search

OWASP / API-Security

OWASP API Security Project
https://owasp.org/www-project-api-security/
Other
2.07k stars 377 forks source link

Need a demo application having all top 10 api risks #97

Closed janibashamd closed 1 year ago

janibashamd commented 1 year ago

Hello All,

I have some hands on OWASP web security TOP 10 and have also published articles for ex: https://community.f5.com/t5/technical-articles/mitigating-owasp-top-10-a07-2021-identification-and/ta-p/297734 https://community.f5.com/t5/technical-articles/mitigating-owasp-top-10-a03-2021-injection-exploits-using/ta-p/296014

During these article research I have found some demo applications like JuiceShop, DVWA, etc. are available directly from OWASP community with great documentation and reference links.

But for OWASP API security I didn't find any demo application which can showcase all/most of the top 10 exploit scenarios. So I personally feel it's good to have some API demo application with doc which can be taken as reference.

If any demo app is already available let me know so we can explore and dig more into it.

llegaz commented 1 year ago

https://github.com/OWASP/crAPI

janibashamd commented 1 year ago

Yes i have seen crAPI but faced issues in finding the solutions for some of those challenges. Even solution file has only some of them.

I have checked https://github.com/erev0s/VAmPI but it doesn't show which endpoint is part of which vulnerability.

If we can have demo application for next coming top 10 with good docs, challenges and solutions will be great for new users.

PauloASilva commented 1 year ago

Hi @janibashamd, Consider checking these resources:

I would also like to suggest you to search crAPI issues and if required open a new issue suggesting documentation improvements. Maybe you'll even find the time to help crAPI team to do that ;)

Cheers, Paulo A. Silva

ErezYalon commented 1 year ago

You can also check out c{api}tal which was created as a CTF for DEF CON. *For the purpose of full disclosure, this project was created by my employer.

Ankita28g commented 1 year ago

+1 here. I am also struggling to find a demo application with all API top 10 risks. We have seen all the above. Juiceshop is the best one we have been relying on. @bkimminich

bkimminich commented 1 year ago

Feel free to suggest concrete new challenges via https://github.com/juice-shop/juice-shop/issues/new?assignees=&labels=challenge&template=challenge-idea.md&title=%5B%E2%AD%90%5D+, I'd be happy to have more API challenges in Juice Shop. We do cover quite a lot already, though.