The open source community has gained a tool that reproduces the OWASP API Security Top 10 vulnerabilities and lets users observe how they behave. The vAPI exercise and test platform, short for ‘Vulnerable Adversely Programmed Interface’, is designed to help users learn about API security.
API security has become a key area of concern in recent years. APIs are increasingly used to expose services and move data between systems, and a single vulnerable endpoint can lead to a data breach or a network intrusion at a business.
According to Gartner, API attacks are expected to become the most common attack vector for enterprise web applications this year.
vAPI is an open source, PHP-based API developed by Tushar Kulkarni, a security engineer at Holm Security. It can be self-hosted using PHP, MySQL, and Postman, or run as a Docker image.
Introducing the platform at Black Hat Europe 2021 Arsenal, Kulkarni said that vAPI could help new penetration testers become acclimatised to how different API bugs are classified. It could also be useful to developers, he said, because the platform lets them see examples of vulnerable code and consider potential mitigations.
The platform is built on the Laravel PHP framework and MySQL. API calls are currently stored in a Postman collection and environment, although this is eventually going to be migrated to an OpenAPI specification.
An intercepting manipulator-in-the-middle (MitM) proxy, such as Burp Suite or ZAP, can be used for testing, though the developer does not consider one strictly necessary.
“Some API vulnerabilities, such as credential stuffing,” Kulkarni explained, “may require you to execute as an Intruder or a ZAP script to answer the problem, thus these tools can be handy.”
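To illustrate why a credential-stuffing exercise needs automation rather than a single hand-crafted request, and what the corresponding mitigation looks like, the following is an added example written for this page. It is not vAPI's code and not from Kulkarni: it is a self-contained Python simulation of a login endpoint, with a constructed user table and a constructed leaked-credential list, replayed by a small loop standing in for the Intruder or ZAP script mentioned above. The same endpoint is run once without any rate limit and once with a per-client sliding-window limit; the limit value, the window, the IP address and all credentials are invented for the demo.

```python
"""Constructed demo: credential stuffing against a mock login API,
with and without a per-client rate limit. Not vAPI's own code."""
import hashlib
import hmac
from collections import Counter, defaultdict

DEMO_SALT = "demo-salt"  # assumption: one static salt is enough for a toy


def _hash(password: str) -> str:
    """Hash a password the way the mock user store does (toy scheme)."""
    return hashlib.sha256((DEMO_SALT + password).encode()).hexdigest()


# Constructed user table: username -> password hash (all values invented).
USERS = {
    "alice": _hash("Winter2021!"),
    "bob": _hash("correcthorse"),
    "carol": _hash("P@ssw0rd"),
}

# Constructed "leaked" credential pairs, as a stuffing list would contain:
# mostly misses, a user that does not exist, and three real matches.
LEAKED = [
    ("alice", "123456"),
    ("bob", "letmein"),
    ("carol", "hunter2"),
    ("dave", "P@ssw0rd"),       # unknown user: must look identical to a bad password
    ("alice", "Winter2021!"),   # valid
    ("bob", "correcthorse"),    # valid
    ("carol", "qwerty"),
    ("carol", "P@ssw0rd"),      # valid
]


class LoginAPI:
    """Mock /login endpoint. max_attempts=None means no rate limiting at all."""

    def __init__(self, max_attempts=None, window_s: float = 60.0):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self._attempts = defaultdict(list)  # client -> timestamps of recent attempts

    def login(self, username: str, password: str, client: str, now: float) -> int:
        """Return an HTTP-style status: 200 ok, 401 bad credentials, 429 throttled."""
        if self.max_attempts is not None:
            recent = [t for t in self._attempts[client] if now - t < self.window_s]
            if len(recent) >= self.max_attempts:
                self._attempts[client] = recent
                return 429          # throttled before the password is even checked
            recent.append(now)
            self._attempts[client] = recent
        stored = USERS.get(username)
        # Same response for unknown user and wrong password: no user enumeration.
        if stored is None or not hmac.compare_digest(stored, _hash(password)):
            return 401
        return 200


def stuff(api: LoginAPI, creds, client: str = "203.0.113.7",
          start: float = 0.0, delay: float = 0.01):
    """Replay a credential list against the API (what Intruder/a ZAP script automates).
    Returns (status counter, list of credential pairs that logged in)."""
    statuses = Counter()
    found = []
    for i, (user, pw) in enumerate(creds):
        code = api.login(user, pw, client, start + i * delay)
        statuses[code] += 1
        if code == 200:
            found.append((user, pw))
    return statuses, found


if __name__ == "__main__":
    open_stats, open_found = stuff(LoginAPI(max_attempts=None), LEAKED)
    limited_stats, limited_found = stuff(LoginAPI(max_attempts=5), LEAKED)
    print("no rate limit :", dict(open_stats), "compromised:", open_found)
    print("5/min per IP  :", dict(limited_stats), "compromised:", limited_found)
```

Without a limit every pair in the list is checked and all three valid accounts fall out of the run; with the five-attempt window the endpoint starts answering 429 before the password check, so only the match that happened to sit early in the list succeeds. The caveat a tester should keep in mind is that this limit is keyed on the client address, so an attacker rotating source IPs, or spreading attempts below the threshold, will still get through; per-account lockout or step-up challenges are the complementary controls, and the exercise is only "solved" when the tester has shown which of these the endpoint actually lacks.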