{"id":13428233,"url":"https://github.com/roottusk/vapi","last_synced_at":"2025-05-14T15:10:27.395Z","repository":{"id":40502457,"uuid":"293301937","full_name":"roottusk/vapi","owner":"roottusk","description":"vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.","archived":false,"fork":false,"pushed_at":"2025-01-10T02:48:25.000Z","size":24965,"stargazers_count":1221,"open_issues_count":10,"forks_count":316,"subscribers_count":20,"default_branch":"master","last_synced_at":"2025-04-13T16:50:24.987Z","etag":null,"topics":["api","apitop10","appsec","appsec-tutorials","bugbounty","cors","docker","exercises","hacktoberfest","hacktoberfest-accepted","owasp","owasp-top-10","owasp-top-ten","php","postman","vulnerable-application"],"latest_commit_sha":null,"homepage":"","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/roottusk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":null,"patreon":"roottusk","open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":["https://www.buymeacoffee.com/roottusk"]}},"created_at":"2020-09-06T15:10:46.000Z","updated_at":"2025-04-09T10:20:40.000Z","dependencies_parsed_at":"2022-07-13T15:29:19.734Z","dependency_job_id":"e6c1f1fb-20f9-45d2-a8f8-3ce89e04b3b4","html_url":"https://github.com/roottusk/vapi","commit_stats":{"total_commits":110,"total_committers":10,"mean_commits":11.0
,"dds":"0.18181818181818177","last_synced_commit":"b44e0f1a6727b46d490c85efffbd510f6b18efb5"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roottusk%2Fvapi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roottusk%2Fvapi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roottusk%2Fvapi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roottusk%2Fvapi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/roottusk","download_url":"https://codeload.github.com/roottusk/vapi/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254170054,"owners_count":22026219,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api","apitop10","appsec","appsec-tutorials","bugbounty","cors","docker","exercises","hacktoberfest","hacktoberfest-accepted","owasp","owasp-top-10","owasp-top-ten","php","postman","vulnerable-application"],"created_at":"2024-07-31T01:00:49.965Z","updated_at":"2025-05-14T15:10:27.331Z","avatar_url":"https://github.com/roottusk.png","language":"HTML","readme":"# vAPI 
[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Check%20out%20vAPI%20on%20Github!\u0026url=https://github.com/roottusk/vapi\u0026via=vk_tushar\u0026hashtags=apisecurity,apitop10,owasp)\n\n[![Docker](https://img.shields.io/badge/docker-support-%2300D1D1)](https://github.com/roottusk/vapi#installation-docker) \n[![Build Status](https://app.travis-ci.com/roottusk/vapi.svg?branch=master)](https://app.travis-ci.com/roottusk/vapi)\n[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blueviolet.svg)](https://www.gnu.org/licenses/gpl-3.0)\n[![Version](https://img.shields.io/badge/version-v1.3-blue)](https://github.com/roottusk/vapi) \n[![PHP](https://img.shields.io/badge/php-7.3^-yellow)](https://github.com/roottusk/vapi)\n[![Laravel](https://img.shields.io/badge/Laravel-8-orange)](https://github.com/roottusk/vapi)\n[![Issues](https://img.shields.io/github/issues-closed/roottusk/vapi?color=%23eb3434)](https://github.com/roottusk/vapi/issues)\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"vapi_logo.png\" \u003e\n\u003c/p\u003e\n\nvAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios through exercises. 
