vAPI v1.3 releases: Vulnerable Adversely Programmed Interface

by do son · Published February 15, 2022 · Updated November 27, 2022

vAPI

vAPI is a Vulnerable Adversely Programmed Interface which is a Self-Hostable API that mimics OWASP API Top 10 scenarios in the means of Exercise.

The API used or developed might ease the development process but a lot of vulnerabilities can come up if not developed or configured properly. vAPI is a Vulnerable Adversely Programmed Interface in a Lab-like environment that mimics the scenarios from OWASP API Top 10 and helps the user understand and exploit the vulnerabilities according to OWASP API Top 10 2019. It might be useful for Developers as well as Penetration Testers to understand the type of vulnerabilities in APIs. The lab is divided into 10 exercises that sequentially demonstrate the vulnerabilities and give a flag if exploited successfully.

OWASP’s 2019 list documents the following causes:

API1:2019 Broken Object Level Authorization: exposed endpoints that handle object identifiers
API2:2019 Broken User Authentication: Failures to manage authentication correctly
API3:2019 Excessive Data Exposure: Includes object property exposures
API4:2019 Lack of Resources and Rate Limiting: No limits placed on resource sizes or numbers, potentially degrading performance and opening the way for brute-force attacks
API5:2019 Broken Function Level Authorization: Poor management of access controls
API6:2019 Mass Assignment: Filter failures, allowing malicious object modification
API7:2019 Security Misconfiguration: Default configurations, errors, and permissive cross-origin resource sharing
API8:2019 Injection: Including SQL, NoSQL, and command injection flaws
API9:2019 Improper Assets Management
API10:2019 Insufficient Logging and Monitoring