Giter Site home page Giter Site logo

api-security / apisandbox Goto Github PK

View Code? Open in Web Editor NEW
375.0 5.0 52.0 150.01 MB

Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose.

License: GNU General Public License v3.0

Dockerfile 0.10% Go 1.81% CSS 25.20% JavaScript 18.18% HTML 4.51% PHP 2.48% Shell 0.02% Java 3.86% Python 0.35% FreeMarker 43.49%

apisandbox's Introduction

APISandbox

Pre-Built Vulnerable Multiple API Scenarios Environments Based on Docker-Compose.

介绍

APISandbox是一个包含多个场景的API漏洞靶场。

目前有以下几个API漏洞场景靶场:

  • 4ASystem: 4A认证系统下的API平行越权
  • APIVuln: 生产消费流水线中的API缓存投毒
  • GraphqlNotebook: 一个使用GraphQL的留言板以及经典API漏洞
  • InfoSystem: WSDL泄露API越权进后台Getshell
  • OASystem: SpringBoot微服务架构下的API Gateway配置问题
  • OWASPApiTop10: 使用go作为后端实现解释OWASP API Top 10的漏洞

欢迎小伙伴提交更多API安全实战思路攻略等,社区会帮忙实现成靶场环境~

安装

在Ubuntu 20.04下安装docker/docker-compose:

# 安装pip
curl -s https://bootstrap.pypa.io/get-pip.py | python3

# 安装最新版docker
curl -s https://get.docker.com/ | sh

# 启动docker服务
systemctl start docker

# 安装compose
pip install docker-compose

其他操作系统安装docker和docker-compose可能会有些许不同,请阅读Docker文档进行安装。

使用

# 下载项目
wget https://github.com/API-Security/APISandbox/archive/refs/heads/main.zip -O APISandbox-main.zip
unzip APISandbox-main.zip
cd APISandbox-main

# 进入某一个漏洞/环境的目录
cd OWASPApiTop10

# 自动化编译环境
docker-compose build

# 启动整个环境
docker-compose up -d

每个环境目录下都有相应的说明文件,请阅读该文件,进行漏洞/环境测试。

测试完成后,删除整个环境

docker-compose down -v

本项目中所有环境仅用于测试,不可作为生产环境使用!

注意事项

  1. 为防止出现权限错误,最好使用root用户执行docker和docker-compose命令
  2. docker部分镜像不支持在ARM等架构的机器上运行

项目地址

Author: yulige,rmb122,wh1sper,Leonsec,h0ld1rs,Reclu3e

https://github.com/API-Security/APISandbox API Security是一个分享一切和API安全相关的工具、漏洞环境、书籍、技术文章、新闻资讯、最佳实践白皮书等资料的社区。

API Security知识星球永久免费,欢迎对API安全感兴趣的信息安全爱好者一起学习交流。

BUG、需求、PR都非常欢迎社区的小伙伴们提交。同时有疑问和意见也可以提出,我们虚心采纳。 有更多想法可以加微信yuligesec聊聊~

apisandbox's People

Contributors

anthem-whisper avatar le0nsec avatar t43wiu6 avatar yuligesec avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar

Forkers

webvul nixiteam yuligesec harry1080 prettyrecon 1amfine2333 h3ll0w0lrd transferhhh pa55w0rd cream-sec xiumulty h0ngzh0ng l34rner orright bbhunter kingking888 crackercat t43wiu6 geekmc sensi-1337 puzzithinker jorson-chen nanaao boluoha xzhdream polling-repo-continua rabbitsafe cephurs wouijvziqy tobey123 js4m rakisa ak4l3r3 awan-computer fracvx cybersecops 3lch3dar seeyourbug nehbha jabdy86 hydd4436944 vulnerable-apps niaojin 5l1v3r1 cy9nusg4rd3n sxx2022 ciyze0101 eason-zz xxpaike soufianely sec-joe liupanxuexi

apisandbox's Issues

遇到一些小问题~

  1. API1: BrokenObjectLevelAuthorization
    需要登录用户身份会话进行遍历ID。无登陆菜单。使用 /v2/login 一直未成功。
    2.get访问/v2/login提示404
    image

采用gorilla库导致API2的Cookie伪造不可用

稍微跟了一下,gorilla对cookie的处理中,只是用key把session id解出来
然后去找对应的文件读取用户的信息
image

1ff2092410dec2130575256ca648eb1

所以只有在知道session id的情况下才能伪造用户cookie
导致API2: Broken authentication无法正常工作
虽然/static/sessions/路由能看到id,但与预期解法不一致了

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.