Vulnerable APIs
Here are some intentionally vulnerable APIs
Juice Shop
Project Homepage: Juiceshop
Run locally on port 3000 with:
docker pull bkimminich/juice-shop
docker run -d --rm -p 3000:3000 bkimminich/juice-shop
VAmPI
- Project Homepage: VAmPI
- OpenAPI spec
Run locally on port 5001 with:
git clone https://github.com/erev0s/VAmPI
cd VAmPI
docker-compose up -d
crAPI
- Project Homepage: crAPI
Run locally on port 8888 with:
git clone https://github.com/OWASP/crAPI
cd crAPI/deploy/docker/
docker-compose -f docker-compose.yml --compatibility up -d
vAPI
- Project Homepage: vAPI
- Vulnerable API writeup
Run locally on port 8081 with:
docker run -tid -p 8081:8081 --name api mkam/vulnerable-api-demo
Test APIs
Here are some test APIs that are for general testing and are not intentionally vulnerable
Httpbin
Project Homepage: Httpbin
Run locally on port 4000 with:
docker run -p 4000:80 kennethreitz/httpbin
Sockshop
Run locally with:
git clone https://github.com/microservices-demo/microservices-demo
cd microservices-demo
docker-compose -f deploy/docker-compose/docker-compose.yml up -d
Damn Vulnerable GraphQL Application
- DVGA
- Docker Hub image: dolevf/dvga
# Pull the docker image from Docker Hub
docker pull dolevf/dvga
# Create a container from the image
docker run -t -p 5013:5013 -e WEB_HOST=0.0.0.0 dolevf/dvga
Generic-University
docker pull busk3r/genericuniversity:latest
docker run --name genericuniversity -itd --rm -p 80:8000 busk3r/genericuniversity && docker exec genericuniversity service mysql start && docker exec genericuniversity mysql -u root -p -e "ALTER USER 'root'@'localhost' IDENTIFIED BY 'password';"
docker exec genericuniversity php /root/Generic-University/artisan serve --host 0.0.0.0
# Go to 127.0.0.1 or the system IP you're using.
REST API Goat
docker build -t rest-api-goat:latest .
docker run -d -p 5000:5000 rest-api-goat
# Test at http://localhost:5000/
vulnapi
docker build --tag vulnapi .
docker run -it --rm -p 8000:8000 vulnapi
# Open http://IP_OF_HOST:8000/docs in a web browser.
APISandbox
# Download Project
wget https://github.com/API-Security/APISandbox/archive/refs/heads/main.zip -O APISandbox-main.zip
unzip APISandbox-main.zip
cd APISandbox-main
# Enter Project root
cd OWASPApiTop10
# Build Docker compose stack
docker-compose build
# Run Application on docker
docker-compose up -d
Misc
Here are some other test APIs
MS Demo Conference API
Mockbin
- Project home: Mockbin
Damn Vulnerable Microservices (DVMS)
dvws-node
- This is a replacement for https://github.com/snoopysecurity/dvws