vAPI v1.3 releases: Vulnerable Adversely Programmed Interface

Vulnerable Adversely Programmed Interface

vAPI

vAPI is a Vulnerable Adversely Programmed Interface which is a Self-Hostable API that mimics OWASP API Top 10 scenarios in the means of Exercise.

The API used or developed might ease the development process but a lot of vulnerabilities can come up if not developed or configured properly. vAPI is a Vulnerable Adversely Programmed Interface in a Lab-like environment that mimics the scenarios from OWASP API Top 10 and helps the user understand and exploit the vulnerabilities according to OWASP API Top 10 2019. It might be useful for Developers as well as Penetration Testers to understand the type of vulnerabilities in APIs. The lab is divided into 10 exercises that sequentially demonstrate the vulnerabilities and give a flag if exploited successfully.

OWASP’s 2019 list documents the following causes:

  • API1:2019 Broken Object Level Authorization: exposed endpoints that handle object identifiers
  • API2:2019 Broken User Authentication: Failures to manage authentication correctly
  • API3:2019 Excessive Data Exposure: Includes object property exposures
  • API4:2019 Lack of Resources and Rate Limiting: No limits placed on resource sizes or numbers, potentially degrading performance and opening the way for brute-force attacks
  • API5:2019 Broken Function Level Authorization: Poor management of access controls
  • API6:2019 Mass Assignment: Filter failures, allowing malicious object modification
  • API7:2019 Security Misconfiguration: Default configurations, errors, and permissive cross-origin resource sharing
  • API8:2019 Injection: Including SQL, NoSQL, and command injection flaws
  • API9:2019 Improper Assets Management
  • API10:2019 Insufficient Logging and Monitoring

Changelog v1.3

New Challenges

  • JWT Token
  • SSRF (Server Side Request Forgery) (Note: Flag is only available in Docker Image)
  • XSS (Cross-Site Scripting)

What’s Changed

Install & Use

Copyright (C) 2022 roottusk