vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios in the means of Exercises.
- PHP
- MySQL
- PostMan
- MITM Proxy
docker-compose up -d
You can clone new code but may need to run the following for a fresh spin before running docker-compose
docker rm -f $(docker ps -a -q)
docker volume rm $(docker volume ls -q)
cd <your-hosting-directory>
git clone https://github.com/roottusk/vapi.git
Import vapi.sql
into MySQL Database
Configure the DB Credentials in the vapi/.env
Run following command (Linux)
service mysqld start
Go to vapi
directory and Run
php artisan serve
- Import
vAPI.postman_collection.json
in Postman - Import
vAPI_ENV.postman_environment.json
in Postman
OR
Use Public Workspace
https://www.postman.com/roottusk/workspace/vapi/
Browse http://localhost/vapi/
for Documentation
After Sending requests, refer to the Postman Tests or Environment for Generated Tokens
[2] https://dsopas.github.io/MindAPI/references/
[3] https://dzone.com/articles/api-security-weekly-issue-132
[4] https://owasp.org/www-project-vulnerable-web-applications-directory/
[5] https://github.com/arainho/awesome-api-security
[1] https://cyc0rpion.medium.com/exploiting-owasp-top-10-api-vulnerabilities-fb9d4b1dd471
- The icon and banner uses image from Flaticon