Platform aims to educate security professionals on the challenges of securing modern web APIs

Introducing vAPI - an open source lab environment to learn about API security

A tool designed to mimic OWASP API Top 10 vulnerabilities and to allow their behavior to be observed has been released to the open source community.

vAPI, also known as the ‘Vulnerable Adversely Programmed Interface’, is a vulnerability exercise and test platform designed to help users learn about API security.

Read more about the latest hacking tools

API security has become a critical area of security in recent years. APIs are now widely used to manage services and data transfers, and it only takes one broken endpoint to cause data breaches or enterprise network compromises.

Gartner has predicted that this year, API attacks will become the most common attack vector for enterprise web applications.

Vulnerable APIs

Developed by Tushar Kulkarni, a security engineer at Holm Security, vAPI is an open source PHP-based interface, available on GitHub, which can be operated as a self-hosted API through PHP, MySQL, and PostMan, or run as a Docker image.

While introducing the platform at Black Hat Europe 2021 Arsenal, Kulkarni said that vAPI could be useful to new penetration testers in acclimatizing them to how different API bugs are categorized, and for developers, as the platform allows them to see examples of vulnerable code – as well as consider potential mitigations.

RELATED OWASP reveals top 10 security threats facing API ecosystem

The platform’s technology stack is based on the Laravel PHP framework and MySQL. Postman collection and Environment are used to store API calls, although this is eventually due to migrate to an OpenAPI.

For testing, a manipulator-in-the-middle (MitM) proxy, such as Burp Suite or ZAP, can be used, although this is not considered strictly necessary by the developer.

“Some API vulnerabilities, [such as] credential stuffing, may require you to run as an intruder or a ZAP script to solve the challenge, hence these tools can be useful,” Kulkarni noted.


Reflecting the rising importance of API security, the Open Web Application Security Project (OWASP) foundation developed its first API Security Top 10 list, which documents the most common API-related causes for security incidents, in 2019.

As of now, vAPI is based on the API categorizations used in the OWASP API Security Top 10.

OWASP’s 2019 list documents the following causes:

  • API1:2019 Broken Object Level Authorization: exposed endpoints that handle object identifiers
  • API2:2019 Broken User Authentication: Failures to manage authentication correctly
  • API3:2019 Excessive Data Exposure: Includes object property exposures
  • API4:2019 Lack of Resources and Rate Limiting: No limits placed on resource sizes or numbers, potentially degrading performance and opening the way for brute-force attacks
  • API5:2019 Broken Function Level Authorization: Poor management of access controls
  • API6:2019 Mass Assignment: Filter failures, allowing malicious object modification
  • API7:2019 Security Misconfiguration: Default configurations, errors, and permissive cross-origin resource sharing
  • API8:2019 Injection: Including SQL, NoSQL, and command injection flaws
  • API9:2019 Improper Assets Management
  • API10:2019 Insufficient Logging and Monitoring

The platform is now public and freely available. The vAPI roadmap includes the creation of a dashboard to monitor user progress through the API challenges, and over the long term, Kulkarni would like to see the platform become an “open source playground” for users to submit their own API security challenges and scenarios.

YOU MIGHT ALSO LIKE OWASP toasts 20th anniversary with revised Top 10 for 2021