Introducing vAPI – an open source lab environment to learn about API security

4 months ago 29

Charlie Osborne 17 January 2022 at 11:55 UTC

Platform aims to educate security professionals on the challenges of securing modern web APIs

Introducing vAPI - an open source lab environment to learn about API security

A tool designed to mimic OWASP API Top 10 vulnerabilities and to allow their behavior to be observed has been released to the open source community.

vAPI, also known as the ‘Vulnerable Adversely Programmed Interface’, has been developed to be a vulnerability exercise and test platform to help users learn about API security.

Read more about the latest hacking tools

API security has become a critical area of security in recent years. APIs are now widely used to manage services and data transfers, and it only takes one broken endpoint to cause data breaches or enterprise network compromise.

Gartner has predicted that this year, API attacks will become the most common attack vector for enterprise web applications.

Vulnerable APIs

Developed by Tushar Kulkarni, a security engineer at Holm Security, vAPI is an open source PHP-based interface, available on GitHub, which can be operated as a self-hosted API through PHP, MySQL, and PostMan, or run as a Docker image.

While introducing the platform at Black Hat Europe 2021 Arsenal, Kulkarni said that vAPI could be useful to new penetration testers in acclimatizing them to how different API bugs are categorized, and for developers, the platform allows them to see examples of vulnerable code – as well as consider ways of mitigation.

RELATED OWASP reveals top 10 security threats facing API ecosystem

The platform’s technology stack is based on the Laravel PHP framework and MySQL. Postman collection and Environment are used to store API calls, although this is eventually due to migrate to an OpenAPI.

For testing, a manipulator-in-the-middle (MitM) proxy, such as Burp Suite or ZAP, can be used, although this is not considered strictly necessary by the developer.

“Some API vulnerabilities, [such as] credential stuffing, may require you to run as an intruder or a ZAP script to solve the challenge, hence these tools can be useful,” Kulkarni noted.


As API security rose in importance, the Open Web Application Security Project (OWASP) foundation developed its first OWASP API Security Top 10 list which documents the most common API-related causes for security incidents and events.

As of now, vAPI is based on the API categorizations used in the OWASP API Security Top 10.

OWASP’s 2019 list documents the following causes:

API1:2019 Broken Object Level Authorization: exposed endpoints that handle object identifiersAPI2:2019 Broken User Authentication: Failures to manage authentication correctlyAPI3:2019 Excessive Data Exposure: Includes object property exposuresAPI4:2019 Lack of Resources and Rate Limiting: No limits placed on resource sizes or numbers, potentially degrading performance and opening the way for brute-force attacksAPI5:2019 Broken Function Level Authorization: Poor management of access controlsAPI6:2019 Mass Assignment: Filter failures, allowing malicious object modificationAPI7:2019 Security Misconfiguration: Default configurations, errors, and permissive cross-origin resource sharingAPI8:2019 Injection: Including SQL, NoSQL, and command injection flawsAPI9:2019 Improper Assets ManagementAPI10:2019 Insufficient Logging and Monitoring

The platform is now public and freely available. The vAPI roadmap includes the creation of a dashboard to monitor user progress through the API challenges, and over the long term, Kulkarni would like to see the platform become an “open source playground” for users to submit their own API security challenges and scenarios.

YOU MIGHT ALSO LIKE OWASP toasts 20th anniversary with revised Top 10 for 2021

Read Entire Article