erev0s / vampi Goto Github PK
View Code? Open in Web Editor NEWVulnerable REST API with OWASP top 10 vulnerabilities for security testing
License: MIT License
Vulnerable REST API with OWASP top 10 vulnerabilities for security testing
License: MIT License
Hello,
some operations in the OpenAPI specification does not provide a response schema, e.g., in the GET /users/v1
operation the response schema for the 200
status code is empty ({}
), but it should be an array of user objects.
Could you please update the specification with the response schemas?
First of all, man, your work is awesome!
I'm using it to teach my students how to make web more secured.
I want to advise some ides, what can be used in continuation of your fantastic project:
What about adding some kind of RCE and docker container hardening?
For example, your awesome app can started as container inside VM in 4 variants:
According to this:
https://github.com/OWASP/Docker-Security
https://github.com/OWASP/Docker-Security/blob/main/dist/owasp-docker-security.pdf
https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
The usename parameter requires a string type value, but when characters containing special characters are passed in, a response with a 500 response code is received
/user/v1/{username}
GET
How to get bearer token
Hello,
Firstly, thank you for this very pleasant project!
I've encountered an ambiguity multiple times during my tests on the /users/v1/register endpoint. When using the image from Docker Hub, I don't get the same result when attempting to promote myself to admin on the API. Specifically, I am unable to perform this privilege escalation from the container linked to the image on Docker Hub, but only through the one I manually build via the project's Dockerfile.
Here are the data I'm sending to the API:
jsonCopy code
{ "username": "test2", "password": "test", "email": "[email protected]", "admin": "True" }
I want to mention that I also tested with "admin": true.
Here are my tests in more detail with Postman:
Test using the project's Dockerfile
Test using the image stored on Docker Hub
Is this an issue with the image not being updated on Docker Hub? (Last release: 4 months ago: Docker Hub Link)
I am available if you need more information.
Best regards,
Archidote
Hello,
the admin parameter of the user is store as boolean in the system, but in register_user is it treated like a string. Typically, mass assignment vulnerabilities are present because a REST API framework directly maps an HTTP parameter to an attribute in the system. To make the example closer to reality, try to mimic this behavior by accepting a boolean parameter rather than a string.
Following the default requirements.txt causes error when run the docker image
Traceback (most recent call last):
File "app.py", line 1, in <module>
from config import vuln_app
File "/vampi/config.py", line 2, in <module>
import connexion
File "/usr/local/lib/python3.7/site-packages/connexion/__init__.py", line 5, in <module>
from .apis import AbstractAPI # NOQA
File "/usr/local/lib/python3.7/site-packages/connexion/apis/__init__.py", line 1, in <module>
from .abstract import AbstractAPI # NOQA
File "/usr/local/lib/python3.7/site-packages/connexion/apis/abstract.py", line 16, in <module>
from ..spec import Specification
File "/usr/local/lib/python3.7/site-packages/connexion/spec.py", line 5, in <module>
import jinja2
File "/usr/local/lib/python3.7/site-packages/jinja2/__init__.py", line 12, in <module>
from .environment import Environment
File "/usr/local/lib/python3.7/site-packages/jinja2/environment.py", line 25, in <module>
from .defaults import BLOCK_END_STRING
File "/usr/local/lib/python3.7/site-packages/jinja2/defaults.py", line 3, in <module>
from .filters import FILTERS as DEFAULT_FILTERS # noqa: F401
File "/usr/local/lib/python3.7/site-packages/jinja2/filters.py", line 13, in <module>
from markupsafe import soft_unicode
ImportError: cannot import name 'soft_unicode' from 'markupsafe' (/usr/local/lib/python3.7/site-packages/markupsafe/__init__.py)
Add version requirements on markupsafe==2.0.2
package solves the issue, but I haven't checked if the docker can function normally.
The get_user method in the models/user_model.py
return the _ repr _ format when vulnerable=0
.
$ curl "http://localhost:5000/users/v1/name1"
<User(name=name1, [email protected])>
This not happen when the vulnerable environment is True, because in that scenario the response is a formatted string, meanwhile in this one it returns the first user object found:
78 else:
79 fin_query = User.query.filter_by(username=username).first()
We can take advance of the json class method to return the user data:
else:
user = User.query.filter_by(username=username).first()
fin_query = user.json() if user else None
return fin_query
Note: Calling .json() of a NoneType object could raise an error, so we must check if exists first.
But the .json() class method encloses the value in single quotes. That's not the standard json syntax we are looking for. A better solution could be like this:
else:
user = User.query.filter_by(username=username).first()
fin_query = str(User.json(user)).replace("'",'"') if user else None
return fin_query
$ curl "http://localhost:5000/users/v1/name1" # not vuln
{"username": "name1", "email": "[email protected]"}
$ curl "http://localhost:5001/users/v1/name1" # vuln
{"username": "name1", "email": "[email protected]"}
Api is responsing with only one object, not a list.
Love this project! Thank you.
Opening an issue to use w/ a PR I'm about to submit.
To make it even easier and more powerful to use as a teaching tool, it is handy to run one instance of VAmPI securely (vulnerable=0) and another insecure instance running in parallel on a different port (vulnerable=1). Your use of ENV within the Dockerfile makes this dead simple and adjustments to the README are all that is needed.
Also ran into a conflict w/ port 5000 on Mac OSX, so put in a note about two ways to resolve that.
Linux version: Ubuntu 22.04.1
Summary: flask-sqlalchemy version when installing requirements.txt is incompatible and raises error shown below:
AttributeError: module 'sqlalchemy' has no attribute 'all'. Did you mean: 'file'?
Following updated requirements.txt solves this error:
connexion~=2.7.0
flask~=2.2
flask-sqlalchemy>=3.0.2
jsonschema~=3.2.0
sqlalchemy
swagger-ui-bundle
PyJWT~=1.7.1
markupsafe==2.1.1
Hi,
I have seen your readme but i feel we should have some ref table showing which exploit top 10 category is present in which endpoint. Because i mapped one specific endpoint to available vulnerabilities but then same vulnerability my colleague mapped to another and we don't have any clarity which one is a valid endpoint to test those vulnerabilities.
Also having proper solution will be great. Let me know if need any help !
Thanks,
Janibasha
Hi,
I can see doc says this demo app supports multiple attacks but i don't see attack payloads. So can you please share them so i can also test these attacks.
Thanks,
Jani
Hello!
Is there API endpoint like http://127.0.0.1:5000/v3/api-docs for get API definition document?
It will be suitable for OWASP ZAP test automation with your instance for example.
Thank you!
I'm running a relatively stock, updated Ubuntu 20.04 box and I'm hitting a docker build issue. One of the python dependencies pulls in a package called greenlet
, which is compiling against the python development headers and using the g++ compile.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.