/vulnerable-api

Enhanced fork with logging, OpenAPI 3.0 and Python 3 for security monitoring workshops

Primary LanguagePython

What is vAPI

https://github.com/jorritfolmer/vulnerable-api/workflows/vAPI/badge.svg

vAPI is an API written specifically to illustrate common API vulnerabilities. It is implemented using Python Flask + Connexion and consists of a user database and a token database.

How is this version different from all the other vulnerable-API forks on GitHub?

  1. Python 3.6, 3.7, 3.8, 3.9 and 3.10 supported and tested.
  2. OpenAPI first, using Connexion
  3. Includes tests and an OpenAPI 3 fuzzer
  4. It adds a business relevant widget reservation endpoint.
  5. It adds basic application logging (vAPI.log) for purple teaming demo purposes!
  6. Log format is Splunk CIM compliant key=value right out of the box.

Usage

  1. git clone https://github.com/jorritfolmer/vulnerable-api.git
  2. virtualenv venv
  3. source venv/bin/activate
  4. pip install -r requirements
  5. python ./vAPI.py -p <port>
  6. have fun with OWASP ZAP, Burp or Postman

vAPI Process flow

  1. Request token from /tokens
    • Returns an auth token
    • Returns expiration date of auth token
    • Returns a user id
  2. Request widget reservation from /widget
    • Requires the auth token
  3. Request user record from /user/<user_id>
    • Requires the auth token
    • Returns the user record for the user specfied, provided the auth token is not expired and is valid for the user id specified
    • Each user can only access their own record

OpenAPI 3 spec

Also contained in this repo is the API specification file to load in e.g. Burp or OWASP ZAP for fun and profit.

  • OpenAPI Spec 3 (OAS3) file: openapi/vAPI.yaml

Known vulnerabilities

  1. Insecure transport
  2. User enumeration
  3. Information disclosure
  4. Authentication bypass
  5. No input validation
  6. SQL injection
  7. Weak session token crypto
  8. Poor session validation
  9. Plaintext storage of secrets
  10. Command injection
  11. Regex denial of service
  12. Cross Site Scripting
  13. XML XXE and billion laughs
  14. Missing security headers

Vulnerabilities per endpoint

method endpoint input vuln
GET / - 15
GET /tokens - 10
POST /tokens post 14
POST /tokens post:username 2, 6, 8, 13, 14
POST /tokens post:password 2, 6, 8, 13, 14
GET /user/{userid} header:x-auth-token 4, 6, 8, 9
GET /user/{userid} get: userid 2, 6, 10, 12
POST /user header:x-auth-token 4, 6, 8, 9
POST /user post:username 6, 9, 12, 13
POST /user post:username 6, 9, 13
GET /uptime{flag} - 11, 13
POST /widget header:x-auth-token 4, 6, 8, 9
POST /widget post:widget 12

Examples

/tokens endpoint

$ curl -X POST -H "Content-type: application/json" http://localhost:8081/tokens \
-d '
{
  "auth": {
    "passwordCredentials": {
      "username":"user1",
      "password":"pass1"
      }
  }
}'

/widget endpoint

POST /widget HTTP/1.1
Content-Type: application/json
X-Auth-Token: USER TOKEN

{"widget":
    {"name": "widget01"}
}

/user endpoint

POST /user HTTP/1.1
Content-type: application/json
X-Auth-Token: ADMIN TOKEN

{"user":
	{"username": "user",
	"password": "pass"}
}

Docker

  1. docker build -t vapi .
  2. docker run -p 8081:8081 vapi

Testing

From the project root:

pip install -r requirements-test.txt
coverage run -m unittest
coverage report -m