Lab 2: API Inventory

Scenario

In an update to the Customer Lookup controller, a new endpoint, “getbyheroname”, was added that allows the lookup of a customer’s secret identity. However, this endpoint was not intended for release and was not approved for production.

We need to ensure that unapproved endpoints cannot be consumed, both now and in the future.

Expected Lab Time: 15 minutes

Note

This lab uses a pre-built shared API Definition. Refer to Lab 2 Advanced for additional steps on how to download and upload a swagger file, as well as how to create an API Definition using the newly created OpenAPI file.

Task 1: Simulate Allowed Access to a Shadow API

  1. Using another browser tab, navigate to the following URL.

    http://<your-namespace>.lab-sec.f5demos.com/swagger
    
  2. In the Demo Bank API app, navigate to the /api/customerlookup/getbyheroname endpoint, expand it, and click Try it out.

    Note

    The ‘getbyheroname’ endpoint is a shadow API endpoint that is not approved for use. A shadow API is an undocumented or unintended API endpoint that exists alongside the officially supported APIs; because it is not visible to, or managed by, the API owners, it often poses security and/or operational risks.

  3. Enter Iron Man in the heroname field, then click Execute.

  4. Review the response body. It returns the customer information.

    Note

    In the next steps, we will address this issue by blocking access to the shadow API endpoints.

Task 2: API Definition

In this task’s series of steps you will create an API Definition using a shared OpenAPI object.

  1. In the left-hand navigation of the Web App & API Protection service, under Manage, mouse over API Security and click API Definition in the slide-out menu.

  2. In the resulting API Definition window, click Add API Definition in the main window area as shown.

  3. In the resulting New API Definition window, input demobank-api-def for the Name under the Metadata section.

  4. In the OpenAPI Specification Files section, click Add Item.

  5. Select a Shared OpenAPI file. It will be in the format shared/api-lab-swagger/v1-25-01-31.

  6. Once selected, click Save and Exit in the bottom-right corner.

Task 3: Enabling API Inventory

In this task’s series of steps you will enable the API Inventory and Discovery feature on the previously built HTTP Load Balancer.

  1. In the left-hand navigation of the Web App & API Protection service, click on Load Balancers > HTTP Load Balancers under the Manage section.

  2. In the resulting Load Balancers window, click the three dots in the Action column, and then select Manage Configuration.

  3. Click Edit Configuration in the top-right corner.

  4. Click API Protection in the left-hand navigation.

  5. In the API Protection section, click the drop-down arrow next to API Definition and select Enable.

  6. In the second API Definition section, click the drop-down arrow and select the pre-created API Definition <your-namespace>/demobank-api-def.

  7. Under Validation, select API Inventory from the drop-down, then click View Configuration.

  8. Within API Inventory validation, under Fall Through Mode, change the drop-down to Custom.

  9. Within Custom Fall Through Rule List, click Configure.

  10. In the Custom Fall Through Rule List section, click Add Item.

  11. Update the fields with the details below, then click Apply.

    • Name: fall-through

    • Action: Block

    • Type: Base Path

    • Base Path: /api

  12. Review the Custom Fall Through Rule List, then click Apply.

  13. Review the API Inventory validation, then click Apply.

  14. Select Save HTTP Load Balancer at the bottom right of the window.

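The following Python script is an added example, not part of this lab and not F5 product code: it models the decision the API Inventory validation makes once the configuration above is saved, so you can reason about which requests match a documented operation and which fall through to the Block rule on the /api base path. The OpenAPI object contents, the hostname, and the first-matching-rule semantics are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the shared OpenAPI object from Task 2 (not the real
# contents of shared/api-lab-swagger/v1-25-01-31): only approved operations.
APPROVED_SPEC = {
    "paths": {
        "/api/customerlookup/getbyid/{id}": {"get": {}},
        "/api/customerlookup/getbyname/{name}": {"get": {}},
        "/api/account/{id}/balance": {"get": {}},
    }
}

# The Custom Fall Through Rule List as entered in Task 3, step 11.
FALL_THROUGH_RULES = [
    {"name": "fall-through", "action": "block", "type": "base_path", "base_path": "/api"},
]

def _template_regex(template):
    """Compile an OpenAPI path template such as /api/x/{id} into an anchored regex."""
    segs = [r"[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
            for s in template.strip("/").split("/")]
    return re.compile("^/" + "/".join(segs) + "/?$")

def in_inventory(spec, method, path):
    """True when method and path match an operation documented in the API Definition."""
    return any(method.lower() in ops and _template_regex(tmpl).match(path)
               for tmpl, ops in spec["paths"].items())

def _under_base_path(path, base):
    base = base.rstrip("/")
    return path == base or path.startswith(base + "/")  # /apix must not match /api

def fall_through_action(rules, path):
    """Action for a request NOT in the inventory (a shadow API call). Assumed
    semantics: first matching rule wins; no matching rule falls through to allow."""
    for rule in rules:
        if rule["type"] == "base_path" and _under_base_path(path, rule["base_path"]):
            return rule["action"]
    return "allow"

def evaluate(method, url, spec=APPROVED_SPEC, rules=FALL_THROUGH_RULES):
    """Decision for one request: documented operations pass, anything else falls through."""
    path = urlsplit(url).path
    return "allow" if in_inventory(spec, method, path) else fall_through_action(rules, path)
```

Note that an undocumented method on a documented path (for example POST where only GET is in the spec) is also treated as a shadow call, and that /swagger still loads because it sits outside the /api base path, which is why Task 4 can reach the Swagger UI.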

Task 4: Simulate Blocked Access to a Shadow API

  1. Using another browser tab, navigate to the following URL.

    http://<your-namespace>.lab-sec.f5demos.com/swagger
    
  2. In the Demo Bank API app, navigate to the /api/customerlookup/getbyheroname endpoint, expand it, and click Try it out.

  3. Enter Iron Man in the heroname field, then click Execute.

    Note

    Press Execute a couple of extra times to create more events, which will be reviewed in a later lab.

  4. Review the response body.

    Note

    You should now be blocked from accessing the ‘getbyheroname’ API endpoint, as it is a shadow API: an undocumented and unapproved endpoint that is not part of the API Definition.

End of Lab