Skip to content

apisec-inc/urban-VAmPI

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

148 Commits
.github
.github
Β 
Β 
.railway
.railway
Β 
Β 
api_views
api_views
Β 
Β 
database
database
Β 
Β 
models
models
Β 
Β 
openapi_specs
openapi_specs
Β 
Β 
scripts
scripts
Β 
Β 
.dockerignore
.dockerignore
Β 
Β 
.env.example
.env.example
Β 
Β 
.gitignore
.gitignore
Β 
Β 
DEPLOYMENT.md
DEPLOYMENT.md
Β 
Β 
Dockerfile
Dockerfile
Β 
Β 
GITHUB_ACTIONS_SETUP.md
GITHUB_ACTIONS_SETUP.md
Β 
Β 
LICENSE
LICENSE
Β 
Β 
Procfile
Procfile
Β 
Β 
README.md
README.md
Β 
Β 
app.py
app.py
Β 
Β 
config.py
config.py
Β 
Β 
docker-compose.yaml
docker-compose.yaml
Β 
Β 
package.json
package.json
Β 
Β 
railway.json
railway.json
Β 
Β 
requirements.txt
requirements.txt
Β 
Β 
s2.sh
s2.sh
Β 
Β 
start_production.py
start_production.py
Β 
Β 
test-fixed-apisec.js
test-fixed-apisec.js
Β 
Β 

Repository files navigation

VAmPI

The Vulnerable API (Based on OpenAPI 3)

πŸ”± Fork Notice & Security Enhancements

This is a production-ready fork of the original VAmPI project by erev0s, enhanced with enterprise security best practices for safe deployment in controlled environments.

πŸ”’ Production Security Improvements Applied:

  • Non-root Docker user configuration - Container runs with dedicated user account (not root)
  • Enhanced containerization - Production-capable Docker setup with security hardening
  • Deployment-ready configuration - Safe for enterprise CI/CD pipeline integration
  • APIsec integration ready - Configured for automated security scanning workflows

🎯 Purpose:

This fork maintains all original VAmPI vulnerability demonstrations while adding the security foundation necessary for:

  • Enterprise security training environments
  • Automated security scanning demonstrations
  • CI/CD pipeline security testing
  • Production-grade vulnerability assessment workflows

⚠️ Important: While security-hardened for deployment, this API intentionally contains vulnerabilities for educational and testing purposes. Deploy only in controlled environments.

vampi

Docker Image CI Docker Pulls

VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs. It was created as I wanted a vulnerable API to evaluate the efficiency of tools used to detect security issues in APIs. It includes a switch on/off to allow the API to be vulnerable or not while testing. This allows to cover better the cases for false positives/negatives. VAmPI can also be used for learning/teaching purposes. You can find a bit more details about the vulnerabilities in erev0s.com.

Features

  • Based on OWASP Top 10 vulnerabilities for APIs.
  • OpenAPI3 specs and Postman Collection included.
  • Global switch on/off to have a vulnerable environment or not.
  • Token-Based Authentication (Adjust lifetime from within app.py)
  • Available Swagger UI to directly interact with the API

VAmPI's flow of actions is going like this: an unregistered user can see minimal information about the dummy users included in the API. A user can register and then login to be allowed using the token received during login to post a book. For a book posted the data accepted are the title and a secret about that book. Each book is unique for every user and only the owner of the book should be allowed to view the secret.

A quick rundown of the actions included can be seen in the following table:

Action Path Details
GET /createdb Creates and populates the database with dummy data
GET / VAmPI home
GET /me Displays the user that is logged in
GET /users/v1 Displays all users with basic information
GET /users/v1/_debug Displays all details for all users
POST /users/v1/register Register new user
POST /users/v1/login Login to VAmPI
GET /users/v1/{username} Displays user by username
DELETE /users/v1/{username} Deletes user by username (Only Admins)
PUT /users/v1/{username}/email Update a single users email
PUT /users/v1/{username}/password Update users password
GET /books/v1 Retrieves all books
POST /books/v1 Add new book
GET /books/v1/{book} Retrieves book by title along with secret

For more details you can either run VAmPI and visit http://127.0.0.1:5000/ui/ or use a service like the swagger editor supplying the OpenAPI specification which can be found in the directory openapi_specs.

List of Vulnerabilities

  • SQLi Injection
  • Unauthorized Password Change
  • Broken Object Level Authorization
  • Mass Assignment
  • Excessive Data Exposure through debug endpoint
  • User and Password Enumeration
  • RegexDOS (Denial of Service)
  • Lack of Resources & Rate Limiting
  • JWT authentication bypass via weak signing key

Run it

It is a Flask application so in order to run it you can install all requirements and then run the app.py. To install all requirements simply run pip3 install -r requirements.txt and then python3 app.py.

