
roottusk / vapi

License: GPL-3.0
vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios through exercises.


Projects that are alternatives of or similar to vapi

juice-shop
OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
Stars: ✭ 7,533 (+1017.66%)
Mutual labels:  owasp, appsec, owasp-top-10, owasp-top-ten
Juice Shop
OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
Stars: ✭ 6,270 (+830.27%)
Mutual labels:  owasp, appsec, owasp-top-10, owasp-top-ten
tutorials
Additional Resources For Securing The Stack Tutorials
Stars: ✭ 36 (-94.66%)
Mutual labels:  owasp, appsec, appsec-tutorials
Resources-for-Application-Security
Some good resources for getting started with application security
Stars: ✭ 97 (-85.61%)
Mutual labels:  owasp, appsec, appsec-tutorials
sqlinjection-training-app
A simple PHP application to learn SQL Injection detection and exploitation techniques.
Stars: ✭ 56 (-91.69%)
Mutual labels:  appsec, owasp-top-10, owasp-top-ten
Wstg
The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
Stars: ✭ 3,873 (+474.63%)
Mutual labels:  owasp, bugbounty
BugHunter
No description or website provided.
Stars: ✭ 23 (-96.59%)
Mutual labels:  cors, bugbounty
OversecuredVulnerableiOSApp
Oversecured Vulnerable iOS App
Stars: ✭ 138 (-79.53%)
Mutual labels:  appsec, vulnerable-application
Cazador unr
Hacking tools
Stars: ✭ 95 (-85.91%)
Mutual labels:  owasp, bugbounty
www-project-code-review-guide
OWASP Code Review Guide Web Repository
Stars: ✭ 74 (-89.02%)
Mutual labels:  owasp, appsec
zap-sonar-plugin
Integrates OWASP Zed Attack Proxy reports into SonarQube
Stars: ✭ 66 (-90.21%)
Mutual labels:  owasp, appsec
Zap Hud
The OWASP ZAP Heads Up Display (HUD)
Stars: ✭ 201 (-70.18%)
Mutual labels:  owasp, appsec
Sbt Dependency Check
SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). 🌈
Stars: ✭ 187 (-72.26%)
Mutual labels:  owasp, appsec
Xrcross
XRCross is a Reconstruction, Scanner, and a tool for penetration / BugBounty testing. This tool was built to test (XSS|SSRF|CORS|SSTI|IDOR|RCE|LFI|SQLI) vulnerabilities
Stars: ✭ 175 (-74.04%)
Mutual labels:  cors, bugbounty
Securityrat
OWASP SecurityRAT (version 1.x) - Tool for handling security requirements in development
Stars: ✭ 115 (-82.94%)
Mutual labels:  owasp, appsec
nodejssecurity
Documentation for Essential Node.js Security
Stars: ✭ 64 (-90.5%)
Mutual labels:  owasp, appsec
bWAPP
bWAPP latest modified for PHP7
Stars: ✭ 30 (-95.55%)
Mutual labels:  owasp, owasp-top-10
www-project-vulnerable-web-applications-directory
The OWASP Vulnerable Web Applications Directory (VWAD) Project - OWASP Web Site
Stars: ✭ 10 (-98.52%)
Mutual labels:  owasp, appsec
Blackwidow
A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website.
Stars: ✭ 887 (+31.6%)
Mutual labels:  owasp, bugbounty
Zaproxy
The OWASP ZAP core project
Stars: ✭ 9,078 (+1246.88%)
Mutual labels:  owasp, appsec

vAPI

vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios in the form of exercises.

Requirements

  • PHP
  • MySQL
  • Postman
  • MITM Proxy

Installation (Docker)

docker-compose up -d

Installation (Manual)

Copying the Code

cd <your-hosting-directory>
git clone https://github.com/roottusk/vapi.git

Setting up the Database

Import vapi.sql into a MySQL database.

Configure the DB credentials in vapi/.env.

Starting MySQL service

Run the following command (Linux):

service mysqld start

Starting Laravel Server

Go to the vapi directory and run:

php artisan serve

Setting Up Postman

  • Import vAPI.postman_collection.json in Postman
  • Import vAPI_ENV.postman_environment.json in Postman

OR

Use Public Workspace

https://www.postman.com/roottusk/workspace/vapi/

Usage

Browse http://localhost/vapi/ for the documentation.

After sending requests, refer to the Postman Tests or Environment for the generated tokens.

Deployment

Helm can be used to deploy to a Kubernetes namespace. The chart is in the vapi-chart folder. The chart requires one secret named vapi with the following values:

DB_PASSWORD: <database password to use>
DB_USERNAME: <database username to use>

Sample Helm install command: helm upgrade --install vapi ./vapi-chart --values=./vapi-chart/values.yaml

*** Important ***

The MYSQL_ROOT_PASSWORD on line 232 of values.yaml must match the one on line 184, otherwise the deployment will not work.
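The two deployment prerequisites above (a Secret named vapi carrying DB_USERNAME and DB_PASSWORD, and a values.yaml whose two MYSQL_ROOT_PASSWORD entries agree) are easy to get wrong by hand. The following helper is an added example, not part of the vapi project or its chart: one function renders the Secret manifest for `kubectl apply -f`, the other mechanically checks that every MYSQL_ROOT_PASSWORD in a values file carries the same value instead of relying on a line-number comparison by eye. It assumes the values file writes the password as plain `MYSQL_ROOT_PASSWORD: value` lines (optionally double-quoted); the sample values files in the usage comment are constructed.

```shell
#!/bin/sh
# Added helper (not vapi project code): render the `vapi` Secret the chart
# expects and verify MYSQL_ROOT_PASSWORD is consistent across a values file.

# Render a Kubernetes Secret manifest named "vapi" with the two keys the
# README lists, DB_USERNAME and DB_PASSWORD. Secret data must be base64;
# `tr -d '\n'` strips the wrapping some base64 implementations add.
# Usage: vapi_secret_manifest <username> <password> | kubectl apply -f -
vapi_secret_manifest() {
  user="$1"
  pass="$2"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: vapi\ntype: Opaque\ndata:\n  DB_USERNAME: %s\n  DB_PASSWORD: %s\n' \
    "$(printf '%s' "$user" | base64 | tr -d '\n')" \
    "$(printf '%s' "$pass" | base64 | tr -d '\n')"
}

# Return 0 when every MYSQL_ROOT_PASSWORD line in the given values file has
# the same value, 1 when the values differ or no such line exists.
# Assumption: the chart's values.yaml uses `MYSQL_ROOT_PASSWORD: value` lines.
# Usage: check_mysql_root_password ./vapi-chart/values.yaml || echo "mismatch"
check_mysql_root_password() {
  file="$1"
  distinct=$(grep -E '^[[:space:]]*MYSQL_ROOT_PASSWORD:' "$file" \
    | sed -E 's/^[[:space:]]*MYSQL_ROOT_PASSWORD:[[:space:]]*//; s/^"(.*)"$/\1/' \
    | sort -u | wc -l | tr -d ' ')
  [ "$distinct" -eq 1 ]
}
```

Run the check before `helm upgrade --install`; a non-zero exit means the MySQL container and the init job would be configured with different root passwords, which is exactly the failure the note above warns about.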

Presented At

OWASP 20th Anniversary

Blackhat Europe 2021 Arsenal

HITB Cyberweek 2021, Abu Dhabi, UAE

@Hack, Riyadh, KSA

Upcoming

APISecure.co

Mentions and References

[1] https://apisecurity.io/issue-132-experian-api-leak-breaches-digitalocean-geico-burp-plugins-vapi-lab/

[2] https://dsopas.github.io/MindAPI/references/

[3] https://dzone.com/articles/api-security-weekly-issue-132

[4] https://owasp.org/www-project-vulnerable-web-applications-directory/

[5] https://github.com/arainho/awesome-api-security

[6] https://portswigger.net/daily-swig/introducing-vapi-an-open-source-lab-environment-to-learn-about-api-security

[7] https://apisecurity.io/issue-169-insecure-api-wordpress-plugin-tesla-3rd-party-vulnerability-introducing-vapi/

Walkthroughs/Writeups/Videos

[1] https://cyc0rpion.medium.com/exploiting-owasp-top-10-api-vulnerabilities-fb9d4b1dd471 (vAPI 1.0 Writeup)

[2] https://www.youtube.com/watch?v=0F5opL_c5-4&list=PLT1Gj1RmR7vqHK60qS5bpNUeivz4yhmbS (Turkish Language) (vAPI 1.1 Walkthrough)

[3] https://medium.com/@jyotiagarwal3190/roottusk-vapi-writeup-341ec99879c (vAPI 1.1 Writeup)

Acknowledgements

  • The icon and banner use an image from Flaticon.