VulnAPI Training on VAmPI (Vulnerable REST API)
VulnAPI is a powerful tool that allows you to scan REST APIs for vulnerabilities and security risks. This training module will guide you through the process of using VulnAPI to scan your APIs for vulnerabilities and security risks.
VAmPI is a vulnerable REST API with OWASP Top 10 vulnerabilities. You can use VAmPI to practice scanning REST APIs for vulnerabilities and security risks using VulnAPI.
Prerequisites
Section titled “Prerequisites”Before you begin this training module, you need to have the following prerequisites:
Training Objectives
Section titled “Training Objectives”By the end of this training module, you will be able to:
- Scan a REST API for vulnerabilities and security risks using VulnAPI.
- Identify and remediate vulnerabilities and security risks in a REST API.
Training Steps
Section titled “Training Steps”Follow the steps below to complete this training module:
-
Start the VAmPI server by running the following command:
Terminal window docker run -e vulnerable=1 -p 5000:5000 erev0s/vampi -
Open a new terminal window and run the following command to make a discovery scan of the VAmPI API using VulnAPI:
Terminal window vulnapi scan discover http://localhost:5000 -
Review the scan results to identify OpenAPI Contract and additionnal service informations.
-
Download the OpenAPI Contract and save it to a file named
vampi-openapi.json. Edit the file, add a base url to the server and security scheme.The security should be added for the endpoint
PUT /users/v1/{username}/email,PUT /users/v1/{username}/passwordandDELETE /users/v1/{username}with thebearerAuthsecurity scheme.{"components": {"securitySchemes": {"bearerAuth": {"bearerFormat": "JWT","scheme": "bearer","type": "http"}}},"info": {"description": "OpenAPI v3 specs for VAmPI","title": "VAmPI","version": "0.1"},"openapi": "3.0.1","paths": {"/users/v1/{username}/email": {"put": {"description": "Update a single users email","operationId": "api_views.users.update_email","security": [{"bearerAuth": []}],..."servers": [{"url": "http://localhost:5000"}]} -
Run the following command to scan the VAmPI API using the OpenAPI Contract:
Terminal window vulnapi scan openapi vampi-openapi.json -
Review the scan results to identify vulnerabilities and security risks in the VAmPI API.