Pynt vs VAmPI

VAmPI (The Vulnerable API) is an intentionally vulnerable API designed to help security professionals and developers learn about API security risks. It simulates real-world API security flaws, including:

  • Broken Object Level Authorization (BOLA)

  • Broken User Authentication

  • Excessive Data Exposure

  • Security Misconfigurations

  • Injection Attacks

VAmPI provides a hands-on environment for practicing API security testing, exploiting vulnerabilities, and learning how to secure APIs effectively. It's useful for penetration testers, security engineers, and developers looking to improve their API security skills.

How to scan VAmPI with Pynt?

Step 1: Install VAmPI

First, set up VAmPI as described here: https://github.com/erev0s/VAmPI

Or just use the prebuilt Docker image:

docker run -p 5000:5000 erev0s/vampi:latest

Step 2: Download the below Postman collections

Step 3: Run the setup collection

The setup Postman collection will initialize VAmPI's database and add some users to it.

Option 1: Import "vampi setup.postman_collection.json" into your Postman workspace and run it

Option 2: Use Postman's CLI, newman:

newman run "vampi setup.postman_collection.json"

Step 4: Install Pynt CLI

If you don't have Pynt's CLI installed, install it using:

Linux:

python3 -m pip install pyntcli

Windows:

python -m pip install pyntcli

Step 5: Run the scan

Run Pynt with the VAmPI Postman collection:

pynt newman --collection VAmPI_Test.postman_collection.json

FAQ

Q: Why am I not seeing the same results when using the official VAmPI collection?

A: Deliberately vulnerable applications like VAmPI can sometimes be too broken to accurately represent real-world scenarios. For example, the official VAmPI collection sends unauthenticated requests to sensitive endpoints, such as debug and user details. Since these endpoints respond without authentication, Pynt’s analysis engine assumes the data is intentionally public and skips authorization testing (e.g., BOLA) for them.

This behavior is by design to avoid false positives on endpoints that appear to be publicly accessible.
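To see in advance which requests in your own collection would be treated this way, the following added Python check (not Pynt's engine or the project's code) walks a Postman v2.1 collection and lists every request sent without credentials. The collection below is constructed for the example, with paths modelled on the debug and user-details endpoints the FAQ mentions; the "no Authorization header and no auth block means public" rule is an assumption that approximates the behaviour described above.

```python
import json
from typing import Iterator, List

# Constructed sample collection (Postman v2.1 shape), not the real VAmPI one.
SAMPLE_COLLECTION = json.dumps({
    "info": {"name": "constructed sample"},
    "item": [
        {"name": "debug", "request": {"method": "GET", "header": [],
         "url": {"raw": "http://localhost:5000/users/v1/_debug"}}},
        {"name": "user details (no auth)", "request": {"method": "GET", "header": [],
         "url": {"raw": "http://localhost:5000/users/v1/name1"}}},
        {"name": "folder", "item": [  # folders nest further items
            {"name": "user details (auth)", "request": {"method": "GET",
             "header": [{"key": "Authorization", "value": "Bearer {{token}}"}],
             "url": {"raw": "http://localhost:5000/users/v1/name1"}}}]},
    ],
})


def _walk(items: list) -> Iterator[dict]:
    """Yield every request item, descending into folders."""
    for it in items:
        if "item" in it:
            yield from _walk(it["item"])
        elif "request" in it:
            yield it


def _has_credentials(req: dict) -> bool:
    """Assumed rule: an enabled Authorization header or an auth block counts."""
    headers = req.get("header") or []
    if any(h.get("key", "").lower() == "authorization"
           for h in headers if not h.get("disabled")):
        return True
    auth = req.get("auth")
    return bool(auth) and auth.get("type") != "noauth"


def unauthenticated_requests(collection_json: str) -> List[str]:
    """Return 'METHOD url' for each request that carries no credentials."""
    out = []
    for it in _walk(json.loads(collection_json).get("item", [])):
        req = it["request"]
        if isinstance(req, str):          # shorthand form: bare URL string
            out.append(f"GET {req}")
            continue
        url = req.get("url", "")
        raw = url if isinstance(url, str) else url.get("raw", "")
        if not _has_credentials(req):
            out.append(f"{req.get('method', 'GET')} {raw}")
    return out


if __name__ == "__main__":
    for line in unauthenticated_requests(SAMPLE_COLLECTION):
        print("sent without credentials; a scanner may treat as public:", line)
```

Inherited collection- or folder-level auth is deliberately ignored here; add that lookup if your collection relies on it.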
