Home

Awesome

VAmPI

The Vulnerable API (Based on OpenAPI 3) vampi

Docker Image CI Docker Pulls

VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs. It was created as I wanted a vulnerable API to evaluate the efficiency of tools used to detect security issues in APIs. It includes a switch on/off to allow the API to be vulnerable or not while testing. This allows to cover better the cases for false positives/negatives. VAmPI can also be used for learning/teaching purposes. You can find a bit more details about the vulnerabilities in erev0s.com.

Features

VAmPI's flow of actions is going like this: an unregistered user can see minimal information about the dummy users included in the API. A user can register and then login to be allowed using the token received during login to post a book. For a book posted the data accepted are the title and a secret about that book. Each book is unique for every user and only the owner of the book should be allowed to view the secret.

A quick rundown of the actions included can be seen in the following table:

ActionPathDetails
GET/createdbCreates and populates the database with dummy data
GET/VAmPI home
GET/meDisplays the user that is logged in
GET/users/v1Displays all users with basic information
GET/users/v1/_debugDisplays all details for all users
POST/users/v1/registerRegister new user
POST/users/v1/loginLogin to VAmPI
GET/users/v1/{username}Displays user by username
DELETE/users/v1/{username}Deletes user by username (Only Admins)
PUT/users/v1/{username}/emailUpdate a single users email
PUT/users/v1/{username}/passwordUpdate users password
GET/books/v1Retrieves all books
POST/books/v1Add new book
GET/books/v1/{book}Retrieves book by title along with secret

For more details you can either run VAmPI and visit http://127.0.0.1:5000/ui/ or use a service like the swagger editor supplying the OpenAPI specification which can be found in the directory openapi_specs.

List of Vulnerabilities

Run it

It is a Flask application so in order to run it you can install all requirements and then run the app.py. To install all requirements simply run pip3 install -r requirements.txt and then python3 app.py.

Or if you prefer you can also run it through docker or docker compose.

Run it through Docker

docker run -p 5000:5000 erev0s/vampi:latest

[Note: if you run Docker on newer versions of the MacOS, use -p 5001:5000 to avoid conflicting with the AirPlay Receiver service. Alternatively, you could disable the AirPlay Receiver service in your System Preferences -> Sharing settings.]

Run it through Docker Compose

docker-compose contains two instances, one instance with the secure configuration on port 5001 and another with insecure on port 5002:

docker-compose up -d

Available Swagger UI :rocket:

Visit the path /ui where you are running the API and a Swagger UI will be available to help you get started!

http://127.0.0.1:5000/ui/

Customizing token timeout and vulnerable environment or not

If you would like to alter the timeout of the token created after login or if you want to change the environment not to be vulnerable then you can use a few ways depending how you run the application.

Frequently asked questions

Picture from freepik - www.freepik.com