The Vulnerable NestJS API (Based on OpenAPI 3)
VuNAPI is a vulnerable API made with NestJS that contains various vulnerabilities. During my thesis on fuzzing, I found that previous vulnerable APIs did not meet my requirements, so I decided to implement this application. It includes an on/off switch to enable vulnerabilities for specific scenarios and allows you to choose the type of authentication you want to use. VuNAPI can also be used for learning and teaching purposes.
You can find more details about the vulnerabilities in this document.
- 📄 OpenAPI3 specs included.
- 2️⃣ HTTP/2 support
- 🔒 HTTPS On/Off Switch
- 🔄 Global switch to toggle specific vulnerable scenarios.
- 🔒 Selectable authentication methods: JWT, Basic, or no authentication.
- 🖥️ Available Swagger UI to directly interact with the API.
| Action | Path | Details |
|---|---|---|
| default | ||
| HEAD | /isAlive | Check if VuNAPI is running |
| GET | /testStatusCodes | Returns different status codes than specified |
| GET | /kill | Shut down the server |
| GET | /redos | Check if email is valid |
| GET | /exec | Execute any cmd command |
| person | ||
| POST | /person | Create a new person |
| PUT | /person/{id} | Update data of a person |
| DELETE | /person/{id} | Delete a person |
| persons | ||
| GET | /persons | Retrieve all persons |
| GET | /persons/{id} | Retrieve specific person by ID |
| login | ||
| POST | /login | Login to VuNAPI |
| resource | ||
| POST | /resource | Create a new resource |
| PUT | /resource/{id}/lock | Lock a resource |
| PUT | /resource/{id}/unlock | Unlock a resource |
For more details, you can either run VuNAPI and visit http://127.0.0.1:3000/api or use a service like the Swagger Editor by supplying the OpenAPI specification which can be downloaded from http://127.0.0.1:3000/api-json.
VuNAPI is designed to work with Docker. This is the only way to enable/disable different vulnerabilities and choose between various authentication methods.
Before starting VuNAPI, you must first decide which authentication method to use.
You can choose between three types of authorization: no-auth, basic-auth, or jwt-auth.
For example, to run VuNAPI without authentication, simply run in the root directory:
docker-compose up --build no-authBy default, all options are enabled. This means, VuNAPI is running by default using HTTP/2 over HTTPS. You can disable the following:
By default, rate limiting is enabled so that VuNAPI behaves like a real API. This can be disabled with the following option:
DISABLE_RATE_LIMITING=true
By default VuNAPI uses HTTP/2 over HTTPS. But it is possible to switch to HTTP/1.1 by using:
DISABLE_HTTP2=true.
If you use this option, HTTP/1.1 is used, but HTTPS is still enabled.
When using HTTP/2, HTTPS cannot be disabled. But if you want to use HTTP/1.1 without HTTPS, add the following option:
DISABLE_HTTPS=true.
Make sure, you are also disabling HTTP/2!
By default, the /kill endpoint is enabled. This can be disabled by using:
DISABLE_KILL_ENDPOINT=true
By default, the RegexDoS vulnerability is enabled. This can be disabled with the following option:
DISABLE_REDOS=true
By default, the OS command injection vulnerability is enabled. This can be disabled with the following option:
DISABLE_CMD_INJECTION=true
By default, the logical-order error vulnerability is enabled. This can be disabled with the following option:
DISABLE_LOGICAL_ORDER_ERROR=true
You can find more details about the vulnerabilities in this document
We welcome and encourage contributions from the community! Here are some ways you can get involved:
- Fork the Repo: Feel free to fork the repository and experiment with your own changes.
- Create Issues: If you encounter any bugs or have suggestions for new features, please create an issue. This helps us keep track of what needs attention.
- Submit Pull Requests: If you've made improvements or fixed bugs, submit a pull request. We love to see contributions from the community and will review them promptly.
- Ask Questions: If you have any questions or need clarification on anything, don't hesitate to ask. We're here to help!
Your contributions make this project great. Thank you for your support and stay safe! 💖