Dvapi SRS
Specification
April 2023
3 System Requirements
3.1 Hardware Requirements
3.2 Software Requirements
4 Non-functional Requirements
Appendix A: Glossary
1. INTRODUCTION
The Damn Vulnerable API (DVAPI) project is an initiative aimed at providing a practical and
hands-on learning platform for API security testing. The project's primary objective is to
create a deliberately vulnerable RESTful API that simulates real-world scenarios where APIs
are vulnerable to attacks. The DVAPI project is open-source, allowing users to download and
run it locally for testing and learning purposes. The project includes multiple API endpoints
that are intentionally designed with various security flaws such as SQL injection, cross-site
scripting, broken authentication and authorization, and many more.
Benefits:
The DVAPI project provides a wide range of benefits to security enthusiasts, software
developers, and penetration testers. By using DVAPI, users can gain practical knowledge and
hands-on experience in identifying, exploiting, and mitigating common API security
vulnerabilities. The project's focus on RESTful APIs, a crucial component of modern
software systems, helps users understand the security implications of these APIs.
Services:
The DVAPI project provides several services to users, including:
Realistic and Practical Learning Platform: The project simulates real-world scenarios where
APIs are vulnerable to attacks, providing a realistic and practical learning environment for
API security testing.
Open-source Platform: The project is open-source, allowing users to download and run it
locally for testing and learning purposes.
Multiple API Endpoints: The project includes multiple API endpoints that are intentionally
designed with various security flaws such as SQL injection, cross-site scripting, broken
authentication and authorization, and many more.
Guidance and Documentation: The project provides guidance and documentation on the
vulnerabilities and how to exploit them, making it an excellent resource for beginners and
advanced users alike.
Hands-on Experience: By using DVAPI, users can gain practical knowledge and hands-on
experience in identifying, exploiting, and mitigating common API security vulnerabilities.
The DVAPI project aims to provide a web-based platform for individuals to learn about API
security vulnerabilities and best practices to prevent cyberattacks. The project offers practical
challenges and simulations to teach users about common API security issues and improve
their skills. The purpose of this project is to promote awareness of API security and provide a
safe and engaging environment for users to learn and practice their skills.
This project targets individuals interested in learning about API security vulnerabilities and
best practices, such as developers, security professionals, and students. Through practical
challenges and simulations, the project offers a safe and engaging learning environment to
reduce the risk of data breaches and improve overall security posture.
The project scope for the API security training platform includes the development of a web-
based application that provides a series of practical challenges and simulations designed to
teach users about API security vulnerabilities and best practices for prevention. The platform
will focus on a variety of common API security issues such as authentication and
authorization and injection attacks. The challenges and simulations will be interactive and
will require users to apply their knowledge to identify and exploit vulnerabilities or prevent
attacks. The platform will also provide guidance to users to help them learn and improve their
skills. The project will involve designing and implementing the web application, creating
challenges and simulations, and testing and refining the platform to ensure its effectiveness
and usability. The project scope does not include the development of a comprehensive API
security testing tool.
2. PROJECT DESCRIPTION
2.1 Methodology
1. User Access to Welcome Page: The user will access the welcome page of the DVAPI
web application, which serves as the entry point for the application. This page
provides an overview of the DVAPI web application and its purpose.
2. Navigation to Challenges Section: Once the user is familiar with the DVAPI web
application, they can navigate to the challenges section. This section contains all the
challenges available for the user to attempt. It may include a list or grid of challenges,
categorized based on their difficulty level or type of vulnerability.
3. Accessing Challenge Page: When the user selects a specific challenge, they will be
navigated to the challenge page. This page provides details about the specific
vulnerability being targeted in the challenge, including a description of the
vulnerability, instructions on how to proceed, and options for flag submission. If the
user is stuck, a write-up may also be available, providing additional guidance.
4. Challenge Navigation: After reviewing the challenge details, the user can click on the
challenge navigation button to proceed to the challenge playground. This is the area
where the user will interact with the DVAPI web application and attempt to exploit
the vulnerability to acquire the flag. The challenge playground may provide a
simulated environment or scenario where the user can perform appropriate steps to
exploit the vulnerability.
5. Flag Submission: Once the user believes they have successfully exploited the
vulnerability and acquired the flag, they can submit the flag through the provided flag
submission mechanism. This may involve submitting a code, text, or other form of
proof that indicates the successful completion of the challenge.
6. Challenge Write-up: If the user is unable to solve the challenge, they may refer to the
challenge write-up, which provides a step-by-step guide or hints on how to proceed.
The write-up may contain technical details, code snippets, or other technical
information to help the user understand the vulnerability and how to exploit it.
2.2 Endpoints/Vulnerabilities
Strengths:
Unique project: The DVAPI project provides a unique learning opportunity for
developers to understand and practice the vulnerabilities associated with APIs. There
are very few similar resources available online.
Engaging and interactive: The project provides a practical playground for developers
to try and exploit the vulnerabilities, making it an engaging and interactive
experience.
Increased awareness: The project can help raise awareness among developers and
organizations about the importance of securing their APIs, which can ultimately lead
to a safer digital environment.
Weaknesses:
Limited scope: The project only covers a limited number of vulnerabilities and does
not provide an exhaustive list of all possible API vulnerabilities.
May encourage unethical behavior: The project may encourage individuals to use the
knowledge gained for unethical purposes, such as hacking or exploiting real-world
APIs.
Limited resources: The project may require significant resources to maintain and
update regularly, which may be a challenge for individuals or organizations with
limited resources.
Opportunities:
Collaboration: The project can create opportunities for collaboration between
developers and organizations to develop more secure APIs and improve overall API
security.
Expansion: The project can be expanded to include additional vulnerabilities and
more advanced challenges, making it a more comprehensive resource for developers.
Potential revenue stream: The project can potentially generate revenue through
offering additional features or services such as certification or training.
Threats:
Security concerns: As the project involves demonstrating and exploiting
vulnerabilities, there is a risk of attackers using the same knowledge to exploit real-
world APIs.
Legal issues: The project may face legal issues related to hacking or unauthorized
access to computer systems, which may lead to legal challenges or lawsuits.
Competition: The project may face competition from similar resources that provide
similar training or educational opportunities for developers.
2.4 Project Features
1. Time Constraints: The project needs to be completed within a certain timeframe, and
this may limit the extent to which features can be added and tested.
2. Budget Constraints: The resources available for the development and deployment of
the project may be limited, which could affect the quality and extent of the features
that can be implemented.
3. Technical Constraints: The technologies and tools used for the development of the
project may be limited by their compatibility, availability, and scalability.
4. Security Constraints: As the project involves creating and demonstrating
vulnerabilities in the API, there must be adequate measures in place to ensure that
these vulnerabilities are not exploited by malicious actors.
5. User Constraints: The project should be user-friendly and accessible to a wide range
of users, including those with limited technical expertise.
6. Compatibility Constraints: The project should be compatible with different platforms,
browsers, and devices to ensure maximum usability and accessibility.
The DVAPI website contains a section for each vulnerability, consisting of a description, a
challenge and a solution tab. When the user opens the challenge and sends any request
(GET/POST), the request is forwarded to the remotely hosted API server, which returns the
appropriate response for the respective endpoint. The user has to find a flag in this
challenge and submit it in the vulnerability section.
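A minimal server-side flag-submission check for the flow described above (step 5 of the methodology and the paragraph here), written as an added example; it is not DVAPI's own code and assumes a Python backend, a constructed challenge registry and made-up sample flags.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def flag_hash(flag: str) -> str:
    """Store only a hash of each flag so a leaked registry does not reveal the flags."""
    return hashlib.sha256(flag.strip().encode()).hexdigest()


# Constructed registry: challenge id -> hash of the expected flag.
# The ids and flag values are made up for this example, not DVAPI's real ones.
CHALLENGES = {
    "sqli-1": flag_hash("DVAPI{sample_sqli_flag}"),
    "auth-1": flag_hash("DVAPI{sample_auth_flag}"),
}


@dataclass
class SubmissionState:
    """Per-user solved set plus an attempt counter used for rate limiting."""
    solved: dict = field(default_factory=dict)    # user -> set of challenge ids
    attempts: dict = field(default_factory=dict)  # (user, challenge id) -> count
    max_attempts: int = 10


def submit_flag(state: SubmissionState, user: str, challenge_id: str, flag: str) -> str:
    """Return 'correct', 'incorrect', 'unknown_challenge' or 'rate_limited'."""
    expected = CHALLENGES.get(challenge_id)
    if expected is None:
        return "unknown_challenge"
    key = (user, challenge_id)
    state.attempts[key] = state.attempts.get(key, 0) + 1
    if state.attempts[key] > state.max_attempts:
        # Guessing flags through the submit form is cut off after max_attempts tries.
        return "rate_limited"
    # Compare hashes in constant time so response timing does not leak a matching prefix.
    if hmac.compare_digest(flag_hash(flag), expected):
        state.solved.setdefault(user, set()).add(challenge_id)
        return "correct"
    return "incorrect"
```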
3. SYSTEM REQUIREMENTS
3.1 Hardware Requirements
The hardware requirements are a computer or server with sufficient processing power,
memory, and storage capacity to run the API and its associated software components.
Depending on the size and complexity of the API and the expected traffic load, the hardware
requirements may vary. Generally, a modern computer with a multi-core processor, at least
8 GB of RAM, and adequate storage capacity is sufficient for most small to medium-sized
APIs. For larger APIs or those with high traffic loads, additional processing power, memory,
and storage capacity may be required.
4. NON-FUNCTIONAL REQUIREMENTS
1. Usability: This refers to the ease of use and understandability of the system. It
involves ensuring that the system is intuitive and requires minimal training for users
to be able to use it effectively.
2. Reliability: This refers to the ability of the system to perform its functions
consistently and reliably over a given period of time. It involves ensuring that the
system can handle errors and recover from them quickly without causing any data loss
or system downtime.
3. Performance: This refers to the speed and efficiency of the system when processing
requests or performing tasks. It involves ensuring that the system can handle a large
number of requests and data processing without any significant lag or delay.
4. Security: This refers to the protection of the system and its data from unauthorized
access, modification, or destruction. It involves implementing measures such as
authentication, authorization, encryption, and access control to ensure that the system
and its data are secure.
5. Scalability: This refers to the ability of the system to handle an increasing amount of
load or traffic without a significant decrease in performance or reliability. It involves
designing the system in such a way that it can be easily scaled up or down as per the
changing requirements.
6. Maintainability: This refers to the ease with which the system can be maintained and
modified over its entire lifespan. It involves designing the system in such a way that it
can be easily updated, debugged, and modified without disrupting its functionality or
causing any errors.
7. Portability: This refers to the ability of the system to be deployed and run on different
platforms or environments without any significant modifications. It involves ensuring
that the system is compatible with different operating systems, programming
languages, and hardware configurations.
APPENDIX A: GLOSSARY
1. API: Application Programming Interface. A set of protocols, routines, and tools for
building software applications that define how software components should interact.
2. Authentication: The process of verifying the identity of a user or system.
3. Authorization: The process of granting or denying access to a resource based on the
identity of the user or system.
4. Endpoint: A URL that is used to access a particular function or service in an API.
5. Rate Limiting: A technique used to limit the number of requests that can be made to
an API within a certain time period.
6. REST: Representational State Transfer. A set of architectural principles used to build
web services that are scalable, flexible, and easy to maintain.
7. RESTful API: A type of API that adheres to the principles of Representational State
Transfer (REST), using HTTP requests to retrieve and manipulate data.
8. SQL Injection: A type of security exploit in which an attacker injects malicious SQL
code into a database query, allowing them to access or modify data without
authorization.
9. SSL/TLS: Secure Sockets Layer/Transport Layer Security. A protocol used to
establish secure communication channels over the internet.
10. HTTP: Hypertext Transfer Protocol, used for communication between client and
server.
11. HTTPS: HTTP Secure, a protocol for secure communication over the internet.