VAmPI: Vulnerable REST API with OWASP top 10 vulnerabilities for security testing
VAmPI
VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs. It was created as I wanted a vulnerable API to evaluate the efficiency of tools used to detect security issues in APIs. It includes a switch on/off to allow the API to be vulnerable or not while testing. This allows to cover better the cases for false positives/negatives. VAmPI can also be used for learning/teaching purposes. You can find a bit more details about the vulnerabilities in erev0s.com.
Feature
- Based on OWASP Top 10 vulnerabilities for APIs.
- OpenAPI3 specs and Postman Collection included.
- Global switch on/off to have a vulnerable environment or not.
- Token-Based Authentication (Adjust lifetime from within app.py)
- Available Swagger UI to directly interact with the API
VAmPI’s flow of actions is going like this: an unregistered user can see minimal information about the dummy users included in the API. A user can register and then login to be allowed using the token received during login to post a book. For a book posted the data accepted are the title and a secret about that book. Each book is unique for every user and only the owner of the book should be allowed to view the secret.
A quick rundown of the actions included can be seen in the following table:
| Action | Path | Details |
|---|---|---|
| GET | /createdb | Creates and populates the database with dummy data |
| GET | / | VAmPI home |
| GET | /users/v1 | Displays all users with basic information |
| GET | /users/v1/_debug | Displays all details for all users |
| POST | /users/v1/register | Register new user |
| POST | /users/v1/login | Login to VAmPI |
| GET | /users/v1/{username} | Displays user by username |
| DELETE | /users/v1/{username} | Deletes user by username (Only Admins) |
| PUT | /users/v1/{username}/email | Update a single users email |
| PUT | /users/v1/{username}/password | Update users password |
| GET | /books/v1 | Retrieves all books |
| POST | /books/v1 | Add new book |
| GET | /books/v1/{book} | Retrieves book by title along with secret |
For more details you can either run VAmPI and visit http://127.0.0.1:5000/ui/ or use a service like the swagger editor supplying the OpenAPI specification which can be found in the directory openapi_specs.
List of Vulnerabilities
- SQLi Injection
- Unauthorized Password Change
- Broken Object Level Authorization
- Mass Assignment
- Excessive Data Exposure through debug endpoint
- User and Password Enumeration
- RegexDOS (Denial of Service)
- Lack of Resources & Rate Limiting
- JWT authentication bypass via weak signing key
