Now Reading
Introducing vAPI, an open-source environment for API security education

Introducing vAPI, an open-source environment for API security education

Introducing vAPI - an open source lab environment to learn about API security

Platform educates security professionals about the challenges of protecting modern web APIs

Introducing vAPI - an open source lab environment to learn about API security

Open source software has been released that mimics the OWASP API Top 10 vulnerabilities and allows their behavior to be observed.

vAPI, also known by the Vulnerable Adversely Programmed Interface (VAPI), was created to provide a platform for vulnerability testing and to help users understand API security.

Find out more about the latest hacking tools

In recent years, API security has been a crucial area of security. APIs are used extensively to manage services and data transfer. One broken endpoint can cause data breaches and compromise of an enterprise network.

Gartner predictedAPI attacks will be the most prevalent attack vector for enterprise web apps in this year.

Vulnerable APIs

Developed by Tushar KulkarniHolm Security security engineer, vAPI is an open-source PHP-based interface that is available to him. On GitHubIt can be used as a self-hosted PHP, MySQL, or PostMan API, or as a Docker Image.

Kulkarni introduced the platform to Black Hat Europe 2021 Arsenal. He said that vAPI could prove useful for new penetration testers in acclimatizing to how different API bugs were categorized. Developers can also use the platform to see examples and to consider mitigation.

RELATEDOWASP reveals the top ten security threats facing the API ecosystem

The platforms technology stack is built on the Laravel PHP framework, MySQL and MySQL. Postman collection and Environment are used for API calls storage. However, this will eventually be replaced by an OpenAPI.

For testing, a manipulator-in-the-middle (MitM) proxy, such as Burp Suite or ZAP, can be used, although this is not considered strictly necessary by the developer.

Some API vulnerabilities, [such as]Credential stuffing can require you to run as an intrusion or a ZAPScript to solve the challenge. Kulkarni noted that these tools are useful.


As API security became more important, the Open Web Application Security Project foundation created the first OWASP API Security Top 10 listing. This lists documents the most common API security incidents and events.

vAPI is based upon the API categorizations in the OWASP API Security Top 10

OWASPs 2019 listThese causes are documented:

  • API1:2019Broken Object Level Authorization: Endpoints that handle object identifications are exposed
  • API2:2019Broken User Authentication: Inability to properly manage authentication
  • API3:2019Excessive Data Exposure: This includes object property exposures
  • API4:2019Rate Limiting and Failure to Resources: No restrictions placed on the size or number of resources. This could potentially degrade performance and allow for brute force attacks.
  • API5:2019Broken Function Level Authorization: Poor Management of Access Controls
  • API6:2019Mass Assignment: Filter failures that allow malicious object modification
  • API7:2019Security Misconfiguration: Errors, default configurations, and permissive cross origin resource sharing
  • API8:2019Injection: SQL, NoSQL and command injection flaws
  • API9:2019Improper Asset Management
  • API10:2019Insufficient monitoring and logging

The platform is now publicly available and free to all. Kulkarni envisions the vAPI roadmap as a dashboard that tracks user progress through the API challenges. In the long-term, Kulkarni wants the platform to be an open source playground for users who want to submit their own API security challenges or scenarios.

YOU MAY ALSO LIKEOWASP celebrates 20th Anniversary with a revised Top 10 list for 2021

View Comments (0)

Leave a Reply

Your email address will not be published.