Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/erev0s/VAmPI
Vulnerable REST API with OWASP top 10 vulnerabilities for security testing
https://github.com/erev0s/VAmPI
api api-rest security-tools vulnerable-web-app
Last synced: about 2 months ago
JSON representation
Vulnerable REST API with OWASP top 10 vulnerabilities for security testing
- Host: GitHub
- URL: https://github.com/erev0s/VAmPI
- Owner: erev0s
- License: mit
- Created: 2020-10-04T18:03:24.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2024-04-27T10:05:24.000Z (8 months ago)
- Last Synced: 2024-04-27T11:29:47.957Z (8 months ago)
- Topics: api, api-rest, security-tools, vulnerable-web-app
- Language: Python
- Homepage:
- Size: 44.9 KB
- Stars: 803
- Watchers: 10
- Forks: 282
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-api-security-essentials - GitHub - site Scripting (XSS), Cross-site Request Forgery (CSRF), Insecure Direct Object Reference (IDOR) | [erev0s](https://github.com/erev0s) | Yes | (🔐 Vulnerable APIs)
- awesome-sites-to-test-on - VAmPI The Vulnerable API (Based on OpenAPI 3)
- awesome-vulnerable-apps - VAmPI - Vulnerable REST API with OWASP top 10 vulnerabilities for security testing (OWASP Top 10)
- awesome-tools - VAmPI - Vulnerable REST API with OWASP top 10 vulnerabilities for security testing (Uncategorized / Uncategorized)
- awesome-api-security - VAmPI
- StarryDivineSky - erev0s/VAmPI
README
# VAmPI
**The Vulnerable API** *(Based on OpenAPI 3)*
![vampi](https://i.imgur.com/zR0quKf.jpg)[![Docker Image CI](https://github.com/erev0s/VAmPI/actions/workflows/docker-image.yml/badge.svg)](https://github.com/erev0s/VAmPI/actions/workflows/docker-image.yml) ![Docker Pulls](https://img.shields.io/docker/pulls/erev0s/vampi)
VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs. It was created as I wanted a vulnerable API to evaluate the efficiency of tools used to detect security issues in APIs. It includes a switch on/off to allow the API to be vulnerable or not while testing. This allows to cover better the cases for false positives/negatives. VAmPI can also be used for learning/teaching purposes. You can find a bit more details about the vulnerabilities in [erev0s.com](https://erev0s.com/blog/vampi-vulnerable-api-security-testing/).
#### Features
- Based on OWASP Top 10 vulnerabilities for APIs.
- OpenAPI3 specs and Postman Collection included.
- Global switch on/off to have a vulnerable environment or not.
- Token-Based Authentication (Adjust lifetime from within app.py)
- Available Swagger UI to directly interact with the APIVAmPI's flow of actions is going like this: an unregistered user can see minimal information about the dummy users included in the API. A user can register and then login to be allowed using the token received during login to post a book. For a book posted the data accepted are the title and a secret about that book. Each book is unique for every user and only the owner of the book should be allowed to view the secret.
A quick rundown of the actions included can be seen in the following table:
| **Action** | **Path** | **Details** |
|:----------:|:-----------------------------:|:--------------------------------------------------:|
| GET | /createdb | Creates and populates the database with dummy data |
| GET | / | VAmPI home |
| GET | /users/v1 | Displays all users with basic information |
| GET | /users/v1/_debug | Displays all details for all users |
| POST | /users/v1/register | Register new user |
| POST | /users/v1/login | Login to VAmPI |
| GET | /users/v1/{username} | Displays user by username |
| DELETE | /users/v1/{username} | Deletes user by username (Only Admins) |
| PUT | /users/v1/{username}/email | Update a single users email |
| PUT | /users/v1/{username}/password | Update users password |
| GET | /books/v1 | Retrieves all books |
| POST | /books/v1 | Add new book |
| GET | /books/v1/{book} | Retrieves book by title along with secret |For more details you can either run VAmPI and visit `http://127.0.0.1:5000/ui/` or use a service like the [swagger editor](https://editor.swagger.io) supplying the OpenAPI specification which can be found in the directory `openapi_specs`.
#### List of Vulnerabilities
- SQLi Injection
- Unauthorized Password Change
- Broken Object Level Authorization
- Mass Assignment
- Excessive Data Exposure through debug endpoint
- User and Password Enumeration
- RegexDOS (Denial of Service)
- Lack of Resources & Rate Limiting
- JWT authentication bypass via weak signing key## Run it
It is a Flask application so in order to run it you can install all requirements and then run the `app.py`.
To install all requirements simply run `pip3 install -r requirements.txt` and then `python3 app.py`.Or if you prefer you can also run it through docker or docker compose.
#### Run it through Docker
- Available in [Dockerhub](https://hub.docker.com/r/erev0s/vampi)
~~~~
docker run -p 5000:5000 erev0s/vampi:latest
~~~~[Note: if you run Docker on newer versions of the MacOS, use `-p 5001:5000` to avoid conflicting with the AirPlay Receiver service. Alternatively, you could disable the AirPlay Receiver service in your System Preferences -> Sharing settings.]
#### Run it through Docker Compose
`docker-compose` contains two instances, one instance with the secure configuration on port 5001 and another with insecure on port 5002:
~~~~
docker-compose up -d
~~~~## Available Swagger UI :rocket:
Visit the path `/ui` where you are running the API and a Swagger UI will be available to help you get started!
~~~~
http://127.0.0.1:5000/ui/
~~~~## Customizing token timeout and vulnerable environment or not
If you would like to alter the timeout of the token created after login or if you want to change the environment **not** to be vulnerable then you can use a few ways depending how you run the application.- If you run it like normal with `python3 app.py` then all you have to do is edit the `alive` and `vuln` variables defined in the `app.py` itself. The `alive` variable is measured in seconds, so if you put `100`, then the token expires after 100 seconds. The `vuln` variable is like boolean, if you set it to `1` then the application is vulnerable, and if you set it to `0` the application is not vulnerable.
- If you run it through Docker, then you must either pass environment variables to the `docker run` command or edit the `Dockerfile` and rebuild.
- Docker run example: `docker run -d -e vulnerable=0 -e tokentimetolive=300 -p 5000:5000 erev0s/vampi:latest`
- One nice feature to running it this way is you can startup a 2nd container with `vulnerable=1` on a different port and flip easily between the two.- In the Dockerfile you will find two environment variables being set, the `ENV vulnerable=1` and the `ENV tokentimetolive=60`. Feel free to change it before running the docker build command.
[Picture from freepik - www.freepik.com](https://www.freepik.com/vectors/party)