vAPI - Vulnerable Adversely Programmed Interface Which Is Self-Hostable API That Mimics OWASP API Top 10 Scenarios Through Exercises

vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios in the means of Exercises.


  • PHP
  • MySQL
  • PostMan
  • MITM Proxy

Installation (Docker)

docker-compose up -d

Installation (Manual)

Copying the Code

cd <your-hosting-directory>
git clone https://github.com/roottusk/vapi.git

Setting up the Database

Import vapi.sql into MySQL Database

Configure the DB Credentials in the vapi/.env

Starting MySQL service

Run following command (Linux)

service mysqld start

Starting Laravel Server

Go to vapi directory and Run

php artisan serve

Setting Up Postman

  • Import vAPI.postman_collection.json in Postman
  • Import vAPI_ENV.postman_environment.json in Postman


Use Public Workspace



Browse http://localhost/vapi/ for Documentation

After Sending requests, refer to the Postman Tests or Environment for Generated Tokens


Helm can be used to deploy to a Kubernetes namespace. The chart is in the vapi-chart folder. The chart requires one secret named vapi with the following values:

username to use>">
DB_PASSWORD: <database password to use>DB_USERNAME: <database username to use>

Sample Helm Install Command: helm upgrade --install vapi ./vapi-chart --values=./vapi-chart/values.yaml

*** Important ***

The MYSQL_ROOT_PASSWORD on line 232 in the values.yaml must match that on line 184 in order to work.

Presented At

OWASP 20th Anniversary

Blackhat Europe 2021 Arsenal

HITB Cyberweek 2021, Abu Dhabi, UAE

@Hack, Riyadh, KSA



Mentions and References

[1] https://apisecurity.io/issue-132-experian-api-leak-breaches-digitalocean-geico-burp-plugins-vapi-lab/

[2] https://dsopas.github.io/MindAPI/references/

[3] https://dzone.com/articles/api-security-weekly-issue-132

[4] https://owasp.org/www-project-vulnerable-web-applications-directory/

[5] https://github.com/arainho/awesome-api-security

[6] https://portswigger.net/daily-swig/introducing-vapi-an-open-source-lab-environment-to-learn-about-api-security

[7] https://apisecurity.io/issue-169-insecure-api-wordpress-plugin-tesla-3rd-party-vulnerability-introducing-vapi/


[1] https://cyc0rpion.medium.com/exploiting-owasp-top-10-api-vulnerabilities-fb9d4b1dd471 (vAPI 1.0 Writeup)

[2] https://www.youtube.com/watch?v=0F5opL_c5-4&list=PLT1Gj1RmR7vqHK60qS5bpNUeivz4yhmbS (Turkish Language) (vAPI 1.1 Walkthrough)

[3] https://medium.com/@jyotiagarwal3190/roottusk-vapi-writeup-341ec99879c (vAPI 1.1 Writeup)


  • The icon and banner uses image from Flaticon

Disqus Comments