vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.
vAPI 
vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios in the means of Exercises.
Requirements
- PHP
- MySQL
- PostMan
- MITM Proxy
Installation (Docker)
docker-compose up -d
Installation (Manual)
Copying the Code
cd <your-hosting-directory>
git clone https://github.com/roottusk/vapi.git
Setting up the Database
Import vapi.sql into MySQL Database
Configure the DB Credentials in the vapi/.env
Starting MySQL service
Run following command (Linux)
service mysqld start
Starting Laravel Server
Go to vapi directory and Run
php artisan serve
Setting Up Postman
- Import
vAPI.postman_collection.jsonin Postman - Import
vAPIENV.postmanenvironment.jsonin Postman
Use Public Workspace
https://www.postman.com/roottusk/workspace/vapi/
Usage
Browse http://localhost/vapi/ for Documentation
After Sending requests, refer to the Postman Tests or Environment for Generated Tokens
Deployment
Helm can be used to deploy to a Kubernetes namespace. The chart is in the vapi-chart folder. The chart requires one secret named vapi with the following values:
DB_PASSWORD: <database password to use>
DB_USERNAME: <database username to use>
Sample Helm Install Command: helm upgrade --install vapi ./vapi-chart --values=./vapi-chart/values.yaml
Important
The MYSQLROOTPASSWORD on line 232 in the values.yaml must match that on line 184 in order to work.
Presented At
OWASP 20th AnniversaryHITB Cyberweek 2021, Abu Dhabi, UAE
Upcoming
Mentions and References
[1] https://apisecurity.io/issue-132-experian-api-leak-breaches-digitalocean-geico-burp-plugins-vapi-lab/[2] https://dsopas.github.io/MindAPI/references/
[3] https://dzone.com/articles/api-security-weekly-issue-132
[4] https://owasp.org/www-project-vulnerable-web-applications-directory/
[5] https://github.com/arainho/awesome-api-security
[6] https://portswigger.net/daily-swig/introducing-vapi-an-open-source-lab-environment-to-learn-about-api-security
[7] https://apisecurity.io/issue-169-insecure-api-wordpress-plugin-tesla-3rd-party-vulnerability-introducing-vapi/
Walkthroughs/Writeups/Videos
[1] https://cyc0rpion.medium.com/exploiting-owasp-top-10-api-vulnerabilities-fb9d4b1dd471 (vAPI 1.0 Writeup)
[2] https://www.youtube.com/watch?v=0F5opL_c5-4&list=PLT1Gj1RmR7vqHK60qS5bpNUeivz4yhmbS (Turkish Language) (vAPI 1.1 Walkthrough)
[3] https://medium.com/@jyotiagarwal3190/roottusk-vapi-writeup-341ec99879c (vAPI 1.1 Writeup)
Acknowledgements
- The icon and banner uses image from Flaticon