Pynt vs VAmPI
VAmPI (The Vulnerable API) is an intentionally vulnerable API designed to help security professionals and developers learn about API security risks. It simulates real-world API security flaws, including:
Broken Object Level Authorization (BOLA)
Broken User Authentication
Excessive Data Exposure
Security Misconfigurations
Injection Attacks
VAmPI provides a hands-on environment for practicing API security testing, exploiting vulnerabilities, and learning how to secure APIs effectively. It's useful for penetration testers, security engineers, and developers looking to improve their API security skills.
How to scan VAmPI with Pynt?
Step 1: Install VAmPI
First, set up VAmPI as described in the project's README: https://github.com/erev0s/VAmPI
Or just use the prebuilt Docker image:
docker run -p 5000:5000 erev0s/vampi:latest
Give the container a moment to start; the setup collection in the next steps expects the API to be listening on port 5000 before it is run.
Step 2: Download the two Postman collections below (the setup collection "vampi setup.postman_collection.json" and the test collection "VAmPI_Test.postman_collection.json")
Step 3: Run the setup collection
The setup Postman collection initializes VAmPI's database and adds a few users to it, so the scan has accounts to work with.
Option 1: Import "vampi setup.postman_collection.json" into your Postman workspace and run it
Option 2: Use Postman's CLI, newman:
newman run "vampi setup.postman_collection.json"
Step 4: Install Pynt CLI
If you don't have Pynt's CLI installed, install it using:
Linux:
python3 -m pip install pyntcli
Windows:
python -m pip install pyntcli
Step 5: Run the scan
Run Pynt against the VAmPI test collection:
pynt newman --collection VAmPI_Test.postman_collection.json
FAQ
Q: Why am I not seeing the same results when using the official VAmPI collection?
A: Deliberately vulnerable applications like VAmPI can be too broken to represent real-world scenarios accurately. For example, the official VAmPI collection sends unauthenticated requests to sensitive endpoints, such as the debug endpoint and user details. Because those endpoints respond successfully without any credentials, Pynt's analysis engine has no authenticated baseline to compare against: it assumes the data is intentionally public and skips authorization tests (e.g., BOLA) for them.
This behavior is by design, to avoid false positives on endpoints that appear to be publicly accessible. Authorization tests are only meaningful where the API actually enforces authentication, which is why the collection you scan should exercise protected endpoints with valid credentials.
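The triage logic the FAQ describes, as an added example rather than Pynt's own engine or VAmPI's real code: each endpoint is first replayed with no credentials; if it answers 2xx it is classified as public and skipped, otherwise it is probed for BOLA by replaying the owner's request with a second user's token. The in-memory `fake_vampi` handler, its endpoint paths (`/users/v1/_debug`, `/users/v1/{username}`, `/books/v1/{title}`), the tokens and the user data are all constructed for this page and only loosely modelled on VAmPI; `hardened_vampi` adds the missing ownership check so you can see the probe go quiet.

```python
"""Pre-scan authorization triage: skip public endpoints, BOLA-probe protected ones.

Added example for this page. The fake API below is constructed and its paths,
tokens and records are assumptions; it is not VAmPI's or Pynt's code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for VAmPI's database after the setup collection has run.
USERS = {
    "alice": {"email": "alice@example.com", "password": "pass1"},
    "bob": {"email": "bob@example.com", "password": "pass2"},
}
BOOKS = {  # owner -> book; the secret is what a BOLA probe would leak
    "alice": {"title": "alice-book", "secret": "A-SECRET"},
    "bob": {"title": "bob-book", "secret": "B-SECRET"},
}
TOKENS = {"token-alice": "alice", "token-bob": "bob"}  # assumed bearer tokens


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    token: Optional[str] = None  # None means "send unauthenticated"


Response = Tuple[int, dict]
Sender = Callable[[Request], Response]


def fake_vampi(req: Request) -> Response:
    """Constructed vulnerable API: two public endpoints and one BOLA-prone one."""
    user = TOKENS.get(req.token) if req.token else None
    if req.method == "GET" and req.path == "/users/v1/_debug":
        return 200, {"users": USERS}  # debug endpoint: no auth check at all
    if req.method == "GET" and req.path.startswith("/users/v1/"):
        name = req.path.rsplit("/", 1)[1]
        if name in USERS:  # user details served without credentials
            return 200, {"username": name, "email": USERS[name]["email"]}
        return 404, {"message": "User not found"}
    if req.method == "GET" and req.path.startswith("/books/v1/"):
        if user is None:
            return 401, {"message": "Authentication required"}
        title = req.path.rsplit("/", 1)[1]
        for _owner, book in BOOKS.items():
            if book["title"] == title:  # BOLA: caller never compared with owner
                return 200, {"book_title": title, "secret": book["secret"]}
        return 404, {"message": "Book not found"}
    return 404, {"message": "Unknown route"}


def hardened_vampi(req: Request) -> Response:
    """Same API with the ownership check the vulnerable version lacks."""
    if req.method == "GET" and req.path.startswith("/books/v1/"):
        user = TOKENS.get(req.token) if req.token else None
        title = req.path.rsplit("/", 1)[1]
        owner = next((o for o, b in BOOKS.items() if b["title"] == title), None)
        if owner is not None and user != owner:
            return 403, {"message": "Forbidden"}
    return fake_vampi(req)


def classify(send: Sender, method: str, path: str, owner_token: str) -> str:
    """'public' if the endpoint answers 2xx with no credentials (skip it, as the
    FAQ explains), 'protected' if it only answers for the owner, else 'unreachable'."""
    status, _ = send(Request(method, path))
    if 200 <= status < 300:
        return "public"
    status, _ = send(Request(method, path, owner_token))
    return "protected" if 200 <= status < 300 else "unreachable"


def probe_bola(send: Sender, method: str, path: str,
               owner_token: str, other_token: str) -> bool:
    """True when a different authenticated user receives the owner's object."""
    _, owner_body = send(Request(method, path, owner_token))
    status, other_body = send(Request(method, path, other_token))
    return 200 <= status < 300 and other_body == owner_body


def triage(send: Sender, cases: List[Tuple[str, str, str, str]]) -> Dict[str, str]:
    """cases: (method, path, owner_token, other_user_token) -> path: verdict."""
    verdicts: Dict[str, str] = {}
    for method, path, owner, other in cases:
        kind = classify(send, method, path, owner)
        if kind != "protected":
            verdicts[path] = f"skipped ({kind})"
        elif probe_bola(send, method, path, owner, other):
            verdicts[path] = "BOLA"
        else:
            verdicts[path] = "ok"
    return verdicts


CASES = [
    ("GET", "/users/v1/_debug", "token-alice", "token-bob"),
    ("GET", "/users/v1/alice", "token-alice", "token-bob"),
    ("GET", "/books/v1/alice-book", "token-alice", "token-bob"),
]

if __name__ == "__main__":
    for name, api in (("vulnerable", fake_vampi), ("hardened", hardened_vampi)):
        print(name, triage(api, CASES))
```

Running it prints the same split the FAQ describes: the debug and user-details endpoints are skipped because they answer without credentials, while the book endpoint is reported as BOLA against the vulnerable handler and as ok against the hardened one. If a real collection drives protected endpoints unauthenticated, it never reaches the probe, which is the situation the FAQ is warning about.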