vAPI - Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises

vAPI - Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises
2022-4-19 22:38:15 Author: hakin9.org(查看原文) 阅读量:31 收藏

vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios in the means of Exercises.

PHP
MySQL
PostMan
MITM Proxy

Copying the Code

cd <your-hosting-directory>

git clone https://github.com/roottusk/vapi.git

Setting up the Database

Import vapi.sql into MySQL Database

Configure the DB Credentials in the vapi/.env

Starting MySQL service

Run following command (Linux)

Starting Laravel Server

Go to vapi directory and Run

Setting Up Postman

Import vAPI.postman_collection.json in Postman
Import vAPI_ENV.postman_environment.json in Postman

Use Public Workspace

https://www.postman.com/roottusk/workspace/vapi/

Browse http://localhost/vapi/ for Documentation

After Sending requests, refer to the Postman Tests or Environment for Generated Tokens

Helm can be used to deploy to a Kubernetes namespace. The chart is in the vapi-chart folder. The chart requires one secret named vapi with the following values:

DB_PASSWORD: <database password to use>
DB_USERNAME: <database username to use>

Sample Helm Install Command: helm upgrade --install vapi ./vapi-chart --values=./vapi-chart/values.yaml

*** Important ***

The MYSQL_ROOT_PASSWORD on line 232 in the values.yaml must match that on line 184 in order to work.

OWASP 20th Anniversary

Blackhat Europe 2021 Arsenal

HITB Cyberweek 2021, Abu Dhabi, UAE

@Hack, Riyadh, KSA

APISecure.co

[1] https://apisecurity.io/issue-132-experian-api-leak-breaches-digitalocean-geico-burp-plugins-vapi-lab/

[2] https://dsopas.github.io/MindAPI/references/

[3] https://dzone.com/articles/api-security-weekly-issue-132

[4] https://owasp.org/www-project-vulnerable-web-applications-directory/

[5] https://github.com/arainho/awesome-api-security

[6] https://portswigger.net/daily-swig/introducing-vapi-an-open-source-lab-environment-to-learn-about-api-security

[7] https://apisecurity.io/issue-169-insecure-api-wordpress-plugin-tesla-3rd-party-vulnerability-introducing-vapi/

[1] https://cyc0rpion.medium.com/exploiting-owasp-top-10-api-vulnerabilities-fb9d4b1dd471 (vAPI 1.0 Writeup)

[2] https://www.youtube.com/watch?v=0F5opL_c5-4&list=PLT1Gj1RmR7vqHK60qS5bpNUeivz4yhmbS (Turkish Language) (vAPI 1.1 Walkthrough)

[3] https://medium.com/@jyotiagarwal3190/roottusk-vapi-writeup-341ec99879c (vAPI 1.1 Writeup)

The icon and banner uses image from Flaticon

Original repository: https://github.com/roottusk/vapi

文章来源: https://hakin9.org/vapi-vulnerable-adversely-programmed-interface/
如有侵权请联系:admin#unsafe.sh