp": "2021-10-10T06:50:09.000Z",
+ "severity_label": "Critical",
+ "is_truncated": "false",
+ "method": "GET",
+ "policy_name": "app_protect_default_policy",
+ "client_class": "Browser",
+ "protocol": "HTTP",
+ "support_id": "302917768469183137",
+ "@version": "1",
+ "sig_ids": [
+ "N/A"
+ ],
+ "vs_name": "26-localhost:1-/",
+ "outcome": "PASSED",
+ "bot_anomalies": [
+ "N/A"
+ ],
+ "response_code": "404",
+ "sig_names": [
+ "N/A"
+ ]
+ },
+ "fields": {
+ "@timestamp": [
+ "2021-10-10T06:50:09.000Z"
+ ]
+ },
+ "sort": [
+ 1633848609000
+ ]
+}
+```
+
+---
+本章节Lab主要介绍了NAP对OWASP Top 10常见攻击的防护,大家可以多测试不同的攻击策略以及调整NAP的防护策略。🍺
+---
+
+
+
+
+
+
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/README.md" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/README.md"
new file mode 100644
index 0000000000000000000000000000000000000000..07676877edb2161111ae31f70efa9cc64464f8e7
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/README.md"
@@ -0,0 +1,12 @@
+# 本章节Lab实验简介
+
+## Lab顺序
+
+### Step-1:NAP部署
+
+### Step-2:OWASP Top 10测试
+
+---
+注:
+- NAP部署手册请参考《1-README_NAP_Deployment.md》
+- OWASP Top 10测试手册请参考《1-README_OWASP Top 10.md》
\ No newline at end of file
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/nginx.conf" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/nginx.conf"
new file mode 100644
index 0000000000000000000000000000000000000000..6f04469a51a0b728579b6e5ccede9b8858f63132
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/nginx.conf"
@@ -0,0 +1,82 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+
+# load the app protect module
+load_module modules/ngx_http_app_protect_module.so;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # note that in the dockerfile, the logs are redirected to stdout and can be viewed with `docker logs`
+ access_log /var/log/nginx/access.log main;
+
+ server {
+ listen 80;
+ server_name localhost;
+ proxy_http_version 1.1;
+ proxy_cache_bypass $http_upgrade;
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_ignore_client_abort on;
+
+ app_protect_enable on;
+ app_protect_security_log_enable on;
+ # send the logs to the logstash instance on our ELK stack.
+ app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.1.1.11:5144;
+
+ # main service
+ location / {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30585$request_uri;
+ }
+
+ # backend service
+ location /files {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30584$request_uri;
+ }
+
+ # app2 service
+ location /api {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30586$request_uri;
+ }
+
+ # app2 service
+ location /app3 {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30587$request_uri;
+ }
+ }
+}
\ No newline at end of file
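Review bot: `proxy_set_header Connection "upgrade";` in the server block is a constant, so every proxied request carries `Connection: upgrade` to the upstream, not only WebSocket handshakes; the identical lines appear in nginx_owasp_top10.conf. The conventional form derives the value from `$http_upgrade` with a `map` in the http context and `proxy_set_header Connection $connection_upgrade;`, shown below. Two smaller points: `client_max_body_size 0;` in all four locations removes the request-body limit entirely, which deserves a comment stating it is a deliberate lab setting rather than a production one, and the comment above `location /app3` reads `# app2 service` and should be `# app3 service`.
```nginx
http {
    # … unchanged: include, default_type, sendfile, keepalive_timeout, log_format, access_log …

    # Only ask the upstream for a protocol upgrade when the client requested one.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        # … unchanged: listen, server_name, proxy_http_version, other proxy_set_header lines …
        proxy_set_header Connection $connection_upgrade;
        # … unchanged: app_protect directives and location blocks …
    }
}
```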
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/nginx_owasp_top10.conf" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/nginx_owasp_top10.conf"
new file mode 100644
index 0000000000000000000000000000000000000000..d712ba7f8bde0fadb121541e1628dfaaf182dca9
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/nginx_owasp_top10.conf"
@@ -0,0 +1,83 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+
+# load the app protect module
+load_module modules/ngx_http_app_protect_module.so;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # note that in the dockerfile, the logs are redirected to stdout and can be viewed with `docker logs`
+ access_log /var/log/nginx/access.log main;
+
+ server {
+ listen 80;
+ server_name localhost;
+ proxy_http_version 1.1;
+ proxy_cache_bypass $http_upgrade;
+
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_ignore_client_abort on;
+
+ app_protect_enable on;
+ app_protect_security_log_enable on;
+ app_protect_policy_file "/etc/nginx/policy_owasp_top10.json";
+ # send the logs to the logstash instance on our ELK stack.
+ app_protect_security_log "/etc/app_protect/conf/log_default.json" syslog:server=10.1.1.11:5144;
+
+ # main service
+ location / {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30585$request_uri;
+ }
+
+ # backend service
+ location /files {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30584$request_uri;
+ }
+
+ # app2 service
+ location /api {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30586$request_uri;
+ }
+
+ # app2 service
+ location /app3 {
+ resolver 10.1.1.8:5353;
+ resolver_timeout 5s;
+ client_max_body_size 0;
+ default_type text/html;
+ proxy_pass http://k8s.arcadia-finance.io:30587$request_uri;
+ }
+ }
+}
\ No newline at end of file
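Review bot: `app_protect_policy_file "/etc/nginx/policy_owasp_top10.json";` references an absolute path, while this commit ships the policy as `policy_owasp_top10.json` beside the conf file, and nothing in the hunk says how the file reaches `/etc/nginx`. A comment above the directive such as `# policy_owasp_top10.json from this lab folder must be copied to /etc/nginx before reloading` would make that dependency explicit. As a matter of style, the rest of the file repeats nginx.conf line for line; keeping the shared server body in one included fragment would stop the two copies drifting apart.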
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/policy_owasp_top10.json" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/policy_owasp_top10.json"
new file mode 100644
index 0000000000000000000000000000000000000000..bcf8ec057c4a262ca010325d79a262d2caa2e11d
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-1-OWASP Top 10\351\230\262\346\212\244/policy_owasp_top10.json"
@@ -0,0 +1,86 @@
+{
+ "policy": {
+ "name": "Complete_OWASP_Top_Ten",
+ "description": "A generic, OWASP Top 10 protection items v1.0",
+ "template": {
+ "name": "POLICY_TEMPLATE_NGINX_BASE"
+ },
+ "enforcementMode":"blocking",
+ "signature-settings":{
+ "signatureStaging": false,
+ "minimumAccuracyForAutoAddedSignatures": "high"
+ },
+ "caseInsensitive": true,
+ "general": {
+ "trustXff": true
+ },
+ "data-guard": {
+ "enabled": true
+ },
+ "blocking-settings": {
+ "violations": [
+ {
+ "alarm": true,
+ "block": true,
+ "description": "Modified NAP cookie",
+ "name": "VIOL_ASM_COOKIE_MODIFIED"
+ },
+ {
+ "alarm": true,
+ "block": true,
+ "description": "XML data does not comply with format settings",
+ "name": "VIOL_XML_FORMAT"
+ },
+ {
+ "name": "VIOL_FILETYPE",
+ "alarm": true,
+ "block": true
+ }
+ ],
+ "evasions": [
+ {
+ "description": "Bad unescape",
+ "enabled": true
+ },
+ {
+ "description": "Apache whitespace",
+ "enabled": true
+ },
+ {
+ "description": "Bare byte decoding",
+ "enabled": true
+ },
+ {
+ "description": "IIS Unicode codepoints",
+ "enabled": true
+ },
+ {
+ "description": "IIS backslashes",
+ "enabled": true
+ },
+ {
+ "description": "%u decoding",
+ "enabled": true
+ },
+ {
+ "description": "Multiple decoding",
+ "enabled": true,
+ "maxDecodingPasses": 3
+ },
+ {
+ "description": "Directory traversals",
+ "enabled": true
+ }
+ ]
+ },
+ "xml-profiles": [
+ {
+ "name": "Default",
+ "defenseAttributes": {
+ "allowDTDs": false,
+ "allowExternalReferences": false
+ }
+ }
+ ]
+ }
+}
\ No newline at end of file
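Review bot: `"trustXff": true` under `general` tells the policy to take the client address from the X-Forwarded-For header, but in the accompanying nginx.conf this NGINX listens on port 80 facing the client directly and itself appends `$proxy_add_x_forwarded_for`, so a client can supply that header and choose the `ip_client` recorded in the security log and presumably used by any address-based policy decision. Unless a trusted proxy sits in front of this instance, `"trustXff": false` is the safer value, or the policy should document which upstream proxy's header is being trusted. Separately, `"VIOL_FILETYPE"` is set to alarm and block without any filetype list in this policy, so which file types are actually refused depends on the `POLICY_TEMPLATE_NGINX_BASE` defaults; a short comment in the lab README naming the intended allow-list would make that behaviour reviewable.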
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-2-API\345\256\211\345\205\250\351\230\262\346\212\244/.keep" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-2-API\345\256\211\345\205\250\351\230\262\346\212\244/.keep"
deleted file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000
diff --git "a/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-2-API\345\256\211\345\205\250\351\230\262\346\212\244/Arcadia API.postman_collection.json" "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-2-API\345\256\211\345\205\250\351\230\262\346\212\244/Arcadia API.postman_collection.json"
new file mode 100644
index 0000000000000000000000000000000000000000..b432770478f7245dfe8f4dd9631c227ff7b4a3a4
--- /dev/null
+++ "b/11 NGINX Web\344\270\216API\345\256\211\345\205\250/Lab-2-API\345\256\211\345\205\250\351\230\262\346\212\244/Arcadia API.postman_collection.json"
@@ -0,0 +1,213 @@
+{
+ "info": {
+ "_postman_id": "a3d3b734-6de2-45f7-9286-166d1a7afca5",
+ "name": "Arcadia API",
+ "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
+ },
+ "item": [
+ {
+ "name": "Last Transactions",
+ "request": {
+ "auth": {
+ "type": "noauth"
+ },
+ "method": "GET",
+ "header": [],
+ "url": {
+ "raw": "https://api.arcadia-finance.io/trading/transactions.php",
+ "protocol": "https",
+ "host": [
+ "api",
+ "arcadia-finance",
+ "io"
+ ],
+ "path": [
+ "trading",
+ "transactions.php"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "POST Buy Stocks",
+ "request": {
+ "auth": {
+ "type": "noauth"
+ },
+ "method": "POST",
+ "header": [
+ {
+ "key": "Content-Type",
+ "value": "application/json",
+ "type": "text"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "{\r\n\t\"trans_value\":12,\r\n\t\"qty\":16,\r\n\t\"company\":\"MSFT\",\r\n\t\"action\":\"buy\",\r\n\t\"stock_price\":198\r\n}"
+ },
+ "url": {
+ "raw": "http://app-protect-centos.arcadia-finance.io/trading/rest/buy_stocks.php",
+ "protocol": "http",
+ "host": [
+ "app-protect-centos",
+ "arcadia-finance",
+ "io"
+ ],
+ "path": [
+ "trading",
+ "rest",
+ "buy_stocks.php"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "POST Sell Stocks",
+ "request": {
+ "auth": {
+ "type": "noauth"
+ },
+ "method": "POST",
+ "header": [
+ {
+ "key": "Content-Type",
+ "value": "application/json",
+ "type": "text"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "{\r\n\t\"trans_value\":212,\r\n\t\"qty\":16,\r\n\t\"company\":\"MSFT\",\r\n\t\"action\":\"sell\",\r\n\t\"stock_price\":158\r\n}"
+ },
+ "url": {
+ "raw": "http://app-protect-centos.arcadia-finance.io/trading/rest/sell_stocks.php",
+ "protocol": "http",
+ "host": [
+ "app-protect-centos",
+ "arcadia-finance",
+ "io"
+ ],
+ "path": [
+ "trading",
+ "rest",
+ "sell_stocks.php"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "POST Transfert Money",
+ "request": {
+ "auth": {
+ "type": "noauth"
+ },
+ "method": "POST",
+ "header": [
+ {
+ "key": "Content-Type",
+ "value": "application/json",
+ "type": "text"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "{\r\n \"amount\":92,\r\n \"account\":2075894,\r\n \"currency\":\"GBP\",\r\n \"friend\":\"Vincent\"\r\n}",
+ "options": {
+ "raw": {
+ "language": "javascript"
+ }
+ }
+ },
+ "url": {
+ "raw": "http://app-protect-centos.arcadia-finance.io/api/rest/execute_money_transfer.php",
+ "protocol": "http",
+ "host": [
+ "app-protect-centos",
+ "arcadia-finance",
+ "io"
+ ],
+ "path": [
+ "api",
+ "rest",
+ "execute_money_transfer.php"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "POST Buy Stocks XSS attack",
+ "request": {
+ "auth": {
+ "type": "noauth"
+ },
+ "method": "POST",
+ "header": [
+ {
+ "key": "Content-Type",
+ "value": "application/json",
+ "type": "text"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "{\r\n\t\"trans_value\":66,\r\n\t\"qty\":4,\r\n\t\"company\":\"MSFT\",\r\n\t\"action\":\"test\",\r\n\t\"stock_price\":198\r\n}"
+ },
+ "url": {
+ "raw": "http://app-protect-centos.arcadia-finance.io/trading/rest/buy_stocks.php",
+ "protocol": "http",
+ "host": [
+ "app-protect-centos",
+ "arcadia-finance",
+ "io"
+ ],
+ "path": [
+ "trading",
+ "rest",
+ "buy_stocks.php"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "POST Transfert Money Attack",
+ "request": {
+ "auth": {
+ "type": "noauth"
+ },
+ "method": "POST",
+ "header": [
+ {
+ "key": "Content-Type",
+ "value": "application/json",
+ "type": "text"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "{\r\n \"amount\":\"12\",\r\n \"account\":\""",\r\n ""stock_price"":198\r\n}",
+transport_protocol="HTTP/1.1"
+
+```
+---
+
+6. POST发送Transfer Money的API call的同时增加攻击
+
+
+
+检查API请求被阻断的日志:
+
+```json
+
+attack_type="Non-browser Client,Abuse of Functionality,Cross Site Scripting (XSS)",
+blocking_exception_reason="N/A",
+date_time="2021-10-10 13:23:00",
+dest_port="80",
+ip_client="10.1.1.13",
+is_truncated="false",
+method="POST",
+policy_name="app_protect_api_security_policy",
+protocol="HTTP",
+request_status="blocked",
+response_code="0",
+severity="Critical",
+sig_cves="N/A",
+sig_ids="200001475,200000098",
+sig_names="XSS script tag end (Parameter) (2),XSS script tag (Parameter)",
+sig_set_names="{Cross Site Scripting Signatures;High Accuracy Signatures},{Cross Site Scripting Signatures;High Accuracy Signatures}",
+src_port="56874",
+sub_violations="N/A",
+support_id="609722702720363809",
+threat_campaign_names="N/A",
+unit_hostname="c68206ac-6bd7-49d0-ad95-d7b1ccb15787",
+uri="/api/rest/execute_money_transfer.php",
+violation_rating="5",
+vs_name="25-localhost:1-/",
+x_forwarded_for_header_value="N/A",
+outcome="REJECTED",
+outcome_reason="SECURITY_WAF_VIOLATION",
+violations="Illegal meta character in value,Attack signature detected,JSON data does not comply with JSON schema,Violation Rating Threat detected,Bot Client Detected",
+violation_details="100010cabd0c42-3a03f31c30000076477f0ffcbbd0fea-befbf35cb000007e0-200-042VIOL_ATTACK_SIGNATUREURL0JSON210json_POST_~api~rest~execute_money_transfer.phpPHNjcmlwdD4=element value2000014753PHNjcmlwdD4=172000000983PHNjcmlwdD4=0724VIOL_PARAMETER_VALUE_METACHARURL0JSON210json_POST_~api~rest~execute_money_transfer.phpelement valuevaluePHNjcmlwdD4=60valuePHNjcmlwdD4=6281VIOL_JSON_SCHEMAURL0JSON210json_POST_~api~rest~execute_money_transfer.phpelement value$.amountType Violationstringinteger$.accountType Violationstringinteger",
+bot_signature_name="Postman",
+bot_category="HTTP Library",
+bot_anomalies="N/A",
+enforced_bot_anomalies="N/A",
+client_class="Untrusted Bot",
+client_application="N/A",
+client_application_version="N/A",
+request="POST /api/rest/execute_money_transfer.php HTTP/1.1\r\nContent-Type: application/json\r\nUser-Agent: PostmanRuntime/7.28.4\r\nAccept: */*\r\nPostman-Token: 31b0c3db-1dd2-4872-a7da-8874037ad7ec\r\nHost: app-protect-centos.arcadia-finance.io\r\nAccept-Encoding: gzip, deflate, br\r\nConnection: keep-alive\r\nContent-Length: 95\r\n\r\n{\r\n ""amount"":""12"",\r\n ""account"":""