The Vulnerable API (Based on OpenAPI 3)
VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs. It was created as I wanted a vulnerable API to evaluate the efficiency of tools used to detect security issues in APIs. It includes a switch on/off to allow the API to be vulnerable or not while testing. This allows to cover better the cases for false positives/negatives. VAmPI can also be used for learning/teaching purposes. You can find a bit more details about the vulnerabilities in erev0s.com.
- Based on OWASP Top 10 vulnerabilities for APIs.
- OpenAPI3 specs and Postman Collection included.
- Global switch on/off to have a vulnerable environment or not.
- Token-Based Authentication (Adjust lifetime from within app.py)
VAmPI`s flow of actions is going like this: an unregistered user can see minimal information about the dummy users included in the API. A user can register and then login to be allowed using the token received during login to post a book. For a book posted the data accepted are the title and a secret about that book. Each book is unique for every user and only the owner of the book should be allowed to view the secret.
A quick rundown of the actions included can be seen in the following table:
| Action | Path | Details |
|---|---|---|
| GET | /createdb | Creates and populates the database with dummy data |
| GET | / | VAmPI home |
| GET | /users/v1 | Displays all users with basic information |
| GET | /users/v1/_debug | Displays all details for all users |
| POST | /users/v1/register | Register new user |
| POST | /users/v1/login | Login to VAmPI |
| GET | /users/v1/{username} | Displays user by username |
| DELETE | /users/v1/{username} | Deletes user by username (Only Admins) |
| PUT | /users/v1/{username}/email | Update a single users email |
| PUT | /users/v1/{username}/password | Update users password |
| GET | /books/v1 | Retrieves all books |
| POST | /books/v1 | Add new book |
| GET | /books/v1/{book} | Retrieves book by title along with secret |
For more details you can use a service like the swagger editor supplying it the OpenAPI specification which can be found in the directory openapi_specs.
- SQLi Injection
- Unauthorized Password Change
- Broken Object Level Authorization
- Mass Assignment
- Excessive Data Exposure through debug endpoint
- User and Password Enumeration
- RegexDOS (Denial of Service)
- Lack of Resources & Rate Limiting
It is a Flask application so in order to run it you can install all requirements and then run the app.py.
To install all requirements simply run pip3 install -r requirements.txt and then python3 app.py.
Or if you prefer you can also run it through docker.
Build with
docker build -t vampi_docker:latest .
and Run (remove the -d if you want to see the output in your terminal)
docker run -d -p 5000:5000 vampi_docker:latest
If you would like to alter the timeout of the token created after login or if you want to change the environment not to be vulnerable then you can do that in two ways depending how you run the application.
- If you run it like normal with
python3 app.pythen all you have to do is edit thealiveandvulnvariables defined in theapp.pyitself. Thealivevariable is measured in seconds, so if you put100, then the token expires after 100 seconds. Thevulnvariable is like boolean, if you set it to1then the application is vulnerable, and if you set it to0the application is not vulnerable. - If you run it through docker, then you must edit the
Dockerfile. In there you will find two environment variables being set, theENV vulnerable=1and theENV tokentimetolive=60. Feel free to change it before running the docker build command.