Or if you prefer you can also run it through docker or docker compose.

Run it through Docker

docker run -p 5000:5000 erev0s/vampi:latest

[Note: if you run Docker on newer versions of the MacOS, use -p 5001:5000 to avoid conflicting with the AirPlay Receiver service. Alternatively, you could disable the AirPlay Receiver service in your System Preferences -> Sharing settings.]

Run it through Docker Compose

docker-compose contains two instances, one instance with the secure configuration on port 5001 and another with insecure on port 5002:

docker-compose up -d

Available Swagger UI πŸš€

Visit the path /ui where you are running the API and a Swagger UI will be available to help you get started!

http://127.0.0.1:5000/ui/

Customizing token timeout and vulnerable environment or not

If you would like to alter the timeout of the token created after login or if you want to change the environment not to be vulnerable then you can use a few ways depending how you run the application.

  • If you run it like normal with python3 app.py then all you have to do is edit the alive and vuln variables defined in the app.py itself. The alive variable is measured in seconds, so if you put 100, then the token expires after 100 seconds. The vuln variable is like boolean, if you set it to 1 then the application is vulnerable, and if you set it to 0 the application is not vulnerable.
  • If you run it through Docker, then you must either pass environment variables to the docker run command or edit the Dockerfile and rebuild.

    • Docker run example: docker run -d -e vulnerable=0 -e tokentimetolive=300 -p 5000:5000 erev0s/vampi:latest

      • One nice feature to running it this way is you can startup a 2nd container with vulnerable=1 on a different port and flip easily between the two.

    • In the Dockerfile you will find two environment variables being set, the ENV vulnerable=1 and the ENV tokentimetolive=60. Feel free to change it before running the docker build command.

Frequently asked questions

  • There is a database error upon reaching endpoints!
    • Make sure to issue a request towards the endpoint /createdb in order to populate the database.

Picture from freepik - www.freepik.com

Getting Started

Essential curl commands Database must be initialized on first deploy

curl -s https://urban-vampi-production.up.railway.app/users/v1 | head -20
curl -s https://urban-vampi-production.up.railway.app/createdb
curl -s https://urban-vampi-production.up.railway.app/users/v1
# Connect to staging
railway environment staging
# Check environments and their triggers
railway service urban-VAmPI# && railway status

Link current dir to staging

railway link -p 2e10ac7e-3afd-460c-956d-ce5a9a84577c

Troubleshooting environments and deployments

# Initial Railway environment check
railway status

# Switch to production environment and check service
railway environment production
railway service urban-VAmPI#
railway status

# Check production domain 
railway domain

# Check environment variables in production
railway variables

# Test API endpoints
curl -s https://urban-vampi-production.up.railway.app/createdb
curl -s https://urban-vampi-production.up.railway.app/users/v1

# Check git branch structure
git branch -a

# Switch to staging environment
railway environment staging
railway service urban-VAmPI# && railway status

# Check git remotes
git remote -v

# Check recent commit history
git log --oneline -5

# Test deployment behavior - make a test change
git add . && git commit -m "test: deployment strategy tracking comment" && git push origin master

# Monitor environments after push
railway environment production && railway service urban-VAmPI#
curl -s https://urban-vampi-production.up.railway.app/ | grep -o "VAmPI.*API"

railway environment staging && railway service urban-VAmPI#
railway logs | head -5

# Final status check
railway status

# Service Validation
echo "=== STAGING ENVIRONMENT ===" && curl -s https://urban-vampi-staging.up.railway.app/ | grep -o "VAmPI.*API" && echo -e "\n=== PRODUCTION ENVIRONMENT ===" && curl -s https://urban-vampi-production.up.railway.app/ | grep -o "VAmPI.*API"

# Comprehensive Service Validation
echo "=== VAMPI DEPLOYMENT STATUS REPORT ===" && echo "Generated: $(date)" && echo -e "\nπŸš€ STAGING ENVIRONMENT:" && echo "URL: https://urban-vampi-staging.up.railway.app" && echo "Status: $(curl -s https://urban-vampi-staging.up.railway.app/ | jq -r '.message // "Error"')" && echo "Users: $(curl -s https://urban-vampi-staging.up.railway.app/users/v1 | jq -r '.users | length') users loaded" && echo -e "\n🏭 PRODUCTION ENVIRONMENT:" && echo "URL: https://urban-vampi-production.up.railway.app" && echo "Status: $(curl -s https://urban-vampi-production.up.railway.app/ | jq -r '.message // "Error"')" && echo "Users: $(curl -s https://urban-vampi-production.up.railway.app/users/v1 | jq -r '.users | length') users loaded"

