vAPI - Vulnerable Adversely Programmed Interface Which Is Self-Hostable API That Mimics OWASP API Top 10 Scenarios Through Exercises
vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios in the means of Exercises.
Requirements
- PHP
- MySQL
- PostMan
- MITM Proxy
Installation (Docker)
docker-compose up -d
Installation (Manual)
Copying the Code
cd <your-hosting-directory>
git clone https://github.com/roottusk/vapi.git
Setting up the Database
Import vapi.sql
into MySQL Database
Configure the DB Credentials in the vapi/.env
Starting MySQL service
Run following command (Linux)
service mysqld start
Starting Laravel Server
Go to vapi
directory and Run
php artisan serve
Setting Up Postman
- Import
vAPI.postman_collection.json
in Postman - Import
vAPI_ENV.postman_environment.json
in Postman
OR
Use Public Workspace
https://www.postman.com/roottusk/workspace/vapi/
Usage
Browse http://localhost/vapi/
for Documentation
After Sending requests, refer to the Postman Tests or Environment for Generated Tokens
Deployment
Helm can be used to deploy to a Kubernetes namespace. The chart is in the vapi-chart
folder. The chart requires one secret named vapi
with the following values:
DB_PASSWORD: <database password to use>
DB_USERNAME: <database username to use>
Sample Helm Install Command: helm upgrade --install vapi ./vapi-chart --values=./vapi-chart/values.yaml
*** Important ***
The MYSQL_ROOT_PASSWORD on line 232 in the values.yaml
must match that on line 184 in order to work.
Presented At
HITB Cyberweek 2021, Abu Dhabi, UAE
Upcoming
Mentions and References
[2] https://dsopas.github.io/MindAPI/references/
[3] https://dzone.com/articles/api-security-weekly-issue-132
[4] https://owasp.org/www-project-vulnerable-web-applications-directory/
[5] https://github.com/arainho/awesome-api-security
Walkthroughs/Writeups/Videos
[1] https://cyc0rpion.medium.com/exploiting-owasp-top-10-api-vulnerabilities-fb9d4b1dd471 (vAPI 1.0 Writeup)
[2] https://www.youtube.com/watch?v=0F5opL_c5-4&list=PLT1Gj1RmR7vqHK60qS5bpNUeivz4yhmbS (Turkish Language) (vAPI 1.1 Walkthrough)
[3] https://medium.com/@jyotiagarwal3190/roottusk-vapi-writeup-341ec99879c (vAPI 1.1 Writeup)
Acknowledgements
- The icon and banner uses image from Flaticon