Hi,

I have seen your readme but i feel we should have some ref table showing which exploit top 10 category is present in which endpoint. Because i mapped one specific endpoint to available vulnerabilities but then same vulnerability my colleague mapped to another and we don't have any clarity which one is a valid endpoint to test those vulnerabilities.

Also having proper solution will be great. Let me know if need any help !

Thanks,
Janibasha

Linux version: Ubuntu 22.04.1
Summary: flask-sqlalchemy version when installing requirements.txt is incompatible and raises error shown below:

AttributeError: module 'sqlalchemy' has no attribute 'all'. Did you mean: 'file'?

Following updated requirements.txt solves this error:

connexion~=2.7.0
flask~=2.2
flask-sqlalchemy>=3.0.2
jsonschema~=3.2.0
sqlalchemy
swagger-ui-bundle
PyJWT~=1.7.1
markupsafe==2.1.1

Hello,

Firstly, thank you for this very pleasant project!

I've encountered an ambiguity multiple times during my tests on the /users/v1/register endpoint. When using the image from Docker Hub, I don't get the same result when attempting to promote myself to admin on the API. Specifically, I am unable to perform this privilege escalation from the container linked to the image on Docker Hub, but only through the one I manually build via the project's Dockerfile.

Here are the data I'm sending to the API:

jsonCopy code

{ "username": "test2", "password": "test", "email": "[email protected]", "admin": "True" }

I want to mention that I also tested with "admin": true.

Here are my tests in more detail with Postman:

Test using the project's Dockerfile

• User Creation

• Debug Mode: It's observed that the newly added user is an admin!

Test using the image stored on Docker Hub

• User Creation

• Debug Mode: It's observed that the newly added user is not an admin...

Is this an issue with the image not being updated on Docker Hub? (Last release: 4 months ago: Docker Hub Link)

I am available if you need more information.

Best regards,

Archidote

Hello,
the admin parameter of the user is store as boolean in the system, but in register_user is it treated like a string. Typically, mass assignment vulnerabilities are present because a REST API framework directly maps an HTTP parameter to an attribute in the system. To make the example closer to reality, try to mimic this behavior by accepting a boolean parameter rather than a string.

How to get bearer token

Hello,
some operations in the OpenAPI specification does not provide a response schema, e.g., in the GET /users/v1 operation the response schema for the 200 status code is empty ({}), but it should be an array of user objects.
Could you please update the specification with the response schemas?

First of all, man, your work is awesome!
I'm using it to teach my students how to make web more secured.

I want to advise some ides, what can be used in continuation of your fantastic project:

What about adding some kind of RCE and docker container hardening?
For example, your awesome app can started as container inside VM in 4 variants:

1. Vulnerable APP + Vulnerable container, including RCE and non hardened docker container = RCE -> docker escape on VM
2. Vulnerable APP + Not Vulnerable container, including RCE and hardened docker container = RCE, but no docker escape on VM
3. Not Vulnerable APP + Vulnerable container, no RCE and hardened docker container = no docker escape, but container may be DOSed.
4. Not Vulnerable APP + Not Vulnerable container, no RCE and hardened docker container = All Ok!

According to this:
https://github.com/OWASP/Docker-Security
https://github.com/OWASP/Docker-Security/blob/main/dist/owasp-docker-security.pdf
https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html

The get_user method in the models/user_model.py return the _ repr _ format when vulnerable=0.

Example

$ curl "http://localhost:5000/users/v1/name1"
<User(name=name1, [email protected])>

This not happen when the vulnerable environment is True, because in that scenario the response is a formatted string, meanwhile in this one it returns the first user object found:

78   else:
79     fin_query = User.query.filter_by(username=username).first()

Possible solution:

We can take advance of the json class method to return the user data:

      else:
          user = User.query.filter_by(username=username).first()
          fin_query = user.json() if user else None
      return fin_query

Note: Calling .json() of a NoneType object could raise an error, so we must check if exists first.

But the .json() class method encloses the value in single quotes. That's not the standard json syntax we are looking for. A better solution could be like this:

      else:
          user = User.query.filter_by(username=username).first()
          fin_query = str(User.json(user)).replace("'",'"') if user else None
      return fin_query

Result:

$ curl "http://localhost:5000/users/v1/name1" # not vuln
{"username": "name1", "email": "[email protected]"}

$ curl "http://localhost:5001/users/v1/name1" # vuln
{"username": "name1", "email": "[email protected]"}

Following the default requirements.txt causes error when run the docker image

Traceback (most recent call last):
  File "app.py", line 1, in <module>
    from config import vuln_app
  File "/vampi/config.py", line 2, in <module>
    import connexion
  File "/usr/local/lib/python3.7/site-packages/connexion/__init__.py", line 5, in <module>
    from .apis import AbstractAPI  # NOQA
  File "/usr/local/lib/python3.7/site-packages/connexion/apis/__init__.py", line 1, in <module>
    from .abstract import AbstractAPI  # NOQA
  File "/usr/local/lib/python3.7/site-packages/connexion/apis/abstract.py", line 16, in <module>
    from ..spec import Specification
  File "/usr/local/lib/python3.7/site-packages/connexion/spec.py", line 5, in <module>
    import jinja2
  File "/usr/local/lib/python3.7/site-packages/jinja2/__init__.py", line 12, in <module>
    from .environment import Environment
  File "/usr/local/lib/python3.7/site-packages/jinja2/environment.py", line 25, in <module>
    from .defaults import BLOCK_END_STRING
  File "/usr/local/lib/python3.7/site-packages/jinja2/defaults.py", line 3, in <module>
    from .filters import FILTERS as DEFAULT_FILTERS  # noqa: F401
  File "/usr/local/lib/python3.7/site-packages/jinja2/filters.py", line 13, in <module>
    from markupsafe import soft_unicode
ImportError: cannot import name 'soft_unicode' from 'markupsafe' (/usr/local/lib/python3.7/site-packages/markupsafe/__init__.py)

Add version requirements on markupsafe==2.0.2 package solves the issue, but I haven't checked if the docker can function normally.

The usename parameter requires a string type value, but when characters containing special characters are passed in, a response with a 500 response code is received

API PATH

/user/v1/{username}

Method

GET

Example

curl http://localhost:5000/users/v1/'jp#>2Q&h

Love this project! Thank you.
Opening an issue to use w/ a PR I'm about to submit.

To make it even easier and more powerful to use as a teaching tool, it is handy to run one instance of VAmPI securely (vulnerable=0) and another insecure instance running in parallel on a different port (vulnerable=1). Your use of ENV within the Dockerfile makes this dead simple and adjustments to the README are all that is needed.

Also ran into a conflict w/ port 5000 on Mac OSX, so put in a note about two ways to resolve that.

I'm running a relatively stock, updated Ubuntu 20.04 box and I'm hitting a docker build issue. One of the python dependencies pulls in a package called greenlet, which is compiling against the python development headers and using the g++ compile.

Hello!
Is there API endpoint like http://127.0.0.1:5000/v3/api-docs for get API definition document?
It will be suitable for OWASP ZAP test automation with your instance for example.
Thank you!

URL: https://hub.docker.com

Hi,

I can see doc says this demo app supports multiple attacks but i don't see attack payloads. So can you please share them so i can also test these attacks.

Thanks,
Jani