vAPI
vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios as a set of exercises.
Github link: https://github.com/roottusk/vapi
API1 - Broken Object Level Authorization
You can register yourself as a User. That's it... or is there something more?
Create a User

The other endpoints require the base64 encoding of username:password as the token.
Proxy the request through Burp Suite. Because of the BOLA flaw, it is possible to view the details of other accounts.


Using the PUT endpoint, it is also possible to update other users' details.


API2 - Broken Authentication
We don't seem to have credentials for this. How do we log in? (There's something in the Resources folder given to you.)
Checking the resources folder, there is a CSV with credentials. Use Burp Intruder with the pitchfork attack type to brute-force the credentials. Once a valid pair is found, an access token is returned that can be used for the remaining endpoint, which reveals the flag.


API4 - Lack of Resources & Rate Limiting
We believe OTPs are a great way of authenticating users, and secure too if implemented correctly!
Log in using the login endpoint.

Any guessed OTP is rejected as incorrect, but nothing limits the number of attempts, so send the request to Intruder and brute-force the OTP.


API5 - Broken Function Level Authorization
You can register yourself as a User. That's it... or is there something more? (I heard the admin logs in often but uses a different route.)
Create a new user.

Changing the method to GET and the path to /vapi/api5/users reveals the flag.

API6 - Mass Assignment
Welcome to our store. We will give you credits if you behave nicely. Our credit management is super secure.
Create a user.

Use the token to access the next endpoint, which shows the user's credit.

When creating a new user, add a credit field to the JSON body; the server binds it to the new account, and the flag is shown.
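As an added illustration of the API6 flaw and its fix (constructed Python, not vAPI's own code; all names are made up), the vulnerable handler copies every JSON key onto the user record, while the hardened one binds only an allowlisted set of fields and rejects anything else, so a client-supplied credit is refused with a 400:

```python
from dataclasses import dataclass

# Fields a client may set at registration. "credit" is server-owned and absent here.
REGISTRATION_FIELDS = {"username", "password", "name"}
REQUIRED_FIELDS = {"username", "password"}

@dataclass
class User:
    username: str
    password: str          # stored as-is for brevity; a real service would hash it
    name: str = ""
    credit: int = 0        # balance the server grants; never client-controlled

def create_user_vulnerable(body: dict) -> User:
    """Blind fill: every key in the request body becomes an attribute on the model,
    like an ORM fill() without a guarded column list. A client who adds "credit"
    to the JSON chooses their own starting balance."""
    user = User(username=body["username"], password=body["password"])
    for key, value in body.items():
        setattr(user, key, value)
    return user

def create_user_hardened(body: dict) -> User:
    """Allowlist binding: only REGISTRATION_FIELDS are read from the body and any
    extra key is rejected outright, so a smuggled "credit" never reaches the model."""
    unexpected = set(body) - REGISTRATION_FIELDS
    if unexpected:
        raise ValueError(f"unexpected field(s): {sorted(unexpected)}")
    missing = REQUIRED_FIELDS - set(body)
    if missing:
        raise ValueError(f"missing field(s): {sorted(missing)}")
    return User(username=str(body["username"]), password=str(body["password"]),
                name=str(body.get("name", "")))

def handle_registration(body: dict, create=create_user_hardened) -> tuple:
    """Stand-in for the HTTP layer: validation failures become a 400 response."""
    try:
        user = create(body)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    return 201, {"username": user.username, "credit": user.credit}

# Constructed registration body carrying a smuggled, server-owned field.
TAMPERED_REGISTRATION = {"username": "alice", "password": "s3cret",
                         "name": "Alice", "credit": 1000}

if __name__ == "__main__":
    print(handle_registration(TAMPERED_REGISTRATION, create_user_vulnerable))  # 201, credit 1000
    print(handle_registration(TAMPERED_REGISTRATION))                          # 400, unexpected field
```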

API7 - Security Misconfiguration
Hey, it's an API, right? So we ARE expecting Cross-Origin Requests. We just hope it works fine.
Create a user, log in, and add an Origin header to the request to get the flag.



API8 - Injection
I think you won't get credentials for this. You can try to log in, though.
Save the login request from Burp and feed it to sqlmap.


API9 - Improper Assets Management
Hey, good news!!!!! We just launched our v2 API :)
Rate limiting is enabled on v2 but not on v1, so change the path to the v1 version and brute-force the PIN to get the flag.


API10 - Insufficient Logging and Monitoring
