Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/roottusk/vapi

vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.
https://github.com/roottusk/vapi

api apitop10 appsec appsec-tutorials bugbounty cors docker exercises hacktoberfest hacktoberfest-accepted owasp owasp-top-10 owasp-top-ten php postman vulnerable-application

Last synced: 6 days ago
JSON representation

vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.

Host: GitHub
URL: https://github.com/roottusk/vapi
Owner: roottusk
License: gpl-3.0
Created: 2020-09-06T15:10:46.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2023-08-11T22:44:16.000Z (over 1 year ago)
Last Synced: 2024-11-21T20:03:01.953Z (22 days ago)
Topics: api, apitop10, appsec, appsec-tutorials, bugbounty, cors, docker, exercises, hacktoberfest, hacktoberfest-accepted, owasp, owasp-top-10, owasp-top-ten, php, postman, vulnerable-application
Language: HTML
Homepage:
Size: 23.9 MB
Stars: 1,178
Watchers: 19
Forks: 307
Open Issues: 8
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE

Awesome Lists containing this project

awesome-api-security-essentials - GitHub
awesome-api-security - vAPI - Hostable API that mimics OWASP API Top 10 scenarios through Exercises. | (Deliberately vulnerable APIs)
awesome-hacking-lists - roottusk/vapi - vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises. (HTML)

README

        # vAPI [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Check%20out%20vAPI%20on%20Github!&url=https://github.com/roottusk/vapi&via=vk_tushar&hashtags=apisecurity,apitop10,owasp)

[![Docker](https://img.shields.io/badge/docker-support-%2300D1D1)](https://github.com/roottusk/vapi#installation-docker) 

[![Build Status](https://app.travis-ci.com/roottusk/vapi.svg?branch=master)](https://app.travis-ci.com/roottusk/vapi)

[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blueviolet.svg)](https://www.gnu.org/licenses/gpl-3.0)

[![Version](https://img.shields.io/badge/version-v1.3-blue)](https://github.com/roottusk/vapi) 

[![PHP](https://img.shields.io/badge/php-7.3^-yellow)](https://github.com/roottusk/vapi)

[![Laravel](https://img.shields.io/badge/Laravel-8-orange)](https://github.com/roottusk/vapi)

[![Issues](https://img.shields.io/github/issues-closed/roottusk/vapi?color=%23eb3434)](https://github.com/roottusk/vapi/issues)







vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios in the means of Exercises. 

# Requirements

* PHP

* MySQL

* PostMan

* MITM Proxy

# Installation (Docker)

```bash

docker-compose up -d

```

# Installation (Manual)

## Copying the Code

```bash

cd 

```

```bash

git clone https://github.com/roottusk/vapi.git

```

## Setting up the Database

Import `vapi.sql` into MySQL Database

Configure the DB Credentials in the `vapi/.env`

## Starting MySQL service

Run following command (Linux)

```bash

service mysqld start

```

## Starting Laravel Server

Go to `vapi` directory and Run 

```bash

php artisan serve

```

## Setting Up Postman

- Import `vAPI.postman_collection.json` in Postman

- Import `vAPI_ENV.postman_environment.json` in Postman

OR

Use Public Workspace 

https://www.postman.com/roottusk/workspace/vapi/

# Usage

Browse `http://localhost/vapi/` for Documentation

After Sending requests, refer to the Postman Tests or Environment for Generated Tokens

# Deployment

[Helm](https://helm.sh/) can be used to deploy to a Kubernetes namespace. The chart is in the `vapi-chart` folder. The chart requires one secret named `vapi` with the following values:

```

DB_PASSWORD: 

DB_USERNAME: 

```

Sample Helm Install Command: `helm upgrade --install vapi ./vapi-chart --values=./vapi-chart/values.yaml`

*** Important *** 

The MYSQL_ROOT_PASSWORD on line 232 in the `values.yaml` must match that on line 184 in order to work. 

# Presented At

[OWASP 20th Anniversary](https://owasp20thanniversaryevent20.sched.com/event/ll1k)

[Blackhat Europe 2021 Arsenal](https://www.youtube.com/watch?v=7_Q5Rlm7Too)

[HITB Cyberweek 2021, Abu Dhabi, UAE](https://cyberweek.ae/2021/hitb-armory/)

[@Hack, Riyadh, KSA](https://athack.com/speakers?keys=Tushar)

# Upcoming

[APISecure.co](https://apisecure.co/)

# Mentions and References

[1] https://apisecurity.io/issue-132-experian-api-leak-breaches-digitalocean-geico-burp-plugins-vapi-lab/

[2] https://dsopas.github.io/MindAPI/references/

[3] https://dzone.com/articles/api-security-weekly-issue-132

[4] https://owasp.org/www-project-vulnerable-web-applications-directory/

[5] https://github.com/arainho/awesome-api-security

[6] https://portswigger.net/daily-swig/introducing-vapi-an-open-source-lab-environment-to-learn-about-api-security

[7] https://apisecurity.io/issue-169-insecure-api-wordpress-plugin-tesla-3rd-party-vulnerability-introducing-vapi/

# Walkthroughs/Writeups/Videos

[1] https://cyc0rpion.medium.com/exploiting-owasp-top-10-api-vulnerabilities-fb9d4b1dd471 (vAPI 1.0 Writeup)

[2] https://www.youtube.com/watch?v=0F5opL_c5-4&list=PLT1Gj1RmR7vqHK60qS5bpNUeivz4yhmbS (Turkish Language) (vAPI 1.1 Walkthrough)

[3] https://medium.com/@jyotiagarwal3190/roottusk-vapi-writeup-341ec99879c (vAPI 1.1 Writeup)

# Acknowledgements

* The icon and banner uses image from [Flaticon](https://www.flaticon.com/free-icon/bug_190835)