This repository contains an example Python API that is vulnerable to several different web API attacks.
We will be using docker images and containers to install all the api.
- Download the latest version of docker toolbox
- Go through installation steps
- Start up Kitematic .
- In the search box type
mkam/vulnerable-api-demo
and click create . - On right side you will see an IP:PORT access url .
- Copy it and paste into browser to navigate to the api .
- Jump to Install Burp Proxy
YOU WILL NEED ADMIN RIGHTS TO INSTALL
- Download the latest version of docker toolbox
- Go through installation steps
- Start up Kitematic .
- In the search box type
mkam/vulnerable-api-demo
and click create . - On right side you will see an IP:PORT access url .
- Copy it and paste into browser to navigate to the api .
- Jump to Install Burp Proxy
- Install docker engine and docker client on docker website
- Run
docker run -tid -p 8081:8081 --name api mkam/vulnerable-api-demo
- You can now test your api
curl localhost:8081 -v
- Install java from oracle website if you don't have it already
- Download jar file from burp website
- Run java -jar burpsuite_free_v1.6.32.jar
The example API can be accessed on the system at port 8081.
vAPI is an API written specifically to illustrate common API vulnerabilities.
vAPI is implemented using the Bottle Python Framework and consists of a user database and a token database.
- Request token from /tokens
- Returns an auth token
- Returns expiration date of auth token
- Returns a user id
- Request user record from /user/<user_id>
- Requires the auth token
- Returns the user record for the user specfied, provided the auth token is not expired and is valid for the user id specified
- Each user can only access their own record
Included with install
Username | Password |
---|---|
user{1-9} | pass{1-9} |
admin1 | pass1 |
SYSTEM_IP:8081
Request an Auth Token for a user
- Accept: application/json
- Content-Type: application/json or application/xml
- username (string) - Name of user requesting token
- password (string) – Password of user requesting a token
- token
- expires (string) – The Auth Token expiration date/time
- token - id (string) – Auth Token
- user - id (string) – Unique user ID
- name (string) – Username
- 200 OK - Request completed successfullyi
POST /tokens HTTP/1.1
Accept: application/json
Content-Length: 36
Content-Type: application/json
Host: 192.168.13.37:8081
{"auth":
{"passwordCredentials":
{"username": "USER_NAME",
"password":"PASSWORD"}
}
}
or
POST /tokens HTTP/1.1
Accept: */*
Content-Length: 170
Content-Type: application/xml
Host: 192.168.13.37:8081
<?xml version="1.0" encoding="UTF-8"?>
<auth>
<passwordCredentials>
<username>user1</username>
<password>pass1</password>
</passwordCredentials>
</auth>
HTTP/1.0 200 OK
Date: Tue, 07 Jul 2015 15:34:01 GMT
Server: WSGIServer/0.1 Python/2.7.6
Content-Type: text/html; charset=UTF-8
{
"access":
{
"token":
{
"expires": "Tue Jul 7 15:39:01 2015",
"id": "AUTH_TOKEN"
},
"user":
{
"id": 10,
"name": "USER_NAME"
}
}
}
Retrieve the user's entry in the user database
- Accept: application/json
- Content-Type: application/json
- X-Auth-Token: <TOKEN_ID> (from /tokens POST)
- None
- User
- id (string) – Unique user ID
- name (string) – Username
- password (string) – Password
- 200 OK - Request completed successfully
GET /user/1 HTTP/1.1
Host: 192.168.13.37:8081
X-Auth-Token: AUTH_TOKEN
Content-type: application/json
Accept: text/plain
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 0
HTTP/1.0 200 OK
Date: Mon, 06 Jul 2015 22:08:56 GMT
Server: WSGIServer/0.1 Python/2.7.9
Content-Length: 73
Content-Type: application/json
{
"response":
{
"user":
{
"password": "PASSWORD",
"id": USER_ID,
"name": "USER_NAME"
}
}
}
Creates an user with the given username and password. 2 Conditions:
- User cannot already exist
- Username has to meet strict naming guidlines. The username must be matched by this regular expression:
([a-z]+)*[0-9]
. This means that a username has to start with a lowercase letter and end with numbers. So, usernames that look like "user1" or "abc123" will be accepted, but usernames that look like "USER1" or "1user" will not be accepted.
- X-Auth-Token - Valid token for the admin user
- User
- name (string) – Username that matches above conditions
- password (string) – Password
- response
- user
- username - the name of the succesfully created user
- password - the password of the successfully created user
- 200 OK - Request completed successfullyi
POST /user HTTP/1.1
User-Agent: curl/7.35.0
Host: 127.0.0.1:8081
Accept: */*
x-auth-token: ADMIN TOKEN
Content-type: application/json
Content-Length: 54
{"user":
{"username": "USERNAME",
"password": "PASSWORD"}
}
HTTP/1.0 200 OK
Date: Mon, 06 Jul 2015 22:08:56 GMT
Server: WSGIServer/0.1 Python/2.7.9
Content-Length: 68
Content-Type: application/json
{
"response":
{
"user":
{
"password": "PASSWORD",
"name": "USER_NAME"
}
}
}
Returns the server uptime, and now supports pretty formatting just by passing in command line flags. Super useful for system administrators!
- None
- Response
- Command (string) - The system call you made
- Output (string) - uptime
- 200 OK - Request completed successfully
GET /uptime/s HTTP/1.1
Host: 192.168.13.37:8081
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 0
HTTP/1.0 200 OK
Date: Wed, 17 Feb 2016 22:44:27 GMT
Server: WSGIServer/0.1 Python/2.7.6
Content-Length: 90
Content-Type: text/html; charset=UTF-8
{
"response": {
"Command": "uptime -s",
"Output": "2016-02-17 09:42:44\n"
}
}
Vulnerability Categories Include:
- Transport Layer Security
- User enumeration
- Information exposure through server headers
- Authentication bypass
- User input validation
- SQL injection
- Error handling
- Session management
- Encryption
- AuthN bypass
- Command Injection
- Regex DDoS