vAPI

vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios in the means of Exercises.

Requirements

• PHP
• MySQL
• PostMan
• MITM Proxy

Installation (Docker)

docker-compose up -d

Updating

You can clone new code but may need to run the following for a fresh spin before running docker-compose

docker rm -f $(docker ps -a -q)
docker volume rm $(docker volume ls -q)

Installation (Manual)

Copying the Code

cd <your-hosting-directory>

git clone https://github.com/roottusk/vapi.git

Setting up the Database

Import vapi.sql into MySQL Database

Configure the DB Credentials in the vapi/.env

Starting MySQL service

Run following command (Linux)

service mysqld start

Starting Laravel Server

Go to vapi directory and Run

php artisan serve

Setting Up Postman

• Import vAPI.postman_collection.json in Postman
• Import vAPI_ENV.postman_environment.json in Postman

OR

Use Public Workspace

https://www.postman.com/roottusk/workspace/vapi/

Usage

Browse http://localhost/vapi/ for Documentation

After Sending requests, refer to the Postman Tests or Environment for Generated Tokens

Presented At

OWASP 20th Anniversary

Upcoming

Blackhat Europe 2021 Arsenal

Mentions and References

[1] https://apisecurity.io/issue-132-experian-api-leak-breaches-digitalocean-geico-burp-plugins-vapi-lab/

[2] https://dsopas.github.io/MindAPI/references/

[3] https://dzone.com/articles/api-security-weekly-issue-132

[4] https://owasp.org/www-project-vulnerable-web-applications-directory/

[5] https://github.com/arainho/awesome-api-security

Walkthroughs/Writeups

[1] https://cyc0rpion.medium.com/exploiting-owasp-top-10-api-vulnerabilities-fb9d4b1dd471

Acknowledgements

• The icon and banner uses image from Flaticon