Skip to content

jorritfolmer/vulnerable-api

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

112 Commits

.github/workflows

.github/workflows

 
 

openapi

openapi

 
 

test

test

 
 

.coveragerc

.coveragerc

 
 

.dockerignore

.dockerignore

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

README.md

README.md

 
 

requirements-test.txt

requirements-test.txt

 
 

requirements.txt

requirements.txt

 
 

vAPI.db

vAPI.db

 
 

vAPI.py

vAPI.py

 
 

Repository files navigation

What is vAPI

https://github.com/jorritfolmer/vulnerable-api/workflows/vAPI/badge.svg

vAPI is an API written specifically to illustrate common API vulnerabilities. It is implemented using Python Flask + Connexion and consists of a user database and a token database.

How is this version different from all the other vulnerable-API forks on GitHub?

  1. Python 3.6, 3.7, 3.8, 3.9 and 3.10 supported and tested.
  2. OpenAPI first, using Connexion
  3. Includes tests and an OpenAPI 3 fuzzer
  4. It adds a business relevant widget reservation endpoint.
  5. It adds basic application logging (vAPI.log) for purple teaming demo purposes!
  6. Log format is Splunk CIM compliant key=value right out of the box.

Usage

  1. git clone https://github.com/jorritfolmer/vulnerable-api.git
  2. virtualenv venv
  3. source venv/bin/activate
  4. pip install -r requirements
  5. python ./vAPI.py -p <port>
  6. have fun with OWASP ZAP, Burp or Postman

vAPI Process flow

  1. Request token from /tokens
    • Returns an auth token
    • Returns expiration date of auth token
    • Returns a user id
  2. Request widget reservation from /widget
    • Requires the auth token
  3. Request user record from /user/<user_id>
    • Requires the auth token
    • Returns the user record for the user specfied, provided the auth token is not expired and is valid for the user id specified
    • Each user can only access their own record

OpenAPI 3 spec

Also contained in this repo is the API specification file to load in e.g. Burp or OWASP ZAP for fun and profit.

  • OpenAPI Spec 3 (OAS3) file: openapi/vAPI.yaml

Known vulnerabilities

  1. Insecure transport
  2. User enumeration
  3. Information disclosure
  4. Authentication bypass
  5. No input validation
  6. SQL injection
  7. Weak session token crypto
  8. Poor session validation
  9. Plaintext storage of secrets
  10. Command injection
  11. Regex denial of service
  12. Cross Site Scripting
  13. XML XXE and billion laughs
  14. Missing security headers

Vulnerabilities per endpoint

method endpoint input vuln
GET / - 15
GET /tokens - 10
POST /tokens post 14
POST /tokens post:username 2, 6, 8, 13, 14
POST /tokens post:password 2, 6, 8, 13, 14
GET /user/{userid} header:x-auth-token 4, 6, 8, 9
GET /user/{userid} get: userid 2, 6, 10, 12
POST /user header:x-auth-token 4, 6, 8, 9
POST /user post:username 6, 9, 12, 13
POST /user post:username 6, 9, 13
GET /uptime{flag} - 11, 13
POST /widget header:x-auth-token 4, 6, 8, 9
POST /widget post:widget 12

Examples

/tokens endpoint

$ curl -X POST -H "Content-type: application/json" http://localhost:8081/tokens \
-d '
{
  "auth": {
    "passwordCredentials": {
      "username":"user1",
      "password":"pass1"
      }
  }
}'

/widget endpoint

POST /widget HTTP/1.1
Content-Type: application/json
X-Auth-Token: USER TOKEN

{"widget":
    {"name": "widget01"}
}

/user endpoint

POST /user HTTP/1.1
Content-type: application/json
X-Auth-Token: ADMIN TOKEN

{"user":
	{"username": "user",
	"password": "pass"}
}

Docker

  1. docker build -t vapi .
  2. docker run -p 8081:8081 vapi

Testing

From the project root:

pip install -r requirements-test.txt
coverage run -m unittest
coverage report -m

About

Enhanced fork with logging, OpenAPI 3.0 and Python 3 for security monitoring workshops

Resources

Readme
Activity

Stars

38 stars

Watchers

2 watching

Forks

24 forks
Report repository

Languages

  • Python 99.3%
  • Dockerfile 0.7%