VAmPI: Vulnerable REST API with OWASP top 10 vulnerabilities

Vulnerable REST API

VAmPI

The Vulnerable API (Based on OpenAPI 3)

VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs. It was created as I wanted a vulnerable API to evaluate the efficiency of tools used to detect security issues in APIs. It includes a switch on/off to allow the API to be vulnerable or not while testing. This allows us to cover better the cases for false positives/negatives. VAmPI can also be used for learning/teaching purposes. You can find a bit more details about the vulnerabilities on erev0s.com.

Features

  • Based on OWASP Top 10 vulnerabilities for APIs.
  • OpenAPI3 specs and Postman Collection included.
  • Global switch on/off to have a vulnerable environment or not.
  • Token-Based Authentication (Adjust lifetime from within app.py)

VAmPI’s flow of actions is going like this: an unregistered user can see minimal information about the dummy users included in the API. A user can register and then login to be allowed using the token received during login to post a book. For a book posted the data accepted are the title and a secret about that book. Each book is unique for every user and only the owner of the book should be allowed to view the secret.

A quick rundown of the actions included can be seen in the following table:

Action Path Details
GET /createdb Creates and populates the database with dummy data
GET / VAmPI home
GET /users/v1 Displays all users with basic information
GET /users/v1/_debug Displays all details for all users
POST /users/v1/register Register new user
POST /users/v1/login Login to VAmPI
GET /users/v1/{username} Displays user by username
DELETE /users/v1/{username} Deletes user by username (Only Admins)
PUT /users/v1/{username}/email Update a single users email
PUT /users/v1/{username}/password Update users password
GET /books/v1 Retrieves all books
POST /books/v1 Add new book
GET /books/v1/{book} Retrieves book by title along with secret

For more details, you can use a service like the swagger editor supplying it the OpenAPI specification which can be found in the directory openapi_specs.

List of Vulnerabilities

  • SQLi Injection
  • Unauthorized Password Change
  • Broken Object Level Authorization
  • Mass Assignment
  • Excessive Data Exposure through debug endpoint
  • User and Password Enumeration
  • RegexDOS (Denial of Service)
  • Lack of Resources & Rate Limiting

Install

Copyright (c) 2020 erev0s