CorpAPI – A Vulnerable API For Testing

Improving my Python programming and API penetration testing skills has long been on my to-do list. Finally, with some free time on my hands, I opted to build a vulnerable-by-design API that is freely accessible to everyone to try their hand at.

The API is built on Python’s Flask web framework and includes several common vulnerabilities and security misconfigurations that often plague APIs. These range from excessive data exposure to arbitrary file read. I have also included two flags, each of which can be found by exploiting one or more of the vulnerabilities. Here is the list of current security issues:

  • Information Disclosure
  • Excessive Data Exposure
  • Broken Object Level Authorization
  • Arbitrary File Read
  • Broken Function Level Authorization
  • SQL Injection

I’ve codenamed the project “CorpAPI” and tried to implement vulnerabilities of the kind found in the real world. For example, APIs are often updated, and old, outdated endpoints and documentation are frequently left behind. That leftover information can reveal additional functionality which should not be publicly accessible.
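To make three of the listed issues concrete, here is an added example (written for this post, not code from the CorpAPI repository) of a single “get user” handler in its vulnerable form beside a hardened one. The real project uses Flask routes; this example swaps them for plain functions returning a (status, body) pair so it runs with only the standard library, and the users table, its columns and the `requester_id` parameter are assumptions made up for the demo. The vulnerable version interpolates the caller-supplied id into the SQL string (SQL injection), never checks that the caller owns the requested object (broken object level authorization), and returns every column including the API key (excessive data exposure). The hardened version validates and parameterizes the id, enforces ownership, and returns only the fields the client needs.

```python
import sqlite3

USER_COLUMNS = ("id", "username", "email", "api_key")


def make_db():
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "alice@example.com", "key-alice"),
            (2, "bob", "bob@example.com", "key-bob"),
        ],
    )
    return conn


def get_user_vulnerable(conn, requester_id, user_id):
    """Vulnerable handler: GET /users/<user_id> as an authenticated requester.

    - user_id is pasted straight into the query (SQL injection)
    - requester_id is never compared to user_id (BOLA)
    - every column, api_key included, is serialized (excessive data exposure)
    """
    query = f"SELECT id, username, email, api_key FROM users WHERE id = {user_id}"
    rows = conn.execute(query).fetchall()
    return 200, [dict(zip(USER_COLUMNS, row)) for row in rows]


def get_user_hardened(conn, requester_id, user_id):
    """Hardened handler for the same route."""
    # Reject anything that is not a plain integer id before it reaches SQL.
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return 400, {"error": "invalid id"}
    # Object-level authorization: a user may only read their own record.
    if uid != requester_id:
        return 403, {"error": "forbidden"}
    # Parameterized query, and only the fields the client actually needs.
    row = conn.execute(
        "SELECT id, username, email FROM users WHERE id = ?", (uid,)
    ).fetchone()
    if row is None:
        return 404, {"error": "not found"}
    return 200, {"id": row[0], "username": row[1], "email": row[2]}


if __name__ == "__main__":
    db = make_db()
    # Alice (id 1) asks for "2 OR 1=1": the vulnerable handler leaks both
    # users and their API keys; the hardened one refuses the malformed id.
    print(get_user_vulnerable(db, 1, "2 OR 1=1"))
    print(get_user_hardened(db, 1, "2 OR 1=1"))
    print(get_user_hardened(db, 1, "2"))
    print(get_user_hardened(db, 1, "1"))
```

The injection payload `2 OR 1=1` is the simplest probe for this handler; the same sink would also accept a `UNION SELECT` to pull columns from other tables, which is why the hardened version both parameterizes the query and narrows the authorization check rather than fixing only one of the two.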

Moving forward I fully intend to keep adding functionality and vulnerabilities to CorpAPI. Updates and changes can be tracked in the GitHub repository:

https://github.com/arctil/CorpAPI/