
How to do API Pentesting using ZAP and Postman

Hi everyone, nowadays APIs are used everywhere, whether REST or GraphQL, and they have their own OWASP API Top 10. So in this post we are going to focus on API pentesting.
Some platforms expose a raw API, which can be tested with tools like Postman; others integrate the API into a front end.

What is VamPI?

VAmPI is a vulnerable API built with Flask that includes vulnerabilities from the OWASP API Security Top 10. It has an on/off switch that makes the API vulnerable or not while testing, and it ships with a collection you can import into Postman. Let’s see how to install it.

git clone https://github.com/erev0s/VAmPI.git
cd VAmPI
sudo pip3 install -r requirements.txt
python3 app.py

Check the IP of the system and open it in the browser along with port number 5000.

As we know, an API doesn’t have an interface, so many people ask how we are going to test it. The solution is simple: create a request collection in Postman, then configure Postman to use a proxy such as OWASP ZAP or Burp Suite to test it.

In VAmPI, they already provide a collection. What do we need to do? Simply import the collection located in the openapi_specs directory of the VAmPI folder. Replace the URL and save the file with the .json extension, or use a URL variable.

Send requests from Postman and start testing; follow the YouTube videos given below to install VAmPI and solve the OWASP API Top 10 challenges.
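Before sending requests, it helps to point the spec at the lab host and turn it into a checklist of endpoints, noting which ones declare no authentication at all. The script below is an added example, not VAmPI’s code; the spec fragment is constructed for illustration and the 192.168.1.20 address is a placeholder for your lab IP.

```python
import json
from typing import Dict, List

# Constructed OpenAPI 3 fragment shaped like an exported lab spec; it is an
# assumption for this example, not VAmPI's real openapi_specs file.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "servers": [{"url": "http://localhost:5000"}],
  "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
  "paths": {
    "/items/v1": {
      "get": {"summary": "List items"},
      "post": {"summary": "Create item", "security": [{"bearerAuth": []}]}
    },
    "/items/v1/{item_id}": {
      "get": {"summary": "Get one item", "security": [{"bearerAuth": []}]},
      "delete": {"summary": "Delete item"}
    }
  }
}
""")

HTTP_METHODS = ("get", "post", "put", "patch", "delete", "options", "head")


def set_server_url(spec: Dict, url: str) -> Dict:
    """Point every server entry at the lab host so Postman/ZAP hit the right box."""
    spec["servers"] = [{"url": url}]
    return spec


def list_endpoints(spec: Dict) -> List[Dict]:
    """Flatten paths into (method, path, auth) rows for the test checklist."""
    global_sec = spec.get("security", [])
    rows = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method not in HTTP_METHODS:
                continue
            # Operation-level 'security' overrides the document-level default.
            sec = op.get("security", global_sec)
            rows.append({"method": method.upper(), "path": path, "auth": bool(sec)})
    return rows


def unauthenticated_state_changers(spec: Dict) -> List[str]:
    """State-changing operations with no security requirement: review these first."""
    return [f"{r['method']} {r['path']}" for r in list_endpoints(spec)
            if r["method"] in ("POST", "PUT", "PATCH", "DELETE") and not r["auth"]]


if __name__ == "__main__":
    set_server_url(SAMPLE_SPEC, "http://192.168.1.20:5000")  # placeholder lab IP
    for row in list_endpoints(SAMPLE_SPEC):
        print(f"{row['method']:7}{row['path']:25}auth={row['auth']}")
    print("review first:", unauthenticated_state_changers(SAMPLE_SPEC))
```

Cross-check the rows against the MindAPI checklist: an endpoint with auth=False that still returns or changes user data is where the broken-authentication and object-level authorization tests from the OWASP API Top 10 start.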

Use MindAPI, an excellent checklist (or mindmap) for API pentesting: https://github.com/dsopas/MindAPI

OWASP API TOP 10 2019 – https://owasp.org/API-Security/editions/2019/en/0x11-t10/

OWASP API TOP 10 2023 – https://apisecurity.io/owasp-api-security-top-10/

Hope this post helps you perform security testing for APIs; do share it with your co-workers and friends. Please let me know if you have any suggestions, or leave your valuable feedback in the comments. Now you can also collaborate with us; please check our collaboration page. Thank you!