Skip to content
/ vapi Public

vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.

License

Notifications You must be signed in to change notification settings

roottusk/vapi

Repository files navigation

vAPI Tweet

Docker Build Status License: GPL v3 Version PHP Laravel Issues

vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios in the means of Exercises.

Requirements

  • PHP
  • MySQL
  • PostMan
  • MITM Proxy

Installation (Docker)

docker-compose up -d

Installation (Manual)

Copying the Code

cd <your-hosting-directory>
git clone https://github.com/roottusk/vapi.git

Setting up the Database

Import vapi.sql into MySQL Database

Configure the DB Credentials in the vapi/.env

Starting MySQL service

Run following command (Linux)

service mysqld start

Starting Laravel Server

Go to vapi directory and Run

php artisan serve

Setting Up Postman

  • Import vAPI.postman_collection.json in Postman
  • Import vAPI_ENV.postman_environment.json in Postman

OR

Use Public Workspace

https://www.postman.com/roottusk/workspace/vapi/

Usage

Browse http://localhost/vapi/ for Documentation

After Sending requests, refer to the Postman Tests or Environment for Generated Tokens

Deployment

Helm can be used to deploy to a Kubernetes namespace. The chart is in the vapi-chart folder. The chart requires one secret named vapi with the following values:

DB_PASSWORD: <database password to use>
DB_USERNAME: <database username to use>

Sample Helm Install Command: helm upgrade --install vapi ./vapi-chart --values=./vapi-chart/values.yaml

*** Important ***

The MYSQL_ROOT_PASSWORD on line 232 in the values.yaml must match that on line 184 in order to work.

Presented At

OWASP 20th Anniversary

Blackhat Europe 2021 Arsenal

HITB Cyberweek 2021, Abu Dhabi, UAE

@Hack, Riyadh, KSA

Upcoming

APISecure.co

Mentions and References

[1] https://apisecurity.io/issue-132-experian-api-leak-breaches-digitalocean-geico-burp-plugins-vapi-lab/

[2] https://dsopas.github.io/MindAPI/references/

[3] https://dzone.com/articles/api-security-weekly-issue-132

[4] https://owasp.org/www-project-vulnerable-web-applications-directory/

[5] https://github.com/arainho/awesome-api-security

[6] https://portswigger.net/daily-swig/introducing-vapi-an-open-source-lab-environment-to-learn-about-api-security

[7] https://apisecurity.io/issue-169-insecure-api-wordpress-plugin-tesla-3rd-party-vulnerability-introducing-vapi/

Walkthroughs/Writeups/Videos

[1] https://cyc0rpion.medium.com/exploiting-owasp-top-10-api-vulnerabilities-fb9d4b1dd471 (vAPI 1.0 Writeup)

[2] https://www.youtube.com/watch?v=0F5opL_c5-4&list=PLT1Gj1RmR7vqHK60qS5bpNUeivz4yhmbS (Turkish Language) (vAPI 1.1 Walkthrough)

[3] https://medium.com/@jyotiagarwal3190/roottusk-vapi-writeup-341ec99879c (vAPI 1.1 Writeup)

Acknowledgements

  • The icon and banner uses image from Flaticon