Airzero Sec

We Do Not Give Up ! Trust US !

Introducing vAPI – An Open-Source Lab Environment to Learn About API Security

- Posted in Ethical Hacking by

A tool for simulating OWASP API Top 10 vulnerabilities and observing their behavior has been released to the open-source community.

The vAPI, or 'Vulnerable Adversely Programmed Interface,' is a vulnerability exercise and test platform designed to help users learn about API security.

API security has emerged as a critical area of concern in recent years. APIs are now widely used to manage services and data transfers, and a single broken endpoint can result in data breaches or enterprise network compromises.

According to Gartner, API attacks will become the most common attack vector for enterprise web applications this year.

Vulnerable APIs

vAPI is an open-source PHP-based interface developed by Tushar Kulkarni, a security engineer at Holm Security, and is available on GitHub. It can be used as a self-hosted API via PHP, MySQL, and PostMan, or as a Docker image. Kulkarni stated during the platform's introduction at Black Hat Europe 2021 Arsenal that vAPI could be useful to new penetration testers in acclimating them to how different API bugs are classified, as well as for developers, as the platform allows them to see examples of vulnerable code – as well as consider potential mitigations.

The Laravel PHP framework and MySQL are at the heart of the platform's technology stack. Although Postman collection and Environment are used to store API calls, this will eventually change due to migration to an OpenAPI. A manipulator-in-the-middle (MitM) proxy, such as Burp Suite or ZAP, can be used for testing, though the developer does not consider it strictly necessary. "Some API vulnerabilities, such as credential stuffing, may require you to run as an intruder or a ZAP script to solve the challenge," Kulkarni explained.


In 2019, the Open Web Application Security Project (OWASP) Foundation published its first API Security Top 10 list, which documents the most common API-related causes of security incidents, reflecting the growing importance of API security.

vAPI is currently based on the API categorizations found in the OWASP API Security Top 10.

The following causes are documented in OWASP's 2019 list:

  • API1:2019 Faulty Object Level Authorization: exposed endpoints handling object identifiers
  • API2:2019 Faulty User Authentication: failures to manage authentication correctly
  • API3:2019 Excessive Data Exposure: Object property exposures are included.
  • API4:2019 Lack of Resources and Rate Limiting: There are no limits on resource sizes or numbers, potentially degrading performance and allowing brute-force attacks.
  • API5:2019 Failed Function Level Authorization: Inadequate Access Control Management
  • API6:2019 Mass Assignment: Filter failures that enable malicious object modification
  • API7:2019 Security Misconfiguration: Default configurations, errors, and cross-origin resource sharing permissive
  • Injection flaws in API8:2019 include SQL, NoSQL, and command injection flaws.
  • API9:2019 Inadequate Asset Management
  • API10:2019: Inadequate Logging and Monitoring

The platform is now open to the public and free to use. The vAPI roadmap includes the development of a dashboard to track user progress through the API challenges, and Kulkarni hopes that in the long run, the platform will become an "open-source playground" for users to submit their own API security challenges and scenarios. If you have any doubts about the aforementioned topic, please contact us. Please do not hesitate to get in touch with us. Your digital partner will be Airzero sec.

Email:[email protected]

enter image description here Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: