{ "info": { "_postman_id": "054ba5ba-7ee9-48a7-9dc6-09ad497404e6", "name": "vAPI", "description": "vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API Interface that mimics OWASP API Top 10 scenarios in the means of Exercises.", "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json" }, "item": [ { "name": "API1", "item": [ { "name": "Create User", "event": [ { "listen": "test", "script": { "exec": [ "var jsonData = JSON.parse(responseBody);\r", "var api1_id = jsonData.id;\r", "console.log(\"API 1 User ID : \"+api1_id);\r", "postman.setEnvironmentVariable(\"api1_id\",api1_id);\r", "var reqData = JSON.parse(request.data);\r", "var api1_username=reqData.username;\r", "var api1_password=reqData.password;\r", "var api1_auth=btoa(api1_username+\":\"+api1_password);\r", "console.log(\"API 1 Auth : \"+api1_auth);\r", "postman.setEnvironmentVariable(\"api1_auth\",api1_auth);\r", "" ], "type": "text/javascript" } } ], "request": { "auth": { "type": "noauth" }, "method": "POST", "header": [ { "key": "Content-Type", "value": "application/json", "type": "text" }, { "key": "Accept", "value": "application/json", "type": "text" } ], "body": { "mode": "raw", "raw": "{\r\n \"username\": \"\",\r\n \"name\": \"\",\r\n \"course\": \"\",\r\n \"password\": \"\"\r\n}" }, "url": { "raw": "http://{{host}}/vapi/api1/user", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api1", "user" ] } }, "response": [] }, { "name": "Get User", "event": [ { "listen": "prerequest", "script": { "exec": [ "" ], "type": "text/javascript" } } ], "request": { "method": "GET", "header": [ { "key": "Authorization-Token", "value": "{{api1_auth}}", "type": "text" }, { "key": "Content-Type", "value": "application/json", "type": "text" } ], "url": { "raw": "http://{{host}}/vapi/api1/user/{{api1_id}}", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api1", "user", "{{api1_id}}" ] } }, "response": [] }, { "name": "Update User", "event": [ { "listen": "test", "script": { "exec": [ "var jsonData = JSON.parse(responseBody);\r", "var api1_id = jsonData.id;\r", "console.log(\"API 1 User ID : \"+api1_id);\r", "postman.setEnvironmentVariable(\"api1_id\",api1_id);\r", "var reqData = JSON.parse(request.data);\r", "var api1_username=reqData.username;\r", "var api1_password=reqData.password;\r", "var api1_auth=btoa(api1_username+\":\"+api1_password);\r", "console.log(\"API 1 Auth : \"+api1_auth);\r", "postman.setEnvironmentVariable(\"api1_auth\",api1_auth);\r", "" ], "type": "text/javascript" } } ], "request": { "auth": { "type": "noauth" }, "method": "PUT", "header": [ { "key": "Authorization-Token", "value": "{{api1_auth}}", "type": "text" }, { "key": "Content-Type", "value": "application/json", "type": "text" } ], "body": { "mode": "raw", "raw": "{\r\n \"username\":\"\",\r\n \"name\":\"\",\r\n \"course\":\"\",\r\n \"password\":\"\"\r\n}" }, "url": { "raw": "http://{{host}}/vapi/api1/user/{{api1_id}}", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api1", "user", "{{api1_id}}" ] } }, "response": [] } ], "description": "Broken Object Level Authorization\r\n\r\nYou can register yourself as a User , Thats it ....or is there something more?", "event": [ { "listen": "prerequest", "script": { "type": "text/javascript", "exec": [ "" ] } }, { "listen": "test", "script": { "type": "text/javascript", "exec": [ "" ] } } ] }, { "name": "API2", "item": [ { "name": "User Login", "event": [ { "listen": "test", "script": { "exec": [ "var jsonData = JSON.parse(responseBody);\r", "var api2_auth = jsonData.token;\r", "console.log(\"API 2 Auth : \"+api2_auth);\r", "postman.setEnvironmentVariable(\"api2_auth\",api2_auth);" ], "type": "text/javascript" } } ], "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/json", "type": "text" } ], "body": { "mode": "raw", "raw": "{\r\n \"email\":\"\",\r\n \"password\":\"\"\r\n}" }, "url": { "raw": "http://{{host}}/vapi/api2/user/login", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api2", "user", "login" ] } }, "response": [] }, { "name": "Get Details", "request": { "method": "GET", "header": [ { "key": "Authorization-Token", "type": "text", "value": "{{api2_auth}}" } ], "url": { "raw": "http://{{host}}/vapi/api2/user/details", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api2", "user", "details" ] } }, "response": [] } ], "description": "Broken Authentication\r\n\r\nWe don't seem to have credentials for this , How do we login? (There's something in the Resources Folder given to you )", "event": [ { "listen": "prerequest", "script": { "type": "text/javascript", "exec": [ "" ] } }, { "listen": "test", "script": { "type": "text/javascript", "exec": [ "" ] } } ] }, { "name": "API3", "item": [ { "name": "Create User", "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/json", "type": "text" } ], "body": { "mode": "raw", "raw": "{\r\n \"username\":\"\",\r\n \"password\":\"\",\r\n \"name\":\"\"\r\n}" }, "url": { "raw": "http://{{host}}/vapi/api3/user", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api3", "user" ] } }, "response": [] } ], "description": "Excessive Data Exposure\r\n\r\nWe have all been there , right? Giving away too much data and the Dev showing it . Try the Android App in the Resources folder", "event": [ { "listen": "prerequest", "script": { "type": "text/javascript", "exec": [ "" ] } }, { "listen": "test", "script": { "type": "text/javascript", "exec": [ "" ] } } ] }, { "name": "API4", "item": [ { "name": "Mobile Login", "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/json", "type": "text" } ], "body": { "mode": "raw", "raw": "{\r\n \"mobileno\":\"8000000535\"\r\n}" }, "url": { "raw": "http://{{host}}/vapi/api4/login", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api4", "login" ] } }, "response": [] }, { "name": "Verify OTP", "event": [ { "listen": "test", "script": { "exec": [ "var jsonData = JSON.parse(responseBody);\r", "var api4_key = jsonData.key;\r", "console.log(\"API 4 Key : \"+api4_key);\r", "postman.setEnvironmentVariable(\"api4_key\",api4_key);" ], "type": "text/javascript" } } ], "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/json", "type": "text" } ], "body": { "mode": "raw", "raw": "{\r\n \"otp\":\"9999\"\r\n}" }, "url": { "raw": "http://{{host}}/vapi/api4/otp/verify", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api4", "otp", "verify" ] } }, "response": [] }, { "name": "Get Details", "request": { "method": "GET", "header": [ { "key": "Authorization-Token", "value": "{{api4_key}}", "type": "text" }, { "key": "Content-Type", "value": "application/json", "type": "text" } ], "url": { "raw": "http://{{host}}/vapi/api4/user", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api4", "user" ] } }, "response": [] } ], "description": "Lack of Resources & Rate Limiting\r\n\r\nWe believe OTPs are a great way of authenticating users and secure too if implemented correctly!", "event": [ { "listen": "prerequest", "script": { "type": "text/javascript", "exec": [ "" ] } }, { "listen": "test", "script": { "type": "text/javascript", "exec": [ "" ] } } ] }, { "name": "API5", "item": [ { "name": "Create User", "event": [ { "listen": "test", "script": { "exec": [ "var jsonData = JSON.parse(responseBody);\r", "var api5_id = jsonData.id;\r", "console.log(\"API 5 User ID : \"+api5_id);\r", "postman.setEnvironmentVariable(\"api5_id\",api5_id);\r", "var reqData = JSON.parse(request.data);\r", "var api5_username=reqData.username;\r", "var api5_password=reqData.password;\r", "var api5_auth=btoa(api5_username+\":\"+api5_password);\r", "console.log(\"API 5 Auth : \"+api5_auth);\r", "postman.setEnvironmentVariable(\"api5_auth\",api5_auth);\r", "" ], "type": "text/javascript" } } ], "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/json", "type": "text" } ], "body": { "mode": "raw", "raw": "{\r\n \"username\":\"testuser2\",\r\n \"password\":\"test123\",\r\n \"name\":\"Test User\",\r\n \"address\":\"ABC\",\r\n \"mobileno\":\"888888888\"\r\n}" }, "url": { "raw": "http://{{host}}/vapi/api5/user", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api5", "user" ] } }, "response": [] }, { "name": "Get User", "request": { "method": "GET", "header": [ { "key": "Authorization-Token", "value": "{{api5_auth}}", "type": "text" } ], "url": { "raw": "http://{{host}}/vapi/api5/user/{{api5_id}}", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api5", "user", "{{api5_id}}" ] } }, "response": [] } ], "description": "Broken Function Level Authorization\r\n\r\nYou can register yourself as a User. Thats it or is there something more? (I heard admin logins often but uses different route)", "event": [ { "listen": "prerequest", "script": { "type": "text/javascript", "exec": [ "" ] } }, { "listen": "test", "script": { "type": "text/javascript", "exec": [ "" ] } } ] }, { "name": "API6", "item": [ { "name": "Create User", "event": [ { "listen": "test", "script": { "exec": [ "var reqData = JSON.parse(request.data);\r", "var api6_username=reqData.username;\r", "var api6_password=reqData.password;\r", "var api6_auth=btoa(api6_username+\":\"+api6_password);\r", "console.log(\"API 6 Auth : \"+api6_auth);\r", "postman.setEnvironmentVariable(\"api6_auth\",api6_auth);" ], "type": "text/javascript" } } ], "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/json", "type": "text" } ], "body": { "mode": "raw", "raw": "{\r\n \"name\":\"\",\r\n \"username\":\"\",\r\n \"password\":\"\"\r\n}" }, "url": { "raw": "http://{{host}}/vapi/api6/user", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api6", "user" ] } }, "response": [] }, { "name": "Get User", "request": { "method": "GET", "header": [ { "key": "Authorization-Token", "value": "{{api6_auth}}", "type": "text" } ], "url": { "raw": "http://{{host}}/vapi/api6/user/me", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api6", "user", "me" ] } }, "response": [] } ], "description": "Mass Assignment\r\n\r\nWelcome to our store , We will give you credits if you behave nicely. Our credit management is super secure", "event": [ { "listen": "prerequest", "script": { "type": "text/javascript", "exec": [ "" ] } }, { "listen": "test", "script": { "type": "text/javascript", "exec": [ "" ] } } ] }, { "name": "API7", "item": [ { "name": "Create User", "event": [ { "listen": "test", "script": { "exec": [ "var reqData = JSON.parse(request.data);\r", "var api7_username=reqData.username;\r", "var api7_password=reqData.password;\r", "var api7_auth=btoa(api7_username+\":\"+api7_password);\r", "console.log(\"API 7 Auth : \"+api7_auth);\r", "postman.setEnvironmentVariable(\"api7_auth\",api7_auth);\r", "" ], "type": "text/javascript" } } ], "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/json", "type": "text" } ], "body": { "mode": "raw", "raw": "{\r\n \"username\":\"\",\r\n \"password\":\"\"\r\n}" }, "url": { "raw": "http://{{host}}/vapi/api7/user", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api7", "user" ] } }, "response": [] }, { "name": "User Login", "request": { "method": "GET", "header": [ { "key": "Authorization-Token", "value": "{{api7_auth}}", "type": "text" }, { "warning": "This is a duplicate header and will be overridden by the Content-Type header generated by Postman.", "key": "Content-Type", "value": "application/json", "type": "text" } ], "url": { "raw": "http://{{host}}/vapi/api7/user/login", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api7", "user", "login" ] } }, "response": [] }, { "name": "Get Key", "request": { "method": "GET", "header": [ { "key": "Content-Type", "value": "application/json", "type": "text" } ], "url": { "raw": "http://{{host}}/vapi/api7/user/key", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api7", "user", "key" ] } }, "response": [] }, { "name": "User Logout", "request": { "method": "GET", "header": [ { "key": "Content-Type", "value": "application/json", "type": "text" } ], "url": { "raw": "http://{{host}}/vapi/api7/user/logout", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api7", "user", "logout" ] } }, "response": [] } ], "description": "Security Misconfiguration\r\n\r\nHey , its an API right? so we ARE expecting Cross Origin Requests . We just hope it works fine.", "event": [ { "listen": "prerequest", "script": { "type": "text/javascript", "exec": [ "" ] } }, { "listen": "test", "script": { "type": "text/javascript", "exec": [ "" ] } } ] }, { "name": "API8", "item": [ { "name": "User Login", "event": [ { "listen": "test", "script": { "exec": [ "var jsonData = JSON.parse(responseBody);\r", "var api8_auth = jsonData.authkey;\r", "console.log(\"API 8 Auth : \"+api8_auth);\r", "postman.setEnvironmentVariable(\"api8_auth\",api8_auth);" ], "type": "text/javascript" } } ], "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/json", "type": "text" } ], "body": { "mode": "raw", "raw": "{\r\n \"username\":\"\",\r\n \"password\":\"\"\r\n}" }, "url": { "raw": "http://{{host}}/vapi/api8/user/login", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api8", "user", "login" ] } }, "response": [] }, { "name": "Get