Skip to content

danielserbu/VAmPISecurityTests

Repository files navigation

VAmPISecurityTests

VAmPISecurityTests with python and pytest

Description:

PyTest program to test VAmPI https://github.com/erev0s/VAmPI vulnerable REST API with OWASP top 10 vulnerabilities

This is still in development and will be updated with time.

Currently tests for:

  1. SQL Injection https://erev0s.com/blog/vampi-vulnerable-api-security-testing/#sql-injection
  2. Unauthorized password change https://erev0s.com/blog/vampi-vulnerable-api-security-testing/#unauthorized-password-change
  3. Mass Assignment https://erev0s.com/blog/vampi-vulnerable-api-security-testing/#mass-assignment
  4. Excessive data exposure https://erev0s.com/blog/vampi-vulnerable-api-security-testing/#excessive-data-exposure
  5. User and Password Enumeration https://erev0s.com/blog/vampi-vulnerable-api-security-testing/#user-and-password-enumeration
  6. Rate Limiting https://erev0s.com/blog/vampi-vulnerable-api-security-testing/#lack-of-resources-amp-rate-limiting

Currently undone tests:

  1. RegexDOS (Denial of service) https://erev0s.com/blog/vampi-vulnerable-api-security-testing/#regexdos-denial-of-service
  2. Broken Object Level Authorization https://erev0s.com/blog/vampi-vulnerable-api-security-testing/#broken-object-level-authorization

Prerequisites

  1. pip3 install -U pytest
  2. Clone VAmPI
  3. Do run inside the VAmPI folder "docker build -t vampi_docker:latest ." as per instructions
  4. Do run inside the VAmPI folder "docker compose up -d"
  5. This will start VAmPI on port 5002 as vulnerable and on port 5001 as secure.
  6. Now do change port variable from inside test_VAmPISecurityTests.py file as wished in order to experiment.

Run with: "pytest test_VAmPISecurityTests.py --verbose -s"

Demo Vulnerable Gif

Notes: It is normal for all tests to fail.

Demo Secure Gif

Notes: Rate limiting and excessive data exposure seem not to be secure in this case also.

Releases

No releases published

Packages

No packages published

Languages