{"id":13428229,"url":"https://github.com/erev0s/VAmPI","last_synced_at":"2025-03-16T01:32:02.406Z","repository":{"id":37239565,"uuid":"301193365","full_name":"erev0s/VAmPI","owner":"erev0s","description":"Vulnerable REST API with OWASP top 10 vulnerabilities for security testing","archived":false,"fork":false,"pushed_at":"2024-11-25T13:00:36.000Z","size":68,"stargazers_count":966,"open_issues_count":1,"forks_count":393,"subscribers_count":13,"default_branch":"master","last_synced_at":"2025-03-07T18:05:13.587Z","etag":null,"topics":["api","api-rest","security-tools","vulnerable-web-app"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/erev0s.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"erev0s"}},"created_at":"2020-10-04T18:03:24.000Z","updated_at":"2025-03-03T18:54:22.000Z","dependencies_parsed_at":"2025-01-12T11:02:08.120Z","dependency_job_id":"95345926-fbcc-4795-9d38-c9fd2f00f5fd","html_url":"https://github.com/erev0s/VAmPI","commit_stats":{"total_commits":44,"total_committers":8,"mean_commits":5.5,"dds":0.5681818181818181,"last_synced_commit":"d42800d01aa11c4242d913a644f337ac960e6e34"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erev0s%2FVAmPI","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erev0s%2FVAmPI/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erev0s%2FVAmPI/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erev0s%2FVAmPI/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/erev0s","download_url":"https://codeload.github.com/erev0s/VAmPI/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243814900,"owners_count":20352037,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api","api-rest","security-tools","vulnerable-web-app"],"created_at":"2024-07-31T01:00:49.812Z","updated_at":"2025-03-16T01:32:02.400Z","avatar_url":"https://github.com/erev0s.png","language":"Python","funding_links":["https://github.com/sponsors/erev0s"],"categories":["Deliberately vulnerable APIs","Security Testing","OWASP Top 10","Uncategorized","其他_安全与渗透","🔐 Vulnerable APIs","Vulnerable APIs:","API","Learning Platforms \u0026 Labs"],"sub_categories":["Uncategorized","网络服务_其他","iOS","Self-hostable"],"readme":"# VAmPI\n**The Vulnerable API** *(Based on OpenAPI 3)*\n![vampi](https://i.imgur.com/zR0quKf.jpg)\n\n[![Docker Image CI](https://github.com/erev0s/VAmPI/actions/workflows/docker-image.yml/badge.svg)](https://github.com/erev0s/VAmPI/actions/workflows/docker-image.yml) ![Docker Pulls](https://img.shields.io/docker/pulls/erev0s/vampi)\n\n\nVAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs. It was created as I wanted a vulnerable API to evaluate the efficiency of tools used to detect security issues in APIs. It includes a switch on/off to allow the API to be vulnerable or not while testing. This allows to cover better the cases for false positives/negatives. VAmPI can also be used for learning/teaching purposes. You can find a bit more details about the vulnerabilities in [erev0s.com](https://erev0s.com/blog/vampi-vulnerable-api-security-testing/).\n\n\n#### Features\n - Based on OWASP Top 10 vulnerabilities for APIs.\n - OpenAPI3 specs and Postman Collection included.\n - Global switch on/off to have a vulnerable environment or not.\n - Token-Based Authentication (Adjust lifetime from within app.py)\n - Available Swagger UI to directly interact with the API\n\nVAmPI's flow of actions is going like this: an unregistered user can see minimal information about the dummy users included in the API. A user can register and then login to be allowed using the token received during login to post a book. For a book posted the data accepted are the title and a secret about that book. Each book is unique for every user and only the owner of the book should be allowed to view the secret.