VAmPI Home Endpoint and Deployemnt Test Endpoint 9.1

curl https://urban-vampi-staging.up.railway.app/
curl https://urban-vampi-staging.up.railway.app/deployment-test

Railway Operations & Deployment Guide

Current Environment Setup

Manual Deployment Commands

Deploy to Staging

git checkout develop
git pull origin develop
railway environment staging
railway up
# check that staging endpoints are live
curl -s https://urban-vampi-staging.up.railway.app/ | head -1 && \
curl -s https://urban-vampi-staging.up.railway.app/deployment-test

Deploy to Production

git checkout master
git pull origin master
railway environment production
railway up
# check that production endpoints are live
curl -s https://urban-vampi-production.up.railway.app/ | head -1
curl -s https://urban-vampi-production.up.railway.app/deployment-test

Railway Environment Management

# Check current status
railway status

# Switch environments
railway environment staging
railway environment production

# Link service if disconnected
railway service urban-VAmPI#

# View logs
railway logs

# Check environment variables
railway variables

# Set environment variables
railway variables set KEY=value

Environment Variables Configuration

Both Environments

PORT=5000  # Railway's expected port

Staging Environment

RAILWAY_ENVIRONMENT=staging
vulnerable=1  # Enable vulnerable mode for testing

Production Environment

RAILWAY_ENVIRONMENT=production
vulnerable=0  # Disable vulnerable mode for security

Troubleshooting

  • Build fails: Check Railway dashboard build logs
  • Service disconnected: Run railway service urban-VAmPI#
  • Environment issues: Verify variables with railway variables
  • Deploy fails: Check railway.json configuration and start_production.py

Note: Due to corporate GitHub restrictions, auto-deploy webhooks are not available. All deployments are manual via Railway CLI. See DEPLOYMENT.md for detailed Git workflow instructions.

πŸ€– Automated Deployment Status

GitLab Runners take forever to process a workflow; Use manual deploy!!

βœ… STAGING: FULLY OPERATIONAL

Automated staging deployment is active and working:

  • πŸš€ Push to develop β†’ Auto-deploy to staging in ~1m 20s
  • βœ… RAILWAY_TOKEN_STAGING configured and tested
  • βœ… Health checks passing consistently
  • βœ… GitHub Actions workflow proven reliable

βœ… PRODUCTION: READY FOR ACTIVATION

Production deployment is configured and ready:

  • 🎯 Push to master β†’ Auto-deploy to production
  • βœ… RAILWAY_TOKEN configured for production environment
  • πŸ”’ Environment protection enabled for safety
  • πŸ”§ Debug logging added for troubleshooting

πŸ‘‰ See GITHUB_ACTIONS_SETUP.md for complete setup instructions

Current Deployment Options:

Option 1: βœ… Automated (Staging Proven, Production Ready)

  • Push to develop β†’ Automatic staging deployment (proven)
  • Push to master β†’ Production deployment (configured)
  • Built-in health checks and verification
  • ~1m 20s deployment + GitHub runner queue time

Option 2: βœ… Manual (Always Available)

  • Railway CLI commands (see above)
  • Full control over deployment process
  • Immediate feedback and troubleshooting
  • Reliable fallback method (~30-60s total)

Test Commands:

# Test current staging deployment
curl https://urban-vampi-staging.up.railway.app/
curl https://urban-vampi-staging.up.railway.app/deployment-test

# Test current production deployment  
curl https://urban-vampi-production.up.railway.app/
curl https://urban-vampi-production.up.railway.app/deployment-test

# Trigger new automated deployments
git push origin develop  # β†’ Staging
git push origin master   # β†’ Production

Benefits:

  • βœ… Corporate-friendly: No Railway GitHub app required
  • βœ… Staging proven: 100% success rate in testing
  • βœ… Production ready: Configured with debug logging
  • βœ… Fast deployments: ~1m 20s (+ GitHub runner queue)
  • βœ… Manual fallback: Railway CLI always available (~30-60s)
  • βœ… Security: Environment-specific tokens + GitHub secrets
  • βœ… Audit trail: Complete deployment history in GitHub Actions

About

Modified for CI/CD Demo: Vulnerable REST API with OWASP top 10 vulnerabilities for security testing

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

2 forks
Report repository

Releases

2 tags

Packages

 
 
 

Contributors

Languages