I decided to use FastAPI for two reasons: 1) it is made for Python; and 2) the syntax and its structure is easy for people who are not very development-savvy to understand. I, myself, am not a developer and still struggle with some software engineering concepts (you will see how terribly written this project is). Writing this API has helped me a lot and I would encourage anyone working with application security to develop a similar project.
The flaws in this API include, but are not limited to:
- Broken Access Control
- Insecure CORS
- Information Disclosure
- SQL Injection
- Hidden Functionality (Backdoor)
- OS Command Injection
- Hardcoded Secrets
- Security Misconfiguration
The easiest way to run vBankAPI is by using Docker. You can execute the following commands:
git clone https://github.com/julio-cfa/vBankAPI.git
cd vBankAPI
docker build -t vbank-api .
docker run -d -p 8000:8000 vbank-apiIf you want to run it without Docker, it is also possible:
git clone https://github.com/julio-cfa/vBankAPI.git
cd vBankAPI
pip3 install -r requirements.txt
uvicorn main:app --reloadEither way you will be able to access the API over http://127.0.0.1:8000. However, I would recommend adding an entry to your /etc/hosts:
sudo echo "127.0.0.1 vbank.api" >> /etc/hostsAfter that, you will be able to access the API over http://vbank.api:8000.
The way this project was designed, this API should be tested with a white-box approach. You should run a SAST, perform a manual code review, and also do a penetration test. There are vulnerabilities that can only be detected by inspecting the code.
The API code is simple enough so that people with not a lot of programming and/or code review experience can go through the code and find such vulnerabilities.
At http://127.0.0.1:8000/docs you will find Swagger documentation that you can leverage for your tests.