vAPI is an API written specifically to illustrate common API vulnerabilities. It is implemented using Python Flask + Connexion and consists of a user database and a token database.
- Python 3.6, 3.7, 3.8, 3.9 and 3.10 supported and tested.
- OpenAPI first, using Connexion
- Includes tests and an OpenAPI 3 fuzzer
- It adds a business relevant widget reservation endpoint.
- It adds basic application logging (vAPI.log) for purple teaming demo purposes!
- Log format is Splunk CIM compliant key=value right out of the box.
git clone https://github.com/jorritfolmer/vulnerable-api.git
virtualenv venv
source venv/bin/activate
pip install -r requirements
python ./vAPI.py -p <port>
- have fun with OWASP ZAP, Burp or Postman
- Request token from /tokens
- Returns an auth token
- Returns expiration date of auth token
- Returns a user id
- Request widget reservation from /widget
- Requires the auth token
- Request user record from /user/<user_id>
- Requires the auth token
- Returns the user record for the user specfied, provided the auth token is not expired and is valid for the user id specified
- Each user can only access their own record
Also contained in this repo is the API specification file to load in e.g. Burp or OWASP ZAP for fun and profit.
- OpenAPI Spec 3 (OAS3) file:
openapi/vAPI.yaml
- Insecure transport
- User enumeration
- Information disclosure
- Authentication bypass
- No input validation
- SQL injection
- Weak session token crypto
- Poor session validation
- Plaintext storage of secrets
- Command injection
- Regex denial of service
- Cross Site Scripting
- XML XXE and billion laughs
- Missing security headers
method | endpoint | input | vuln |
---|---|---|---|
GET | / | - | 15 |
GET | /tokens | - | 10 |
POST | /tokens | post | 14 |
POST | /tokens | post:username | 2, 6, 8, 13, 14 |
POST | /tokens | post:password | 2, 6, 8, 13, 14 |
GET | /user/{userid} | header:x-auth-token | 4, 6, 8, 9 |
GET | /user/{userid} | get: userid | 2, 6, 10, 12 |
POST | /user | header:x-auth-token | 4, 6, 8, 9 |
POST | /user | post:username | 6, 9, 12, 13 |
POST | /user | post:username | 6, 9, 13 |
GET | /uptime{flag} | - | 11, 13 |
POST | /widget | header:x-auth-token | 4, 6, 8, 9 |
POST | /widget | post:widget | 12 |
$ curl -X POST -H "Content-type: application/json" http://localhost:8081/tokens \
-d '
{
"auth": {
"passwordCredentials": {
"username":"user1",
"password":"pass1"
}
}
}'
POST /widget HTTP/1.1
Content-Type: application/json
X-Auth-Token: USER TOKEN
{"widget":
{"name": "widget01"}
}
POST /user HTTP/1.1
Content-type: application/json
X-Auth-Token: ADMIN TOKEN
{"user":
{"username": "user",
"password": "pass"}
}
docker build -t vapi .
docker run -p 8081:8081 vapi
From the project root:
pip install -r requirements-test.txt
coverage run -m unittest
coverage report -m