Secret", "request": { "method": "GET", "header": [ { "key": "Authorization-Token", "value": "{{api8_auth}}", "type": "text" } ], "url": { "raw": "http://{{host}}/vapi/api8/user/secret", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api8", "user", "secret" ] } }, "response": [] } ], "description": "Injection\r\n\r\nI think you won't get credentials for this.You can try to login though.", "event": [ { "listen": "prerequest", "script": { "type": "text/javascript", "exec": [ "" ] } }, { "listen": "test", "script": { "type": "text/javascript", "exec": [ "" ] } } ] }, { "name": "API9", "item": [ { "name": "v2", "item": [ { "name": "Login", "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/json", "type": "text" } ], "body": { "mode": "raw", "raw": "{\r\n \"username\":\"richardbranson\",\r\n \"pin\":\"****\"\r\n}" }, "url": { "raw": "http://{{host}}/vapi/api9/v2/user/login", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api9", "v2", "user", "login" ] } }, "response": [] } ] } ], "description": "Improper Assets Management\r\n\r\nHey Good News!!!!! We just launched our v2 API :)", "event": [ { "listen": "prerequest", "script": { "type": "text/javascript", "exec": [ "" ] } }, { "listen": "test", "script": { "type": "text/javascript", "exec": [ "" ] } } ] }, { "name": "API10", "item": [ { "name": "Get Flag", "request": { "method": "GET", "header": [ { "key": "Content-Type", "value": "application/json", "type": "text" } ], "url": { "raw": "http://{{host}}/vapi/api10/user/flag", "protocol": "http", "host": [ "{{host}}" ], "path": [ "vapi", "api10", "user", "flag" ] }, "description": "I am not kidding!" }, "response": [] } ], "description": "Nothing has been logged or monitored , You caught us :( !", "event": [ { "listen": "prerequest", "script": { "type": "text/javascript", "exec": [ "" ] } }, { "listen": "test", "script": { "type": "text/javascript", "exec": [ "" ] } } ] }, { "name": "Arena", "item": [ { "name": "JustWeakToken", "item": [ { "name": "Create User", "event": [ { "listen": "test", "script": { "exec": [ "var jsonData = JSON.parse(responseBody);\r", "var token = jsonData.token;\r", "console.log(\"JustWeakToken : \"+token);\r", "postman.setEnvironmentVariable(\"justweaktoken\",token);" ], "type": "text/javascript" } } ], "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/json", "type": "text" } ], "body": { "mode": "raw", "raw": "{\r\n \"username\":\"\",\r\n \"password\":\"\"\r\n}" }, "url": { "raw": "{{host}}/vapi/jwt/user", "host": [ "{{host}}" ], "path": [ "vapi", "jwt", "user" ] } }, "response": [] }, { "name": "Get User", "request": { "method": "GET", "header": [ { "key": "Content-Type", "value": "application/json", "type": "text" }, { "key": "Authorization-Token", "value": "{{justweaktoken}}", "type": "text" } ], "url": { "raw": "{{host}}/vapi/jwt/user", "host": [ "{{host}}" ], "path": [ "vapi", "jwt", "user" ] } }, "response": [] } ] }, { "name": "ServerSurfer", "item": [ { "name": "Get Data", "protocolProfileBehavior": { "disableBodyPruning": true }, "request": { "method": "GET", "header": [ { "key": "", "value": "", "type": "text", "disabled": true } ], "body": { "mode": "raw", "raw": "" }, "url": { "raw": "{{host}}/vapi/serversurfer?url=https://roottusk.com", "host": [ "{{host}}" ], "path": [ "vapi", "serversurfer" ], "query": [ { "key": "url", "value": "https://roottusk.com" } ] } }, "response": [] } ] }, { "name": "StickyNotes", "item": [ { "name": "Store a Note", "request": { "method": "POST", "header": [ { "key": "Content-Type", "value": "application/json", "type": "default" } ], "body": { "mode": "raw", "raw": "{\n \"note\":\"Hello I am Tushar\"\n}" }, "url": { "raw": "{{host}}/vapi/stickynotes", "host": [ "{{host}}" ], "path": [ "vapi", "stickynotes" ] } }, "response": [] }, { "name": "Get Notes", "request": { "method": "GET", "header": [], "url": { "raw": "{{host}}/vapi/stickynotes?format=json", "host": [ "{{host}}" ], "path": [ "vapi", "stickynotes" ], "query": [ { "key": "format", "value": "html" } ] } }, "response": [] } ] } ] } ], "event": [ { "listen": "prerequest", "script": { "type": "text/javascript", "exec": [ "" ] } }, { "listen": "test", "script": { "type": "text/javascript", "exec": [ "" ] } } ] }