In our recent webinar, we delved into the concept of creating an API security playground tailored for both developer and security teams. The core idea revolves around utilizing intentionally vulnerable APIs as training tools. In this blog post, we'll present a curated list of such APIs, each with its own unique set of characteristics. Some projects are built on REST architecture, while others utilize GraphQL, offering a variety of options to suit your organization's specific needs.

These projects serve as invaluable resources for both security and development teams aiming to deepen their understanding of API security. By working with these intentionally flawed APIs, teams can practice identifying and mitigating vulnerabilities in a controlled environment. This hands-on approach not only enhances their technical skills but also prepares them for real-world scenarios where API security is crucial.

Whether your team is new to API security or looking to sharpen their existing skills, these projects provide the perfect sandbox for experimentation and learning. By integrating these resources into your training regimen, you can foster a culture of security awareness and continuous improvement within your organization.

crAPI from OWASP

crAPI (Completely Ridiculous API) is an OWASP project that simulates an API-driven, microservice-based web application filled with vulnerabilities from the OWASP API Security Top 10.

Key features:

• Specializes in common vulnerabilities found in modern API-based applications
• Challenges based on real-life vulnerabilities found in APIs of big companies
• Offers a range of difficulty levels for learning and practice

Deployed with Docker.
https://github.com/OWASP/crAPI

VAmPI

VAmPI (Vulnerable API) is a vulnerable API made with Flask that includes vulnerabilities from the OWASP Top 10 for APIs.

What it offers:

• OpenAPI3 specs and Postman Collection included
• A global switch to toggle between vulnerable and secure environments
• Token-based authentication and Swagger UI for interaction
• Covers vulnerabilities like SQLi, unauthorized password changes, broken object-level authorization, and more

VAmPI is coded in Python (Flask0, and deployed with Docker. Postman collection provided.
https://github.com/erev0s/VAmPI

vAPI

First presented at Blackhat Arsenal 2021, vAPI stands for Vulnerable Adversely Programmed Interface, a self-hosted API that mimics the OWASP API Top 10 scenarios in the form of exercises.

Key features:

• Comes with the exercises
• The Postman collection is also included

Developed in PHP. Deployed as Docker.
https://github.com/roottusk/vapi

Damn Vulnerable GraphQL Application (DVGA)

DVGA is an intentionally vulnerable GraphQL application designed to help security professionals and developers understand common GraphQL vulnerabilities.

Highlights:

• Focuses specifically on GraphQL vulnerabilities
• Includes authentication bypass, injection, and more
• Provides a playground for hands-on testing

Deployed as Docker. 
https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application

OWASP Juice Shop

OWASP Juice Shop is a popular open-source project that provides vulnerable web applications and APIs. It covers a wide range of vulnerabilities, including those from the OWASP API Security Top 10.

Key features:

• REST API with various vulnerabilities
• Covers authentication, authorization, injection, and more
• Includes a comprehensive tutorial and documentation

Developed in Node.js. Deployed as Docker.

DVWS-node - Deployed as Docker

Damn Vulnerable Web Services is a vulnerable application with a web service and an API that can be used to learn about web services/API-related vulnerabilities.

Key features:

• A good list of provided vulnerabilities
• Offers solutions for those who are stuck

Deployed as Docker.
https://github.com/snoopysecurity/dvws-node

Damn Vulnerable RESTaurant

Damn Vulnerable RESTaurant is an intentionally vulnerable API service designed for learning and training purposes. It focuses on identifying and fixing web API security vulnerabilities in a Python FastAPI-based restaurant API.

Highlights:

• Beneficial for Python developers, ethical hackers, and security engineers
• Vulnerabilities cover the most popular API issues, including OWASP's Top 10 API Security Risks
• It can be extended with new vulnerable endpoints and mechanisms for training sessions

Deployed as Docker.
https://github.com/theowni/Damn-Vulnerable-RESTaurant-API-Game

Conclusion

Exploring intentionally vulnerable API projects helps security professionals and developers gain practical experience in identifying and mitigating API vulnerabilities. These projects provide a safe, controlled environment where teams can hone their skills and enhance their understanding of API security. It's also common to use these projects in lab environments to test the efficiency of various API security products and tools. By practicing with these flawed APIs, teams can better prepare for real-world scenarios, improving their ability to protect against potential threats and ensuring the robustness of their security measures.