Signup/Sign In
APRIL 1, 2023

Setting up Vulnerable REST API Penetration Testing Lab

    VAmPI is a vulnerable API created with Flask (Python ) to demonstrate the top 10 vulnerabilities in APIs as outlined by OWASP Top 10 vulnerabilities. It allows you to test and evaluate the efficiency of security tools and can also be used for learning, testing skills and teaching purposes. The API includes an on/off switch to allow you to test in both a vulnerable and secure environment, reducing the risk of false positives and negatives. This article will guide you on how to set up a VAmPI virtual home-lab with and without Docker.

    Setup VAmPI on any operating system

    Before you can run VAmPI, you must install git and Python 3.6 or higher version. To verify Python and git installation, open a terminal and run the following command:

    git -v
    python --version

    Clone the github repository, using the following command:

    git clone https://github.com/erev0s/VAmPI.git && cd VAmPI

    Install required python libraries by using pip (Python package manager) as follows:

    pip3 install -r requirements

    Once the requirements have been installed, you can run the VAmPI application by running the following command:

    python app.py
     * Serving Flask app 'config'
     * Debug mode: on
    WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
     * Running on all addresses (0.0.0.0)
     * Running on http://127.0.0.1:5000
     * Running on http://172.17.0.4:5000
    Press CTRL+C to quit
     * Restarting with stat
     * Debugger is active!
     * Debugger PIN: 212-297-141
    

    You can now access the vulnerable API at the given address and port.

    Running VAmPI through Docker hub images

    VAmPI can also be run through Docker. You can either pull the VAmPI Docker image from Dockerhub or build it yourself. To build the image, run the following command:

    Make sure that you have already installed Docker in your system and it is accessible by the user you have logged in as. Also, port 5000 is not currently used by any other program.
    docker build -t vampi_docker:latest .

    Once the image has been built, you can run it by using the following command:

    docker run -d -p 5000:5000 vampi_docker:latest
    Docker Compose can also be used to run VAmPI. Docker Compose contains two instances, one instance with a secure configuration on port 5001 and another with an insecure configuration on port 5002. To run VAmPI through Docker Compose, run the following command:
    docker-compose up -d

    Customizing Token Timeout and Vulnerable Environment

    You can customize the token timeout and vulnerable environment by altering the alive and vuln variables defined in the app.py file. The alive variable is measured in seconds, so if you set it to 100, the token will expire after 100 seconds. The vuln variable is a boolean, where 1 means the application is vulnerable and 0 means the application is not vulnerable.

    If you are running VAmPI through Docker, you can pass environment variables to the docker run command or edit the Dockerfile and rebuild the image. The following is an example of how to pass environment variables to the docker run command:

    docker run -d -e vulnerable=0 -e tokentimetolive=300 -p 5000:5000 vampi_docker:latest

    This allows you to start a second container with vulnerable=1 on a different port and easily switch between the two.

    In the Dockerfile, you will find two environment variables being set, ENV vulnerable=1 and ENV tokentimetolive=30. You can edit these variables and rebuild the image to customize the token timeout and vulnerable environment.

    Conclusion

    Setting up a VAmPI home-lab is an excellent way to learn and practice API security. VAmPI is a vulnerable API created using Flask that includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs, making it a great tool for evaluating the efficiency of security tools used to detect issues in APIs. The application can be run using python3 app.py, Docker, or Docker Compose, and can be customized by altering the timeout of the token created after login or by changing the environment to be vulnerable or not. This allows users to tailor their learning experience to their specific needs and goals.

    Pradeep has expertise in Linux, Go, Nginx, Apache, CyberSecurity, AppSec and various other technical areas. He has contributed to numerous publications and websites, providing his readers with insightful and informative content.
    IF YOU LIKE IT, THEN SHARE IT
    Advertisement

    RELATED POSTS