Damn Vulnerable RESTaurant: An intentionally vulnerable Web API game for learning and training
Damn Vulnerable RESTaurant
An intentionally vulnerable API service designed for learning and training purposes dedicated to developers, ethical hackers, and security engineers. The idea of the project is to provide an environment that can be easily extended with new vulnerable endpoints and mechanisms that could be used in training for detecting and exploiting identified vulnerabilities.
It’s a training playground:
- For Developers – engage in a dedicated game where you will identify and fix vulnerabilities interactively.
- For Ethical Hackers – exploit vulnerabilities manually or use automated tools. Treat it as a CTF challenge: you can start from a low-privileged API user and escalate to the root user. There is one path to achieve this. API docs are provided to facilitate your hacking adventure.
- For Security Engineers – utilize various security automation tools such as SAST, DAST, IaC, etc., to test vulnerability detection mechanisms.
The application contains more vulnerabilities than those presented in the challenge, and various paths can be taken to achieve root access, starting from an unauthenticated API user. The vulnerabilities are associated with the OWASP Top 10 API Security Risks 2023 such as:
- Insufficient Authorization Checks
- Server-side Request Forgery (SSRF)
- Remote Code Execution (RCE)
- Broken Authentication and JWT Issues
- Security Misconfigurations
- Denial of Service Issues
Development Stack
It is developed with the Python FastAPI framework and uses a PostgreSQL database. The environment is containerized and can be easily deployed locally with Docker. With Python and FastAPI it’s rather simple to extend the application with new vulnerable features in a short amount of time.
Damn Vulnerable RESTaurant is not limited to any specific type of API, as endpoints may utilize REST API, GraphQL, and others. It’s a restaurant, so various dishes might be served there over time!
Install & Use
Copyright (C) 2024 Krzysztof Pranczk