vulnerable-apis
vulnerable APIs inspired by https://github.com/mattvaldes/vulnerable-api
Setup
Docker
If, Out of the box
docker pull kmmanoj/vulnerable-apis (may be outdated with respect to the current state of the repo)
Else, Build the application as docker image (preferred)
docker build -t kmmanoj/vulnerable-apis .
Finally, Run the application as docker container
docker run --name vuln-api-instance --rm -it -p 5000:5000 kmmanoj/vulnerable-apis
Traditional way
Create a python virtual environment: virtualenv venv
Activate the virtual environment: source ./venv/bin/activate
Install the dependencies: pip install -r src/requirements.txt
Start the application with specific environment variables: TRANSIENT_DB=true python src/main.py
Fork the collection and the environment in Postman
Open Postman (desktop agent preferrably)
Fork the collection and environment to your own workspace by clicking the Run in Postman button below.
Or separately, fork the collection to a workspace of your choice.
And fork the environment to the same workspace where you forked the above collection.
Set the initial value and current value of the host variable to http://localhost:5000
Go back to the collections and start hacking!
Using util (if using the docker setup)
Login to the container
docker exec -it vuln-api-instance /bin/bash
Navigate to /util to use the JWT token break(or)make tool.
cd /util
Usage of JWT Token break(or)make
Usage:
python3 brute_force_jwt_token.py make - to create a token using a leaked secret
python3 brute_force_jwt_token.py break - to find the secret used by JWT token
NOTE: For non-containerized deployments, find the util directory in the repository itself. The required dependencies are already installed in the virtual environment.
Performance
example
$ ab -n 5000 -c 100 -T 'application/json' -p login.json http://127.0.0.1:5000/user/login
This is ApacheBench, Version 2.3 <$Revision: 1879490 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 127.0.0.1 (be patient)
Completed 500 requests
Completed 1000 requests
Completed 1500 requests
Completed 2000 requests
Completed 2500 requests
Completed 3000 requests
Completed 3500 requests
Completed 4000 requests
Completed 4500 requests
Completed 5000 requests
Finished 5000 requests
Server Software: Werkzeug/2.0.1
Server Hostname: 127.0.0.1
Server Port: 5000
Document Path: /user/login
Document Length: 68 bytes
Concurrency Level: 100
Time taken for tests: 31.257 seconds
Complete requests: 5000
Failed requests: 0
Non-2xx responses: 5000
Total transferred: 1100000 bytes
Total body sent: 890000
HTML transferred: 340000 bytes
Requests per second: 159.96 [#/sec] (mean)
Time per request: 625.137 [ms] (mean)
Time per request: 6.251 [ms] (mean, across all concurrent requests)
Transfer rate: 34.37 [Kbytes/sec] received
27.81 kb/s sent
62.17 kb/s total
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.7 0 6
Processing: 11 620 88.7 628 905
Waiting: 6 614 88.0 623 893
Total: 11 620 88.4 628 905
Percentage of the requests served within a certain time (ms)
50% 628
66% 660
75% 677
80% 686
90% 711
95% 740
98% 838
99% 854
100% 905 (longest request)
4 Aug 8, 2022
2 Jun 6, 2022
26 Dec 26, 2022
309 Jan 2, 2023
7 Sep 30, 2022
6.7k Dec 27, 2022
44 Nov 15, 2022
685 Dec 28, 2022
197 Nov 14, 2022
136 Jan 2, 2023
7 Mar 8, 2022
13 Jul 13, 2022
43 Nov 9, 2022
560 Dec 23, 2022
6 Dec 28, 2022
431 Dec 22, 2022
8 Feb 27, 2022
6 Mar 10, 2022
13 Jan 4, 2022
7 Mar 8, 2022
13 Jul 13, 2022
43 Nov 9, 2022
560 Dec 23, 2022
6 Dec 28, 2022
431 Dec 22, 2022
8 Feb 27, 2022
6 Mar 10, 2022
13 Jan 4, 2022
6 Jan 30, 2022