VAmPI (The Vulnerable API) is an intentionally vulnerable API designed to help security professionals and developers learn about API security risks. It simulates real-world API security flaws, including:
Broken Object Level Authorization (BOLA)
Broken User Authentication
Excessive Data Exposure
Security Misconfigurations
Injection Attacks
VAmPI provides a hands-on environment for practicing API security testing, exploiting vulnerabilities, and learning how to secure APIs effectively. It's useful for penetration testers, security engineers, and developers looking to improve their API security skills.
First we will need to setup VAmPI as described here: https://github.com/erev0s/VAmPI
Or just use prebuilt docker images:
docker run -p 5000:5000 erev0s/vampi:latestThe setup postman collection will initialize VAmPI's database and add some users to it
Option 1: Import the "vampi setup.postman_collection.json" to your postman workspace and run it
Option 2: Use postman's CLI "newman"
If you don't have Pynt's CLI installed, install it using:
Linux:
python3 -m pip install pyntcli
Windows:
python -m pip install pyntcli
Run Pynt with VAmPI postman collection:
Q: Why am I not seeing the same results when using the official VAmPI collection?
A: Deliberately vulnerable applications like VAmPI can sometimes be too broken to accurately represent real-world scenarios. For example, the official VAmPI collection sends unauthenticated requests to sensitive endpoints, such as debug and user details. Since these endpoints respond without authentication, Pynt’s analysis engine assumes the data is intentionally public and skips authorization testing (e.g., BOLA) for them.
This behavior is by design to avoid false positives on endpoints that appear to be publicly accessible.
Last updated
newman run "vampi setup.postman_collection.json"pynt newman --collection VAmPI_Test.postman_collection.json