\n\n\n# Requirements\n\n* PHP\n* MySQL\n* Postman\n* MITM Proxy\n\n# Installation (Docker)\n\n```bash\ndocker-compose up -d\n```\n\n# Installation (Manual)\n\n## Copying the Code\n\n```bash\ncd \u003cyour-hosting-directory\u003e\n```\n\n```bash\ngit clone https://github.com/roottusk/vapi.git\n```\n\n## Setting up the Database\n\nImport `vapi.sql` into the MySQL database.\n\nConfigure the DB credentials in `vapi/.env`.\n\n\n## Starting MySQL service\n\nRun the following command (Linux):\n\n```bash\nservice mysqld start\n```\n\n## Starting Laravel Server\n\nGo to the `vapi` directory and run:\n\n```bash\nphp artisan serve\n```\n\n## Setting Up Postman\n\n- Import `vAPI.postman_collection.json` in Postman\n- Import `vAPI_ENV.postman_environment.json` in Postman\n\nOR\n\nUse the public workspace:\n\nhttps://www.postman.com/roottusk/workspace/vapi/\n\n# Usage\n\nBrowse to `http://localhost/vapi/` for the documentation.\n\nAfter sending requests, refer to the Postman Tests or Environment for the generated tokens.\n\n# Deployment\n\n[Helm](https://helm.sh/) can be used to deploy to a Kubernetes namespace. The chart is in the `vapi-chart` folder. The chart requires one secret named `vapi` with the following values:\n\n```\nDB_PASSWORD: \u003cdatabase password to use\u003e\nDB_USERNAME: \u003cdatabase username to use\u003e\n```\n\nSample Helm install command: `helm upgrade --install vapi ./vapi-chart --values=./vapi-chart/values.yaml`\n\n*** Important *** \n\nThe MYSQL_ROOT_PASSWORD on line 232 of `values.yaml` must match the one on line 184 for the deployment to work. 
\n\n# Presented At\n[OWASP 20th Anniversary](https://owasp20thanniversaryevent20.sched.com/event/ll1k)\n\n[Blackhat Europe 2021 Arsenal](https://www.youtube.com/watch?v=7_Q5Rlm7Too)\n\n[HITB Cyberweek 2021, Abu Dhabi, UAE](https://cyberweek.ae/2021/hitb-armory/)\n\n[@Hack, Riyadh, KSA](https://athack.com/speakers?keys=Tushar)\n\n\n# Upcoming\n\n[APISecure.co](https://apisecure.co/)\n\n# Mentions and References\n[1] https://apisecurity.io/issue-132-experian-api-leak-breaches-digitalocean-geico-burp-plugins-vapi-lab/\n\n[2] https://dsopas.github.io/MindAPI/references/\n\n[3] https://dzone.com/articles/api-security-weekly-issue-132\n\n[4] https://owasp.org/www-project-vulnerable-web-applications-directory/\n\n[5] https://github.com/arainho/awesome-api-security\n\n[6] https://portswigger.net/daily-swig/introducing-vapi-an-open-source-lab-environment-to-learn-about-api-security\n\n[7] https://apisecurity.io/issue-169-insecure-api-wordpress-plugin-tesla-3rd-party-vulnerability-introducing-vapi/\n\n# Walkthroughs/Writeups/Videos\n\n[1] https://cyc0rpion.medium.com/exploiting-owasp-top-10-api-vulnerabilities-fb9d4b1dd471 (vAPI 1.0 Writeup)\n\n[2] https://www.youtube.com/watch?v=0F5opL_c5-4\u0026list=PLT1Gj1RmR7vqHK60qS5bpNUeivz4yhmbS (Turkish Language) (vAPI 1.1 Walkthrough)\n\n[3] https://medium.com/@jyotiagarwal3190/roottusk-vapi-writeup-341ec99879c (vAPI 1.1 Writeup)\n\n# Acknowledgements\n\n* The icon and banner uses image from [Flaticon](https://www.flaticon.com/free-icon/bug_190835)\n\n","funding_links":["https://patreon.com/roottusk","https://www.buymeacoffee.com/roottusk"],"categories":["Training, Walkthrough, Labs","Deliberately vulnerable APIs","🔐 Vulnerable APIs","Vulnerable APIs:","Secure Programming","HTML"],"sub_categories":["iOS","Secure Web 
dev"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Froottusk%2Fvapi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Froottusk%2Fvapi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Froottusk%2Fvapi/lists"}