API Pen Testing


2024

API Application Pentesting

Somnath Narote
Table of Contents
Introduction
History
The Web Era
Modern API
What is API
Functionality of API
Benefits of API
Types of API
API Architecture
RESTful APIs
SOAP APIs
Different Architectural Types
API Penetration Testing
Testing Methods/Phases
Vulnerabilities
Tools
Best Practices
References
Lab Setup

1|Page
Introduction
The history of APIs (Application Programming Interfaces) traces back to the early days of
computing, evolving alongside the development of software systems and networks.

1. Early Days (1960s-1970s):
o APIs first emerged with the advent of time-sharing systems in the 1960s.
These systems allowed multiple users to run programs simultaneously on
large mainframe computers.
o Early APIs were primarily used to enable communication between different
software components within the same system.
2. Rise of the Web (1990s):
o With the rise of the Internet in the 1990s, APIs began to enable
communication between different systems over the web.
o In 2000, Salesforce introduced the first public API for its customer
relationship management (CRM) system, allowing third-party developers to
interact with its platform.
o Companies like eBay and Amazon launched web APIs not only to make products
and services available online but also to enable partners and third-party
resellers to extend the reach of their platforms.
3. The Web 2.0 Era (2000s):
o In the mid-2000s the API landscape shifted as companies realized that APIs
could share information with one another; Facebook's social media APIs, for
example, allowed developers to access a user's profile information.
o The 2000s saw the explosion of APIs with the rise of Web 2.0. Services like
Facebook, Google, and Twitter introduced APIs to enable third-party
developers to integrate their services into external applications.
o RESTful APIs became popular due to their simplicity and use of HTTP
methods (GET, POST, etc.), helping developers create lightweight and
scalable web services.
4. Mobile and Cloud Revolution (2010s):
o The mobile revolution, fueled by the rise of smartphones and mobile apps,
increased the demand for APIs, enabling apps to interact with backend
services and databases.
o Twilio launched its API as a product in 2007 which allowed developers to
make and receive phone calls from any cloud application.
o Cloud computing services like AWS (Amazon Web Services) and Microsoft
Azure further popularized APIs, making them a fundamental part of modern
cloud infrastructure, allowing apps to scale efficiently.

o Developers began using APIs to connect devices such as cameras, thermostats,
speakers, microphones and sensors to the cloud, so that products like Fitbit,
Nest, and Alexa can send and receive data, content, media and other digital
resources.
5. Modern API Economy (2020s and beyond):
o APIs are now at the core of modern digital ecosystems, supporting the "API
economy" where businesses offer APIs as products.
o Technologies like microservices, serverless computing, and GraphQL have
advanced API designs to be more flexible and efficient.

Today, APIs are crucial for integrating services, building applications, and enabling the
growth of the Internet of Things (IoT), AI, and automation platforms.

What is an API?
An API (Application Programming Interface) is a set of rules and protocols that
allows different software applications to communicate with each other. It defines the
methods and data formats that applications can use to interact, enabling them to request
and exchange information or services. Developers use APIs to bridge the gaps between
small, discrete chunks of code in order to create applications that are powerful, resilient,
secure, and able to meet user needs.

For example, when you use an app to check the weather, the app interacts with a remote
server via an API to get the latest weather data. The server responds with the requested
data in a format the app can understand (usually JSON or XML), and then the app displays
the information.

APIs are used in many ways:

• Web APIs allow communication between web servers and browsers (like REST APIs
or GraphQL).
• Library APIs let software access functions of libraries or frameworks.
• Operating System APIs give programs access to OS features like file systems or
network communications.

APIs can be public, allowing anyone to use them, or private, where they are restricted to
specific users or systems.

How do APIs work?
APIs work by sharing data between applications, systems, and devices. This happens
through a request and response cycle. The request is sent to the API, which retrieves the
data and returns it to the user. Here's a high-level overview of how that process works.

1. Request Initiation
The API client is responsible for starting the conversation by sending the request to the API,
asking for specific data or services. For instance, a user might initiate an API request by
entering a search term or clicking a button. API requests may also be triggered by external
events, such as a notification from another application.
An API request will look and behave differently depending on the type of API.
The differences between API types lie in their architectural style and protocol, that is,
in how requests are made and handled. A request will nonetheless typically include the
following components:
• Endpoint: An API endpoint is a dedicated URL that provides access to a specific
resource. For instance, the /articles endpoint in a blogging app would include the
logic for processing all requests that are related to articles.
• Method: The request's method indicates the type of operation the client would like to
perform on a given resource. REST APIs are accessible through standard HTTP
methods, which perform common actions like retrieving, creating, updating, and
deleting data.
• Parameters: Parameters are the variables that are passed to an API endpoint to
provide specific instructions for the API to process. These parameters can be included
in the API request as part of the URL, in the query string, or in the request body. For
example, the /articles endpoint of a blogging API might accept a “topic” parameter,
which it would use to access and return articles on a specific topic.
• Request headers: Request headers are key-value pairs that provide extra details
about the request, such as its content type or authentication credentials.
• Request body: The body is the main part of the request, and it includes the actual
data that is required to create, update, or delete a resource. For instance, if you were
creating a new article in a blogging app, the request body would likely include the
article's content, title, and author.

2. Processing the Request

The API client sends the request to the API server, which is responsible for routing the
request, authenticating it, validating input data, and executing the requested logic.
• Routing: The server routes the request to the appropriate part of the system, based
on the endpoint specified.
• Authentication and Authorization: The API checks whether the request is valid and
whether the client has the necessary permissions to access the requested data or
service.
• Fetching Data or Executing Logic: The server fetches the necessary data (e.g., from
a database) or performs the desired action (like triggering a function).

3. API Response
Once the request has been processed, the API server sends a response to the client.
• Status code: HTTP status codes are three-digit codes that indicate the outcome of an API
request. Some of the most common status codes include 200 OK, which indicates that the
server successfully returned the requested data, 201 Created, which indicates the server
successfully created a new resource, and 404 Not Found, which indicates that the server
could not find the requested resource.
• Response headers: HTTP response headers are very similar to request headers,
except they are used to provide additional information about the server's response.
• Response body: The response body includes the actual data or content the client
asked for—or an error message if something went wrong.

What are the benefits of APIs?
APIs offer improved efficiency, security, flexibility, and the ability to innovate while
integrating diverse systems and services. They are a core building block of modern
software and web development, enabling more dynamic, scalable, and interconnected
applications.

1. Automation and Efficiency

• Faster Development: APIs allow developers to leverage existing functionality rather
than building from scratch, which speeds up the development process. For instance,
instead of writing code to handle payment processing, developers can use a
payment gateway API like Stripe.
• Automated Workflows: APIs enable automation between different services, reducing
the need for manual intervention. For example, when a customer places an order,
APIs can automatically notify the shipping service, update inventory, and send
confirmation emails.

2. Interoperability

• Seamless Integration: APIs enable different software applications, even if they are
built on different platforms, to communicate and work together. For example, a
CRM system can integrate with an email marketing platform via an API, enabling
them to share customer data.
• Cross-Platform: APIs make it easy to develop systems that work across multiple
platforms, such as web, mobile, and desktop. The same API can be consumed by
different front-ends or devices (e.g., Android, iOS, or web apps).

3. Modularity and Flexibility

• Modular System Design: APIs promote modular design by separating different
components of a system. Each service or application can focus on its core function
while using APIs to communicate with other services, allowing for better
management and scalability.
• Easier Maintenance and Updates: APIs allow for individual components to be
updated or replaced without affecting the entire system. For instance, if a company
updates its payment system, the front-end that interacts with the payment system
via an API may not require any changes.

4. Scalability and Reusability

• Reusable Code: APIs allow developers to reuse code across multiple projects. For
example, an API developed for user authentication in one project can be reused in
other projects without any additional work.
• Scalability: APIs are designed to handle large-scale systems by distributing tasks
among different services. Cloud APIs, for example, allow applications to scale based
on user demand, efficiently handling workloads without impacting performance.

5. Security

• Controlled Access: APIs allow businesses to control who has access to their data
and services through authentication methods like API keys, OAuth tokens, or IP
restrictions. This ensures that only authorized users or systems can interact with
sensitive resources.
• Granular Permissions: APIs can provide different levels of access, allowing for more
fine-grained control. For example, certain users or systems may only have
permission to retrieve data (GET), while others may also modify or delete it (POST,
DELETE).

6. Innovation and Customization

• Innovation Enablement: APIs allow companies to open their services to third-party
developers, encouraging innovation and the creation of new apps or integrations.
For instance, many tech giants like Google, Facebook, and Twitter provide public
APIs, leading to a whole ecosystem of apps built around their services.
• Customization: APIs enable businesses to create custom solutions tailored to their
needs by integrating various third-party services and internal systems. For
example, a company might use APIs to customize its ecommerce platform by
integrating custom shipping, payment, and inventory management solutions.

7. Data Sharing and Access

• Real-Time Data Access: APIs allow applications to access real-time data, providing
up-to-date information to users or systems. For example, stock trading apps use
financial market APIs to display live prices.
• External Integration: APIs enable companies to share data and functionality with
external partners, improving collaboration and allowing for more powerful business
solutions. For instance, a travel website might use APIs to aggregate hotel, flight,
and car rental data from multiple providers in one place.

8. Cost Savings

• Lower Development Costs: By using APIs to access existing services and
functionality, businesses can reduce the time and cost of development. They don’t
need to build everything from scratch when APIs provide a ready-made solution.
• Optimized Resource Use: APIs allow businesses to offload certain tasks to external
systems (e.g., cloud services) through API integration, reducing infrastructure costs
and enabling better use of internal resources.

9. Improved User Experience

• Personalization: APIs can help create personalized experiences for users by
integrating with services that provide user-specific data, such as recommendation
engines, geolocation services, or social media.
• Faster Time-to-Market: Since APIs allow for quicker development and integration of
services, businesses can launch new features or products faster, improving the user
experience and staying competitive.

10. Ecosystem Creation

• Third-Party Developer Ecosystem: APIs allow businesses to create ecosystems by
enabling third-party developers to build on top of their services. For instance,
companies like Apple and Google have thriving app ecosystems because they offer
APIs for developers to integrate with their platforms.
• Partnership Opportunities: APIs allow businesses to easily partner with other
companies by integrating their services. For example, food delivery apps partner
with restaurants and payment services through APIs to provide a seamless customer
experience.

Examples of Popular APIs:

• Google Maps API: Allows websites and apps to embed maps and provide location-
based services.
• Stripe API: Used for handling payments in apps or websites.
• Twitter API: Enables access to tweets, user profiles, and social interactions.
• Spotify API: Allows developers to access music data, playlists, and control playback
in their apps.

What are the different types of APIs?
• Private APIs: Private APIs, also known as internal APIs, are used to connect different
software components within a single organization, and they are not available for
third-party use. For instance, a social media application might have a private API that
handles the login workflow, another private API that handles the feed, and yet
another private API that facilitates communication between users. Some applications
may include dozens or even hundreds of private APIs.
• Public APIs: Public APIs provide public access to an organization's data, functionality,
or services, which third-party developers can integrate into their own applications.
Some public APIs are available for free, while others are offered as billable products.
For instance, an e-commerce application may incorporate a public payment API, such
as Stripe, to handle payment processing without having to build that functionality
from scratch.
• Partner APIs: Partner APIs enable two or more companies to share data or
functionality in order to collaborate on a project. They are not available to the general
public and therefore leverage authentication mechanisms to ensure they are only
used by authorized partners.

API Architecture
API architecture outlines how the API is built, how it communicates with external systems, and how data
is transferred between the API and the requesting applications (clients). A well-defined API
architecture ensures that the API is scalable, secure, and easy to maintain.

API Endpoint: https://api.example.com/products

• GET: Retrieves a list of products.
• POST: Creates a new product (requires authentication).
• PUT: Updates an existing product (requires authentication).
• DELETE: Deletes a product (requires authentication).

Authentication: OAuth 2.0 is used to authenticate users making requests.

Rate Limiting: Users are limited to 100 requests per hour.

Caching: The API caches product data for 10 minutes to improve performance.

Logging: All API requests are logged to monitor performance and detect any issues.

API architecture serves as the blueprint for designing scalable, secure, and maintainable
APIs. By following key principles such as statelessness, clear versioning, error handling,
and security practices, an API can be a powerful tool for enabling communication between
various software systems.
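The request/response cycle from the "How do APIs work?" section and the controls listed for the https://api.example.com/products example (OAuth 2.0 tokens on the mutating methods, 100 requests per hour, a 10-minute cache, and request logging) fit into one small in-memory handler. The following is an added example written for this page; it is not code from the original document or from any referenced project. The bearer token, product data, function names and the dictionary standing in for OAuth 2.0 token validation are all constructed for illustration.

```python
import json
import logging
import time
from collections import defaultdict, deque

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("products-api")

RATE_LIMIT = 100      # requests per client per hour (page: 100 requests per hour)
RATE_WINDOW = 3600    # seconds
CACHE_TTL = 600       # seconds (page: product data cached for 10 minutes)

# Constructed stand-in for OAuth 2.0 token validation: bearer token -> client.
# A real deployment validates the token with the authorization server instead.
VALID_TOKENS = {"tok-alice-123": "alice"}

# Constructed sample data backing the /products resource.
PRODUCTS = {1: {"id": 1, "name": "Widget", "price": 9.99}}

_requests = defaultdict(deque)   # client -> timestamps of recent requests
_cache = {}                      # cache key -> (expires_at, payload)


def _client_id(headers):
    """Resolve the caller from an 'Authorization: Bearer <token>' header."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return VALID_TOKENS.get(auth[len("Bearer "):])
    return None


def _rate_limited(client, now):
    """Sliding-window limiter: True once the client has used its hourly budget."""
    window = _requests[client]
    while window and now - window[0] > RATE_WINDOW:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return True
    window.append(now)
    return False


def handle(method, path, headers=None, body=None, now=None):
    """Route one request to /products and return (status_code, response_dict)."""
    headers = headers or {}
    now = time.time() if now is None else now
    client = _client_id(headers)
    bucket = client or "anonymous"   # unauthenticated callers share one bucket
    log.info("%s %s client=%s", method, path, bucket)   # page: every request is logged

    if _rate_limited(bucket, now):
        return 429, {"error": "rate limit exceeded"}
    if path != "/products":
        return 404, {"error": "not found"}

    if method == "GET":
        expires_at, payload = _cache.get("products", (0, None))
        if payload is None or now >= expires_at:
            payload = list(PRODUCTS.values())
            _cache["products"] = (now + CACHE_TTL, payload)
        return 200, {"products": payload}

    # POST, PUT and DELETE change state, so they require an authenticated caller.
    if client is None:
        return 401, {"error": "authentication required"}

    data = json.loads(body) if body else {}
    if method == "POST":
        new_id = max(PRODUCTS, default=0) + 1
        PRODUCTS[new_id] = {"id": new_id, "name": data.get("name"), "price": data.get("price")}
        _cache.pop("products", None)   # a write invalidates the cached listing
        return 201, PRODUCTS[new_id]
    if method == "PUT":
        pid = data.get("id")
        if pid not in PRODUCTS:
            return 404, {"error": "no such product"}
        PRODUCTS[pid].update({k: v for k, v in data.items() if k in ("name", "price")})
        _cache.pop("products", None)
        return 200, PRODUCTS[pid]
    if method == "DELETE":
        pid = data.get("id")
        if PRODUCTS.pop(pid, None) is None:
            return 404, {"error": "no such product"}
        _cache.pop("products", None)
        return 200, {"deleted": pid}
    return 405, {"error": "method not allowed"}
```

The order of the checks is deliberate: the rate limiter runs before routing and authentication so that an unauthenticated flood still consumes a budget, and any write to the resource drops the cached listing so a cached GET never serves stale data for longer than one write.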

A RESTful API (Representational State Transfer) architecture is a design approach used to
build scalable, flexible, and easy-to-maintain web services. It follows a set of principles
and conventions that allow clients (like web browsers or mobile apps) to interact with
servers through simple HTTP requests.

1. REST Principles
REST is based on the following architectural constraints:
1. Statelessness: Each client request to the server must contain all the information
needed to understand and process the request. The server doesn’t store any client
session data between requests.
2. Client-Server Separation: The client and server are independent. The client only
knows the URI (Uniform Resource Identifier) of the requested resource, and the
server processes requests without knowing how the client will use the response.
3. Cacheability: Responses from the server can be cached to improve performance.
Responses must explicitly state whether they are cacheable or not.
4. Uniform Interface: RESTful APIs follow a consistent structure, using standard HTTP
methods (GET, POST, PUT, DELETE) and URIs to identify resources.
5. Layered System: The architecture is built in layers, with each layer responsible for
different aspects (e.g., authentication, data storage) without direct knowledge of the
layers beyond it.

SOAP (Simple Object Access Protocol) is a messaging protocol that enables programs to
communicate with each other over the internet using standardized XML messaging. SOAP
APIs follow a strict architectural approach for building and interacting with web services,
making them highly suitable for secure, transactional, and enterprise-level applications.

1. SOAP Principles
SOAP is based on the following architectural constraints:
1. XML-based Messaging Protocol: SOAP uses a strict structure for communication
between clients and servers.
2. Stateless or Stateful: SOAP can handle both stateful and stateless operations,
making it suitable for different types of applications.
3. Transport-Agnostic: SOAP can work over various protocols (HTTP, SMTP, etc.).

4. Built-in Security: WS-Security is a key feature for handling security, encryption, and
authentication.
5. Heavyweight: SOAP is more complex and resource-intensive compared to REST but
is ideal for environments that require high security and transaction integrity.

SOAP is most appropriate for use in complex, secure, and mission-critical applications
that require well-defined standards and consistent operation across multiple platforms.

What are the most common API architectural styles?
1. REST
As discussed above, REST is the most popular API architecture for transferring data over the
internet. In a RESTful context, resources are accessible via endpoints, and operations are
performed on those resources with standard HTTP methods such as GET, POST, PUT, and
DELETE.

2. SOAP
SOAP, which stands for Simple Object Access Protocol, uses XML to transfer highly
structured messages between a client and server. SOAP is often used in enterprise
environments or legacy systems, and while it includes advanced security features, it can be
slower than other API architectures.

3. GraphQL
GraphQL is an open source query language that enables clients to interact with a single API
endpoint to retrieve the exact data they need, without chaining multiple requests together.
This approach reduces the number of round trips between the client and server, which can
be useful for applications that may run on slow or unreliable network connections.

4. Webhooks
Webhooks are used to implement event-driven architectures, in which requests are
automatically sent in response to event-based triggers. For instance, when a specific event
occurs in an application, such as a payment being made, the application can send an HTTP
request to a pre-configured webhook URL with the relevant event data in the request
payload. The system that receives the webhook can then process the event and take the
appropriate action.

5. gRPC
RPC stands for Remote Procedure Call, and gRPC was originally developed by Google. In gRPC
architectures, a client can call a method on a server as if it were a local object, which makes
it easier for distributed applications and systems to communicate with one another.

6. MQTT
MQTT is a standards-based messaging protocol, or set of rules, used for machine-to-machine
communication. Smart sensors, wearables, and other Internet of Things (IoT) devices
typically have to transmit and receive data over a resource-constrained network with
limited bandwidth.

What is API Penetration Testing?
With the increasing reliance on APIs in modern applications, understanding and
performing API penetration testing is essential to safeguard sensitive data and prevent
unauthorized access.
API penetration testing is the process of simulating real-world attacks on APIs to identify
security weaknesses. The goal is to uncover vulnerabilities such as broken authentication,
lack of input validation, improper data handling, and other issues that can lead to data
breaches or unauthorized access. Penetration testers use various techniques to interact
with APIs and simulate attacks, such as sending crafted requests, bypassing
authentication, and exploiting API misconfigurations.

1. API Penetration Testing Phases
a. Information Gathering
This phase involves collecting as much information as possible about the API, its structure,
and its endpoints. Key activities include:

• Reviewing API Documentation: The first step is to obtain and review API
documentation (if available). This may include API specifications (e.g.,
OpenAPI/Swagger), authentication mechanisms, and endpoint descriptions.
• Endpoint Enumeration: Identifying all API endpoints by exploring the documentation
or using automated tools. This helps in discovering hidden or undocumented
endpoints.
• Technological Stack Analysis: Identifying the underlying technologies, such as
programming languages, frameworks, or cloud services, to better understand
potential attack vectors.

• Parameter Analysis: Analyzing how API parameters are used (e.g., query parameters,
headers, body data) and determining which parameters are sensitive or vulnerable.

b. Authentication and Authorization Testing
APIs often require authentication, and it is critical to ensure that these mechanisms are
robust. Key activities include:

• Authentication Bypass Testing: Testing if an attacker can bypass authentication
mechanisms (e.g., by modifying tokens or sending unauthenticated requests).
• Token Manipulation: Inspecting the security of tokens (e.g., JWT, OAuth) and testing
for vulnerabilities like weak token signing algorithms, token reuse, or insufficient
expiration.
• Authorization Testing: Ensuring that user privileges are enforced correctly and that
attackers cannot access data or functionality they are not authorized for. This
involves testing for Broken Object-Level Authorization (BOLA) and Insecure Direct
Object Reference (IDOR) vulnerabilities.
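The token-manipulation checks above (weak or unexpected signing algorithms, missing expiry, unverified signatures) correspond to concrete conditions a JWT validator has to enforce. The following validator is an added example written for this page using only the Python standard library; it is not code from the original document, from the JWT Tool mentioned later, or from any library. The secret, the claims and the `mint_hs256` helper that signs a demo token are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# The server, not the token, decides which algorithms are acceptable.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_hs256(claims, secret):
    """Constructed helper: build a signed HS256 token so the validator can be exercised."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token, secret, now=None):
    """Return (True, claims) for a valid token, otherwise (False, reason).

    Rejects 'alg: none' and any algorithm outside ALLOWED_ALGS, bad or missing
    signatures, and tokens whose 'exp' claim is absent or in the past.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable header or payload"
    if header.get("alg") not in ALLOWED_ALGS:
        return False, f"algorithm not allowed: {header.get('alg')!r}"
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    try:
        provided = _b64url_decode(sig_b64)
    except ValueError:
        return False, "undecodable signature"
    if not hmac.compare_digest(expected, provided):   # constant-time comparison
        return False, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing exp claim"
    if now >= exp:
        return False, "token expired"
    return True, claims
```

Two design points matter for the tests described above: the algorithm check happens before the signature is even looked at, so a header rewritten to `alg: none` with an empty signature fails on the allowlist rather than on a signature comparison, and the `exp` claim is mandatory rather than optional, which closes the "insufficient expiration" case.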

c. Input Validation and Injection Testing
APIs must validate all input data to prevent injection attacks, which can lead to
unauthorized code execution, data exposure, or service disruption. Key activities include:

• SQL Injection: Testing for SQL injection vulnerabilities by manipulating input
parameters that interact with the database.
• NoSQL Injection: Testing APIs that use NoSQL databases (e.g., MongoDB) for
injection flaws.
• Command Injection: Testing if attackers can inject operating system commands
through user input.
• Cross-Site Scripting (XSS): Testing for reflected and stored XSS vulnerabilities,
where user input is returned in the response without proper sanitization.
• Cross-Site Request Forgery (CSRF): Testing whether an API is vulnerable to CSRF,
where attackers trick users into executing unwanted actions.

d. Business Logic Testing
APIs often have complex business logic that attackers can exploit. Business logic
vulnerabilities occur when the API fails to enforce correct application behavior, allowing
attackers to manipulate legitimate functions to achieve unintended results.

• Testing for Workflow Manipulation: Checking if an attacker can disrupt business
processes by manipulating API requests.
• Mass Assignment Testing: Testing if the API allows the creation or modification of
unintended object properties by submitting extra parameters in requests.

• Rate Limiting and Throttling: Ensuring the API has mechanisms in place to prevent
abuse through excessive requests (rate limiting) and does not allow brute-force
attacks.
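The authorization tests in phase b (BOLA/IDOR) and the mass-assignment test in phase d are easiest to understand with the vulnerable handler next to its hardened form. The following is an added example written for this page, not code from the original document or from any project it references; the profile records, field names and the `Forbidden` exception are constructed for illustration.

```python
import copy

# Constructed sample data store: two users, each owning one profile record.
_SEED = {
    "u1": {"id": "u1", "email": "alice@example.test", "role": "user", "balance": 10},
    "u2": {"id": "u2", "email": "bob@example.test", "role": "user", "balance": 25},
}

# Fields a caller may set through the update endpoint. "role", "balance" and "id"
# are server-controlled and must never be taken from the request body.
WRITABLE_FIELDS = {"email"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the requested object."""


def fresh_store():
    """Return an independent copy of the seed data so each run starts clean."""
    return copy.deepcopy(_SEED)


# --- vulnerable handlers: the behaviour the authorization and business-logic
# --- phases above are probing for; kept deliberately broken for contrast

def get_profile_vulnerable(store, caller_id, profile_id):
    """BOLA/IDOR: trusts the object id from the request and ignores who is asking."""
    return store[profile_id]


def update_profile_vulnerable(store, caller_id, profile_id, payload):
    """Mass assignment: copies every submitted key onto the stored object."""
    store[profile_id].update(payload)
    return store[profile_id]


# --- hardened handlers

def get_profile(store, caller_id, profile_id):
    """Object-level authorization: a caller may only read their own record."""
    record = store.get(profile_id)
    if record is None or record["id"] != caller_id:
        # One response for 'missing' and 'not yours' avoids confirming which ids exist.
        raise Forbidden("not found or not authorized")
    return record


def update_profile(store, caller_id, profile_id, payload):
    """Allowlist writable fields and reject extras rather than silently dropping them."""
    record = get_profile(store, caller_id, profile_id)   # reuse the ownership check
    unexpected = set(payload) - WRITABLE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    record.update({k: payload[k] for k in WRITABLE_FIELDS if k in payload})
    return record
```

Rejecting unexpected fields with an error, rather than ignoring them, is a choice: it makes a mass-assignment probe visible in logs and in the tester's responses instead of failing silently.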

e. Testing for Data Exposure
APIs often handle sensitive data, so it is critical to ensure that data is adequately protected
at all times.

• Sensitive Data Exposure: Testing if sensitive information (e.g., credit card numbers,
PII, authentication tokens) is transmitted in cleartext or exposed in responses.
• Encryption Testing: Ensuring that data transmitted between the client and server is
encrypted using strong protocols (e.g., TLS 1.2 or higher).
• Data Leakage: Identifying if the API inadvertently discloses sensitive information
through error messages, debug information, or unfiltered responses.
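Checking responses for sensitive data and leakage is largely pattern work, and it can be scripted so that every captured response is scanned the same way. The following scanner is an added example written for this page, not code from the original document or from any tool it mentions; the field-name list, the regular expressions and the `SAMPLE_RESPONSE` it is run against are constructed for illustration, and the card number is the standard test value that happens to pass a Luhn check.

```python
import re

# Field names that should normally never appear in an API response body.
SENSITIVE_KEYS = re.compile(r"(password|passwd|secret|token|api[_-]?key|ssn|card)", re.I)
# Three base64url segments, the first starting with 'eyJ' (a JSON object), is the shape of a JWT.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
# 13 to 19 digits, optionally separated by spaces or dashes; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Fragments that indicate debug output or a stack trace leaking into a response.
TRACE_MARKERS = ("Traceback (most recent call last)", "Exception in thread", "\tat ", "stack trace")

# Constructed sample response with one finding of each kind.
SAMPLE_RESPONSE = {
    "user": {"id": 7, "email": "alice@example.test", "password_hash": "$2b$12$constructed"},
    "payment": {"card": "4111 1111 1111 1111", "expires": "12/29"},
    "session": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl",
    "error": "Traceback (most recent call last):\n  File \"/srv/api/app.py\", line 42",
}


def luhn_ok(digits):
    """Luhn checksum used to tell a real card-shaped number from a random digit run."""
    total, double = 0, False
    for d in reversed(digits):
        n = int(d)
        if double:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
        double = not double
    return total % 10 == 0


def find_sensitive(obj, path="$"):
    """Walk a decoded JSON response and return (json_path, finding) pairs."""
    findings = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEYS.search(str(key)):
                findings.append((child, f"sensitive field name {key!r}"))
            findings.extend(find_sensitive(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            findings.extend(find_sensitive(value, f"{path}[{i}]"))
    elif isinstance(obj, str):
        if JWT_RE.match(obj):
            findings.append((path, "JWT-like token in value"))
        for match in CARD_RE.finditer(obj):
            if luhn_ok(re.sub(r"[ -]", "", match.group())):
                findings.append((path, "card number passes Luhn check"))
        if any(marker in obj for marker in TRACE_MARKERS):
            findings.append((path, "stack trace / debug output"))
    return findings


if __name__ == "__main__":
    for json_path, finding in find_sensitive(SAMPLE_RESPONSE):
        print(f"{json_path}: {finding}")
```

The JSON path in each finding is what goes into the report's technical details, since it tells the developer exactly which field to remove or mask; the same function can be run over error responses to catch the debug information the "Data Leakage" item describes.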

f. Security Misconfiguration Testing
Misconfigurations in the API, server, or underlying infrastructure can create significant
security risks. Key activities include:

• CORS Misconfiguration: Testing if Cross-Origin Resource Sharing (CORS) is
configured securely to prevent unauthorized access to resources from third-party
domains.
• HTTP Method Testing: Ensuring that the API correctly restricts HTTP methods (e.g.,
GET, POST, PUT) and does not expose sensitive operations.
• API Versioning: Testing whether old or deprecated API versions are still accessible
and could be targeted by attackers.
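For the CORS item above, the weak configuration and the corrected one differ in a few lines, and a tester's verdict can be expressed as a function of the request Origin and the response headers. The following is an added example written for this page, not code from the original document or from any project it references; the allowlist, the probe origin and the `assess_cors` classifier are constructed for illustration.

```python
# Constructed allowlist of origins that are permitted to call this API from a browser.
ALLOWED_ORIGINS = {"https://app.example.test"}


def cors_headers_weak(origin):
    """Weak setting: reflect whatever Origin arrives and allow credentials with it."""
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Corrected setting: exact-match allowlist; no CORS headers for anything else."""
    if origin in allowed:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",   # keep caches from serving one origin's answer to another
        }
    return {}


def assess_cors(probe_origin, response_headers, allowed=ALLOWED_ORIGINS):
    """Classify the response to a request that carried a tester-chosen Origin."""
    issues = []
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return issues   # no cross-origin access granted at all
    if acao == "*" and creds:
        # Browsers refuse this combination, but it still signals a misconfigured server.
        issues.append("wildcard origin with credentials")
    if acao == "null":
        issues.append("'null' origin allowed")
    elif acao == probe_origin and probe_origin not in allowed:
        issues.append("arbitrary origin reflected" + (" with credentials" if creds else ""))
    return issues
```

The `Vary: Origin` header in the corrected form is easy to forget: without it an intermediate cache may store the response for one allowed origin and replay its `Access-Control-Allow-Origin` to a different caller.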

g. Testing for Denial of Service (DoS)
Testing for DoS vulnerabilities ensures that attackers cannot overwhelm the API by sending
a flood of requests or by exploiting vulnerabilities in how the API processes data.

• Rate Limiting: Testing whether the API implements rate limiting to prevent abuse
through a large number of requests.
• Payload Size: Testing if large payloads can cause the API server to crash or degrade
performance.
• Resource Exhaustion: Testing if the API is vulnerable to resource exhaustion, such
as memory or CPU overload, through repeated requests.
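The payload-size and resource-exhaustion items above are usually addressed before the request body ever reaches the JSON parser: cap the byte count and cap the nesting depth, because a deeply nested document can exhaust the parser's recursion budget even when it is small. The following is an added example written for this page, not code from the original document or from any framework; the limits and the sample bodies are constructed for illustration.

```python
import json

MAX_BODY_BYTES = 64 * 1024   # constructed limit for this example
MAX_DEPTH = 20               # constructed limit; real APIs rarely need more than a few levels


def json_depth(text):
    """Maximum bracket nesting depth, ignoring brackets that appear inside string literals."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def accept_payload(raw, max_bytes=MAX_BODY_BYTES, max_depth=MAX_DEPTH):
    """Return (status, parsed_body_or_reason).

    413 for an oversized body, 400 for bad encoding, excessive nesting or invalid JSON,
    200 with the decoded object otherwise. Size and depth are checked with linear scans
    before json.loads runs, so the expensive step only sees bounded input.
    """
    if len(raw) > max_bytes:
        return 413, "payload too large"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return 400, "body is not valid UTF-8"
    if json_depth(text) > max_depth:
        return 400, "nesting too deep"
    try:
        return 200, json.loads(text)
    except ValueError:
        return 400, "invalid JSON"
```

Checking the declared Content-Length is not enough on its own: a server should also stop reading the stream once the limit is reached, which is what the `len(raw)` check stands in for here.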

h. Post-Testing and Reporting
Once testing is completed, a detailed report should be generated that outlines all findings,
including vulnerabilities, exploitation methods, and remediation recommendations. The
report typically includes:

• Executive Summary: A high-level overview of the findings, suitable for non-technical
stakeholders.
• Technical Details: A detailed explanation of each vulnerability, along with evidence
(screenshots, request/response examples) and the potential impact.
• Remediation Recommendations: Suggestions for fixing the vulnerabilities,
prioritized based on risk level.
• Re-Test Results: After remediation, a re-test may be conducted to ensure that
vulnerabilities have been successfully patched.

2. Common Vulnerabilities Found in API Penetration Testing
• Broken Object-Level Authorization (BOLA): Attackers can access or modify
resources (e.g., user data) they shouldn’t be authorized for.
• Mass Assignment: Attackers send extra parameters in requests, modifying
properties they shouldn’t be allowed to.
• Rate Limiting Bypass: Lack of rate limiting allows attackers to perform brute-force
attacks or overwhelm the API.
• Insecure Authentication and Token Management: Weak or improperly implemented
authentication and token mechanisms allow unauthorized access.
• Lack of Input Validation: APIs that fail to validate user input are vulnerable to
injection attacks, including SQL and NoSQL injection.

3. Tools for API Penetration Testing
• Postman: Widely used for API testing, allows you to send requests and analyze
responses.
• Burp Suite: A powerful tool for manual and automated API security testing,
particularly useful for intercepting and modifying API traffic.
• OWASP ZAP: Open-source tool that helps with automated vulnerability scanning of
APIs.
• SoapUI: Primarily used for testing SOAP APIs but can also be used for RESTful
services.
• JWT Tool: A specialized tool for testing JWT (JSON Web Token) vulnerabilities.

4. Best Practices for API Security
• Input Validation: Always validate input on both the client and server side.
• Use HTTPS: Ensure all communication between clients and APIs is encrypted.

• Token-Based Authentication: Use secure token-based mechanisms (JWT, OAuth) for
authentication.
• Rate Limiting: Implement rate limiting to prevent abuse.
• Regular Security Testing: Periodically conduct security assessments to identify and
fix vulnerabilities before they are exploited.
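As an added example (not code from the original document or from VAmPI), a minimal in-memory stand-in for an API's PUT /users/<id> handler that shows three of the weaknesses from section 2 (BOLA, mass assignment, missing rate limiting) beside the hardened version that applies the practices from section 4. The users, tokens and limit values are constructed for the example.

```python
import time

# Constructed sample data: two ordinary users and their bearer tokens.
USERS = {1: {"username": "alice", "email": "alice@example.test", "is_admin": False},
         2: {"username": "bob", "email": "bob@example.test", "is_admin": False}}
TOKENS = {"tok-alice": 1, "tok-bob": 2}     # bearer token -> user id
UPDATABLE_FIELDS = {"username", "email"}     # allow-list for PUT /users/<id> bodies
RATE_LIMIT, WINDOW = 5, 60                   # requests per token per window (seconds)
_hits = {}                                   # token -> (window_start, count)


def vulnerable_update(token, user_id, body):
    """Before: checks that the token exists but not whose record is being changed
    (BOLA) and copies every supplied field onto the object (mass assignment)."""
    if token not in TOKENS:
        return 401, {"error": "unauthenticated"}
    if user_id not in USERS:
        return 404, {"error": "no such user"}
    USERS[user_id].update(body)
    return 200, USERS[user_id]


def hardened_update(token, user_id, body, now=None):
    """After: rate limit, then object-level authorization, then a field allow-list."""
    now = time.time() if now is None else now
    caller = TOKENS.get(token)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    # Rate limiting: fixed window per token, checked before any other work.
    start, count = _hits.get(token, (now, 0))
    if now - start >= WINDOW:                # window expired: start a new one
        start, count = now, 0
    if count >= RATE_LIMIT:
        return 429, {"error": "rate limited"}
    _hits[token] = (start, count + 1)
    # Object-level authorization: a caller may only change their own record.
    if caller != user_id:
        return 403, {"error": "forbidden"}
    if user_id not in USERS:
        return 404, {"error": "no such user"}
    # Mass assignment: reject any field outside the allow-list instead of
    # silently applying it, so is_admin stays server-controlled.
    unknown = set(body) - UPDATABLE_FIELDS
    if unknown:
        return 400, {"error": "unexpected fields", "fields": sorted(unknown)}
    USERS[user_id].update(body)
    return 200, USERS[user_id]
```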

References:
Functionality of API
• Postman - https://www.postman.com/what-is-an-api/
API Architecture
• HubSpot Blog - https://blog.hubspot.com/website/api-architecture
API Pentesting
• Practical DevSecOps - https://www.practical-devsecops.com/api-penetration-testing/
• Medium Blog - https://medium.com/@muhammad22/api-penetration-testing-api-pentesting-c45d7e8b85cc
VAmPI Lab Setup
• GitHub - https://github.com/erev0s/VAmPI

Lab Setup
We will be using Kali Linux as our operating system, with tools such as Postman and Burp Suite. You
may use any operating system you like, but the tools and techniques in this tutorial are
demonstrated on Kali.

Vulnerable API lab (VAmPI):

Download Links - https://github.com/erev0s/VAmPI

Installation Steps:

1. Search "VAmPI github" on Google and click the first VAmPI GitHub link to open it.

URL: https://github.com/erev0s/VAmPI.git

Copy this URL; you will use it to clone the repository.

Steps:

Install a Hypervisor
A hypervisor runs virtual machines, which lets you use another operating system on top of the
OS currently installed on your system.
Download and install VMware Workstation Player from the link below (the URL is the Windows download):

URL: https://www.vmware.com/go/getplayer-win
Once installed, you will see a UI like this:

Install Kali Linux

Download and install the Kali VMware image.

URL: https://www.kali.org/get-kali/#kali-virtual-machines
Kali Linux is an open-source, Debian-based Linux distribution used for a range of information
security tasks such as penetration testing, computer forensics, security research and
reverse engineering.
Kali Linux is also used for ethical hacking and network security assessments.

To clone the VAmPI lab, run the following command as the root user:

cmd: # git clone https://github.com/erev0s/VAmPI.git

Once the vulnerable API (VAmPI) repository is cloned, a few more steps are needed to
complete the lab setup.

First, install the requirements from inside the VAmPI folder:

cmd: # pip install -r requirements.txt

Once the installation is done, start the lab with Python:

cmd: # python3 app.py

As soon as we press Enter we get the URL for the Kali machine as well as for the Windows
machine.

To verify that the lab setup is complete, copy the URL and open it in a browser.

We have verified the URL; now we can configure it in the web application in a browser.

POSTMAN

Postman is an API platform for building and using APIs. With the help of Postman we can also
pentest APIs and confirm that an API is working as expected.

From the VAmPI lab, copy the code below.

Once it is copied into Notepad, replace

{{baseurl}} → API URL (http://10.0.2.15:5000)

and save it in JSON file format.

We can import this file into Postman to test the API URL.
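The {{baseurl}} replacement described above, done as a script instead of by hand, as an added example (not from the original document or from the VAmPI project). The collection below is a constructed Postman v2.1 sample in the shape such an export takes; its two endpoint names are illustrative, and the lab URL is the one used on this page.

```python
import json
import sys

# Constructed Postman v2.1 collection; endpoint names are illustrative only.
SAMPLE_COLLECTION = {
    "info": {"name": "VAmPI (constructed sample)",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "item": [
        {"name": "Initialise database", "request": {"method": "GET", "url": {
            "raw": "{{baseurl}}/createdb", "host": ["{{baseurl}}"], "path": ["createdb"]}}},
        {"name": "List users", "request": {"method": "GET", "url": {
            "raw": "{{baseurl}}/users/v1", "host": ["{{baseurl}}"], "path": ["users", "v1"]}}},
    ],
}
PLACEHOLDER = "{{baseurl}}"


def _walk(node, base_url):
    """Return (copy of node, replacements made), replacing the placeholder in every string."""
    if isinstance(node, str):
        return node.replace(PLACEHOLDER, base_url), node.count(PLACEHOLDER)
    if isinstance(node, list):
        parts = [_walk(v, base_url) for v in node]
        return [p[0] for p in parts], sum(p[1] for p in parts)
    if isinstance(node, dict):
        parts = {k: _walk(v, base_url) for k, v in node.items()}
        return {k: p[0] for k, p in parts.items()}, sum(p[1] for p in parts.values())
    return node, 0                 # numbers, booleans, null: nothing to replace


def fill_base_url(collection, base_url):
    """Substitute the lab URL for {{baseurl}} without modifying the original dict.
    A trailing slash is dropped so '{{baseurl}}/users/v1' does not become '...//users/v1'."""
    if not base_url.startswith(("http://", "https://")):
        raise ValueError("base URL must include the scheme, e.g. http://10.0.2.15:5000")
    return _walk(collection, base_url.rstrip("/"))


if __name__ == "__main__":   # usage: python fill_baseurl.py in.json out.json http://10.0.2.15:5000
    with open(sys.argv[1]) as fh:
        filled, n = fill_base_url(json.load(fh), sys.argv[3])
    with open(sys.argv[2], "w") as fh:
        json.dump(filled, fh, indent=2)
    print(f"replaced {n} occurrence(s) of {PLACEHOLDER}")
```

Import the written file into Postman exactly as the page describes; a non-zero replacement count confirms the placeholder was actually present in the export.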

Once the VAmPI collection is imported into Postman, we can verify the URL by running
any request listed on the right-hand side.

This is how we test an API in Postman.

Now, to capture the request in Burp Suite, we have to enable the custom proxy setting in
Postman with the details below. If this is disabled the request will be sent

Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications,
vulnerability scanning and penetration testing. It supports the entire testing process, from
initial mapping and analysis of an application's attack surface through to finding and
exploiting security vulnerabilities.
This is what the UI looks like:

In Burp Suite, turn Intercept on; the request will then be captured.

In this way every API call or request will be captured in Burp Suite and Postman to perform
vulnerability scanning and penetration testing for web application security.