\n\nA quick rundown of the actions included can be seen in the following table:\n\n| **Action** | **Path** | **Details** |\n|:----------:|:-----------------------------:|:--------------------------------------------------:|\n| GET | /createdb | Creates and populates the database with dummy data |\n| GET | / | VAmPI home |\n| GET | /me | Displays the user that is logged in |\n| GET | /users/v1 | Displays all users with basic information |\n| GET | /users/v1/_debug | Displays all details for all users |\n| POST | /users/v1/register | Register new user |\n| POST | /users/v1/login | Login to VAmPI |\n| GET | /users/v1/{username} | Displays user by username |\n| DELETE | /users/v1/{username} | Deletes user by username (Only Admins) |\n| PUT | /users/v1/{username}/email | Update a single users email |\n| PUT | /users/v1/{username}/password | Update users password |\n| GET | /books/v1 | Retrieves all books |\n| POST | /books/v1 | Add new book |\n| GET | /books/v1/{book} | Retrieves book by title along with secret |\n\nFor more details you can either run VAmPI and visit `http://127.0.0.1:5000/ui/` or use a service like the [swagger editor](https://editor.swagger.io) supplying the OpenAPI specification which can be found in the directory `openapi_specs`.\n\n\n#### List of Vulnerabilities\n - SQLi Injection\n - Unauthorized Password Change\n - Broken Object Level Authorization\n - Mass Assignment\n - Excessive Data Exposure through debug endpoint\n - User and Password Enumeration\n - RegexDOS (Denial of Service)\n - Lack of Resources \u0026 Rate Limiting\n - JWT authentication bypass via weak signing key\n\n\n\n ## Run it\nIt is a Flask application so in order to run it you can install all requirements and then run the `app.py`.\nTo install all requirements simply run `pip3 install -r requirements.txt` and then `python3 app.py`.\n\nOr if you prefer you can also run it through docker or docker compose.\n\n #### Run it through Docker\n\n - Available in [Dockerhub](https://hub.docker.com/r/erev0s/vampi)\n~~~~\ndocker run -p 5000:5000 erev0s/vampi:latest\n~~~~\n\n[Note: if you run Docker on newer versions of the MacOS, use `-p 5001:5000` to avoid conflicting with the AirPlay Receiver service. Alternatively, you could disable the AirPlay Receiver service in your System Preferences -\u003e Sharing settings.]\n\n #### Run it through Docker Compose\n`docker-compose` contains two instances, one instance with the secure configuration on port 5001 and another with insecure on port 5002:\n~~~~\ndocker-compose up -d\n~~~~\n\n## Available Swagger UI :rocket:\nVisit the path `/ui` where you are running the API and a Swagger UI will be available to help you get started!\n~~~~\nhttp://127.0.0.1:5000/ui/\n~~~~\n\n## Customizing token timeout and vulnerable environment or not\nIf you would like to alter the timeout of the token created after login or if you want to change the environment **not** to be vulnerable then you can use a few ways depending how you run the application.\n\n - If you run it like normal with `python3 app.py` then all you have to do is edit the `alive` and `vuln` variables defined in the `app.py` itself. The `alive` variable is measured in seconds, so if you put `100`, then the token expires after 100 seconds. The `vuln` variable is like boolean, if you set it to `1` then the application is vulnerable, and if you set it to `0` the application is not vulnerable.\n - If you run it through Docker, then you must either pass environment variables to the `docker run` command or edit the `Dockerfile` and rebuild. \n - Docker run example: `docker run -d -e vulnerable=0 -e tokentimetolive=300 -p 5000:5000 erev0s/vampi:latest`\n - One nice feature to running it this way is you can startup a 2nd container with `vulnerable=1` on a different port and flip easily between the two.\n\n - In the Dockerfile you will find two environment variables being set, the `ENV vulnerable=1` and the `ENV tokentimetolive=60`. Feel free to change it before running the docker build command.\n\n\n## Frequently asked questions\n - **There is a database error upon reaching endpoints!**\n - Make sure to issue a request towards the endpoint `/createdb` in order to populate the database.\n\n [Picture from freepik - www.freepik.com](https://www.freepik.com/vectors/party)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ferev0s%2FVAmPI","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ferev0s%2FVAmPI","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ferev0s%2FVAmPI/lists"}