VAmPI: Vulnerable REST API with OWASP top 10 vulnerabilities
VAmPI
The Vulnerable API (Based on OpenAPI 3)
VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs. It was created as I wanted a vulnerable API to evaluate the efficiency of tools used to detect security issues in APIs. It includes a switch on/off to allow the API to be vulnerable or not while testing. This allows us to cover better the cases for false positives/negatives. VAmPI can also be used for learning/teaching purposes. You can find a bit more details about the vulnerabilities on erev0s.com.
Features
- Based on OWASP Top 10 vulnerabilities for APIs.
- OpenAPI3 specs and Postman Collection included.
- Global switch on/off to have a vulnerable environment or not.
- Token-Based Authentication (Adjust lifetime from within app.py)
VAmPI’s flow of actions is going like this: an unregistered user can see minimal information about the dummy users included in the API. A user can register and then login to be allowed using the token received during login to post a book. For a book posted the data accepted are the title and a secret about that book. Each book is unique for every user and only the owner of the book should be allowed to view the secret.
A quick rundown of the actions included can be seen in the following table:
Action | Path | Details |
---|---|---|
GET | /createdb | Creates and populates the database with dummy data |
GET | / | VAmPI home |
GET | /users/v1 | Displays all users with basic information |
GET | /users/v1/_debug | Displays all details for all users |
POST | /users/v1/register | Register new user |
POST | /users/v1/login | Login to VAmPI |
GET | /users/v1/{username} | Displays user by username |
DELETE | /users/v1/{username} | Deletes user by username (Only Admins) |
PUT | /users/v1/{username}/email | Update a single users email |
PUT | /users/v1/{username}/password | Update users password |
GET | /books/v1 | Retrieves all books |
POST | /books/v1 | Add new book |
GET | /books/v1/{book} | Retrieves book by title along with secret |
For more details, you can use a service like the swagger editor supplying it the OpenAPI specification which can be found in the directory openapi_specs.
List of Vulnerabilities
- SQLi Injection
- Unauthorized Password Change
- Broken Object Level Authorization
- Mass Assignment
- Excessive Data Exposure through debug endpoint
- User and Password Enumeration
- RegexDOS (Denial of Service)
- Lack of Resources & Rate Limiting
Install
Copyright (c) 2020 erev0s