Dvapi SRS

The document provides details about the DVAPI project, which aims to create a deliberately vulnerable RESTful API for testing and learning about API security. The project includes multiple endpoints designed with vulnerabilities like SQL injection and XSS. It provides a realistic learning environment where users can identify, exploit, and mitigate API vulnerabilities. The project methodology involves users accessing challenges on vulnerabilities and attempting to exploit them to acquire flags. It aims to promote awareness of API security issues.

Software Requirements

Specification
For

DVAPI: A Damn Vulnerable Web API Application

Prepared by

Specialization                   Enroll. No.    SAP ID       Name
Sem-6, B.Tech. CSE (CSF B-3)     R2142201446    500084940    Purujeet Singh
Sem-6, B.Tech. CSE (CSF B-3)     R2142201439    500084879    Vaibhav Tomar

School Of Computer Science


UNIVERSITY OF PETROLEUM & ENERGY STUDIES,
Dehradun- 248007. Uttarakhand

April 2023

Prof. Keshav Kaushik                      Dr. Neelu Jyoti Ahuja
Assistant Professor (SS),                 Professor & Head,
School of Computer Science                Systemics Cluster
Project Mentor                            Cluster Head
Table of Contents
Topic                                              Page No.
1 Introduction 1
1.1 Purpose of the Project 2
1.2 Target Beneficiary 2
1.3 Project Scope 2
2 Project Description 3
2.1 Methodology 3
2.2 Endpoints/Vulnerabilities 4
2.3 SWOT Analysis 4-5
2.4 Project Features 6
2.5 Design and Implementation Constraints 6-7
2.6 Design diagrams 7

3 System Requirements 8
3.1 Hardware Requirements 8
3.2 Software Requirements 8

4 Non-functional Requirements 9

4.1 Security Requirements 9


4.2 Development Environment 9
4.3 Software Quality Attributes 9-10

Appendix A: Glossary 11
Key Bibliography 12
1. INTRODUCTION

The Damn Vulnerable API (DVAPI) project is an initiative aimed at providing a practical and
hands-on learning platform for API security testing. The project's primary objective is to
create a deliberately vulnerable RESTful API that simulates real-world scenarios where APIs
are vulnerable to attacks. The DVAPI project is open-source, allowing users to download and
run it locally for testing and learning purposes. The project includes multiple API endpoints
that are intentionally designed with various security flaws such as SQL injection, cross-site
scripting, broken authentication and authorization, and many more.

Benefits:
The DVAPI project provides a wide range of benefits to security enthusiasts, software
developers, and penetration testers. By using DVAPI, users can gain practical knowledge and
hands-on experience in identifying, exploiting, and mitigating common API security
vulnerabilities. The project's focus on RESTful APIs, a crucial component of modern
software systems, helps users understand the security implications of these APIs.

Services:
The DVAPI project provides several services to users, including:

Realistic and Practical Learning Platform: The project simulates real-world scenarios where
APIs are vulnerable to attacks, providing a realistic and practical learning environment for
API security testing.

Open-source Platform: The project is open-source, allowing users to download and run it
locally for testing and learning purposes.

Multiple API Endpoints: The project includes multiple API endpoints that are intentionally
designed with various security flaws such as SQL injection, cross-site scripting, broken
authentication and authorization, and many more.

Guidance and Documentation: The project provides guidance and documentation on the
vulnerabilities and how to exploit them, making it an excellent resource for beginners and
advanced users alike.

Hands-on Experience: By using DVAPI, users can gain practical knowledge and hands-on
experience in identifying, exploiting, and mitigating common API security vulnerabilities.

1.1 Purpose of the Project

The DVAPI project aims to provide a web-based platform for individuals to learn about API
security vulnerabilities and best practices to prevent cyberattacks. The project offers practical
challenges and simulations to teach users about common API security issues and improve
their skills. The purpose of this project is to promote awareness of API security and provide a
safe and engaging environment for users to learn and practice their skills.

1.2 Target Beneficiary

This project targets individuals interested in learning about API security vulnerabilities and
best practices, such as developers, security professionals, and students. Through practical
challenges and simulations, the project offers a safe and engaging learning environment to
reduce the risk of data breaches and improve overall security posture.

1.3 Project Scope

The project scope for the API security training platform includes the development of a web-
based application that provides a series of practical challenges and simulations designed to
teach users about API security vulnerabilities and best practices for prevention. The platform
will focus on a variety of common API security issues such as authentication and
authorization and injection attacks. The challenges and simulations will be interactive and
will require users to apply their knowledge to identify and exploit vulnerabilities or prevent
attacks. The platform will also provide guidance to users to help them learn and improve their
skills. The project will involve designing and implementing the web application, creating
challenges and simulations, and testing and refining the platform to ensure its effectiveness
and usability. The project scope does not include the development of a comprehensive API
security testing tool.
2. PROJECT DESCRIPTION

2.1 Methodology

1. User Access to Welcome Page: The user will access the welcome page of the DVAPI
web application, which serves as the entry point for the application. This page
provides an overview of the DVAPI web application and its purpose.

2. Navigation to Challenges Section: Once the user is familiar with the DVAPI web
application, they can navigate to the challenges section. This section contains all the
challenges available for the user to attempt. It may include a list or grid of challenges,
categorized based on their difficulty level or type of vulnerability.

3. Accessing Challenge Page: When the user selects a specific challenge, they will be
navigated to the challenge page. This page provides details about the specific
vulnerability being targeted in the challenge, including a description of the
vulnerability, instructions on how to proceed, and options for flag submission. If the
user is stuck, a write-up may also be available, providing additional guidance.

4. Challenge Navigation: After reviewing the challenge details, the user can click on the
challenge navigation button to proceed to the challenge playground. This is the area
where the user will interact with the DVAPI web application and attempt to exploit
the vulnerability to acquire the flag. The challenge playground may provide a
simulated environment or scenario where the user can perform appropriate steps to
exploit the vulnerability.

5. Flag Submission: Once the user believes they have successfully exploited the
vulnerability and acquired the flag, they can submit the flag through the provided flag
submission mechanism. This may involve submitting a code, text, or other form of
proof that indicates the successful completion of the challenge.

6. Challenge Write-up: If the user is unable to solve the challenge, they may refer to the
challenge write-up, which provides a step-by-step guide or hints on how to proceed.
The write-up may contain technical details, code snippets, or other technical
information to help the user understand the vulnerability and how to exploit it.
2.2 Endpoints/Vulnerabilities

1. Broken Object Level Authorization – Object IDs are exposed and not checked against
the caller, leading to an object-level access control issue.
2. Broken User Authentication – Incorrect authentication implementation leads to
identity compromise.
3. Excessive Data Exposure – Unnecessary object property exposure creates security
risks.
4. Lack of Resources & Rate Limiting – Unrestricted access to resources impacts
server performance and leads to authentication flaws.
5. Broken Function Level Authorization – Flaws in access control policies allow
attackers to access resources and/or administrative functions.
6. Mass Assignment – Binding client data without filtering properties leads to
unauthorized object property modification.
7. Security Misconfiguration – Default/incomplete configurations and open cloud
storage lead to security flaws.
8. Injection – Untrusted data sent to interpreters can lead to unauthorized access and
execution of unintended commands.
9. Improper Assets Management – Improperly documented and deployed API
versions lead to deprecated versions and exposed debug endpoints.
10. Insufficient Logging & Monitoring – Lack of monitoring and integration with
incident response allows attackers to further attack systems.
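The following is an added illustration, not code from the DVAPI project, of the server-side checks that separate items 1, 3 and 6 above (Broken Object Level Authorization, Excessive Data Exposure, Mass Assignment) from their fixed forms. The handlers are written as plain Python functions so the logic runs without a web framework; the USERS store, the Request shape and the field allowlists are constructed for the example and are not identifiers from the project.

```python
# Added illustration, not DVAPI project code: object-level authorization,
# response field filtering and a mass-assignment allowlist, each shown as a
# vulnerable handler next to its hardened form. USERS, Request and the
# field sets below are constructed for this example.
from dataclasses import dataclass, field

# Constructed sample store: two ordinary users and one admin. The hash
# values are placeholders, not real password hashes.
USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.test",
        "password_hash": "<placeholder-hash>", "role": "user"},
    2: {"id": 2, "name": "bob", "email": "bob@example.test",
        "password_hash": "<placeholder-hash>", "role": "user"},
    3: {"id": 3, "name": "root", "email": "root@example.test",
        "password_hash": "<placeholder-hash>", "role": "admin"},
}

WRITABLE_FIELDS = {"name", "email"}             # what a client may set on its own profile
PUBLIC_FIELDS = {"id", "name"}                  # what anyone may read about another user
OWNER_FIELDS = {"id", "name", "email", "role"}  # what the owner (or an admin) may read


@dataclass
class Request:
    """Minimal stand-in for an authenticated HTTP request: caller identity plus JSON body."""
    caller_id: int
    body: dict = field(default_factory=dict)


def _is_admin(caller_id: int) -> bool:
    return USERS.get(caller_id, {}).get("role") == "admin"


def get_user_vulnerable(req: Request, user_id: int) -> dict:
    """BOLA plus excessive data exposure: the caller is authenticated but never
    authorized against the requested object, and the whole stored record
    (hash, role) is echoed back."""
    return dict(USERS[user_id])


def get_user_hardened(req: Request, user_id: int) -> dict:
    """Authorize per object, then project the record onto an explicit field set."""
    record = USERS.get(user_id)
    if record is None:
        raise LookupError("not found")
    owner_view = req.caller_id == user_id or _is_admin(req.caller_id)
    return {k: record[k] for k in (OWNER_FIELDS if owner_view else PUBLIC_FIELDS)}


def update_user_vulnerable(req: Request, user_id: int) -> dict:
    """Mass assignment: the request body is merged straight into the stored
    object, so a client can set 'role' or overwrite 'password_hash'."""
    USERS[user_id].update(req.body)
    return dict(USERS[user_id])


def update_user_hardened(req: Request, user_id: int) -> dict:
    """Only the owner may write, and only allowlisted properties are bound.
    Unknown properties are rejected rather than silently dropped, so a
    mismatch between client and server models shows up in the logs."""
    if req.caller_id != user_id:
        raise PermissionError("forbidden")
    unexpected = set(req.body) - WRITABLE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected properties: {sorted(unexpected)}")
    USERS[user_id].update(req.body)
    return {k: USERS[user_id][k] for k in OWNER_FIELDS}
```

The two hardened handlers share one design choice: the decision is made against the specific object being requested, not merely against whether the caller is logged in, and the data crossing the boundary in either direction is enumerated explicitly rather than passed through.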

2.3 SWOT Analysis

Strengths:
• Unique project: The DVAPI project provides a unique learning opportunity for
developers to understand and practice the vulnerabilities associated with APIs. There
are very few similar resources available online.
• Engaging and interactive: The project provides a practical playground for developers
to try and exploit the vulnerabilities, making it an engaging and interactive
experience.
• Increased awareness: The project can help raise awareness among developers and
organizations about the importance of securing their APIs, which can ultimately lead
to a safer digital environment.

Weaknesses:
• Limited scope: The project only covers a limited number of vulnerabilities and does
not provide an exhaustive list of all possible API vulnerabilities.
• May encourage unethical behavior: The project may encourage individuals to use the
knowledge gained for unethical purposes, such as hacking or exploiting real-world
APIs.
• Limited resources: The project may require significant resources to maintain and
update regularly, which may be a challenge for individuals or organizations with
limited resources.

Opportunities:
• Collaboration: The project can create opportunities for collaboration between
developers and organizations to develop more secure APIs and improve overall API
security.
• Expansion: The project can be expanded to include additional vulnerabilities and
more advanced challenges, making it a more comprehensive resource for developers.
• Potential revenue stream: The project can potentially generate revenue through
offering additional features or services such as certification or training.

Threats:
• Security concerns: As the project involves demonstrating and exploiting
vulnerabilities, there is a risk of attackers using the same knowledge to exploit
real-world APIs.
• Legal issues: The project may face legal issues related to hacking or unauthorized
access to computer systems, which may lead to legal challenges or lawsuits.
• Competition: The project may face competition from similar resources that provide
similar training or educational opportunities for developers.
2.4 Project Features

1. Vulnerability showcase: A section of the website that details common vulnerabilities
found in APIs, along with descriptions and examples of each vulnerability.
2. Practice playground: A section of the website that allows users to practice exploiting
vulnerabilities in a safe environment. This could include challenges or simulations
that test users' ability to identify and exploit different types of vulnerabilities.
3. User progress tracking: The website will allow users to track their progress as they
complete challenges or learn about different vulnerabilities. This could help motivate
users to continue learning and improving their skills.
4. Real-world case studies: The website could feature real-world examples of API
vulnerabilities and their impact on companies and users. This could help users
understand the importance of securing APIs and the potential consequences of failing
to do so.
5. Solutions section: Every vulnerability would have a solutions tab which would
contain the step-wise procedure to solve the challenge in focus.
6. Continuous updates: The project could be regularly updated with new vulnerabilities,
challenges, and educational resources to keep users engaged and up-to-date with the
latest trends in API security.

2.5 Design and Implementation Constraints

1. Time Constraints: The project needs to be completed within a certain timeframe, and
this may limit the extent to which features can be added and tested.
2. Budget Constraints: The resources available for the development and deployment of
the project may be limited, which could affect the quality and extent of the features
that can be implemented.
3. Technical Constraints: The technologies and tools used for the development of the
project may be limited by their compatibility, availability, and scalability.
4. Security Constraints: As the project involves creating and demonstrating
vulnerabilities in the API, there must be adequate measures in place to ensure that
these vulnerabilities are not exploited by malicious actors.
5. User Constraints: The project should be user-friendly and accessible to a wide range
of users, including those with limited technical expertise.
6. Compatibility Constraints: The project should be compatible with different platforms,
browsers, and devices to ensure maximum usability and accessibility.

2.6 Design diagram

Figure 1 (High-level view of the project)

The DVAPI website contains a section for each vulnerability, each of which contains a
description, a challenge and a solution tab. When the user opens the challenge and sends any
request (GET/POST), the request is forwarded to the remotely hosted API server, which returns
the appropriate response for the respective endpoint. The user has to find a flag in this
challenge and submit it in the vulnerability section.
3. SYSTEM REQUIREMENTS

3.1 Hardware Requirements:

The system requirements for hardware include a computer or server with sufficient
processing power, memory, and storage capacity to run the API and its associated software
components. Depending on the size and complexity of the API and the expected traffic load,
the hardware requirements may vary. Generally, a modern computer with a multi-core
processor, at least 8GB of RAM, and sufficient storage capacity is sufficient for most small to
medium-sized APIs. For larger APIs or those with high traffic loads, additional processing
power, memory, and storage capacity may be required.

3.2 Software Requirements:

The software requirements for this project include the following:

• Operating system: The API can be run on any modern operating system such as
Windows, Linux, or macOS. The choice of operating system depends on the
developer's preference and the specific needs of the API.
• Web server: A web server such as Apache, Nginx, or IIS is required to run the API.
The choice of web server depends on the developer's preference and the specific needs
of the API.
• Programming language: The API can be developed using any programming language
that supports HTTP and RESTful APIs. Popular choices include Python, Node.js,
Ruby, and Java.
• Database: A database is required to store and retrieve data for the API. The choice of
database depends on the developer's preference and the specific needs of the API.
Popular choices include MySQL, PostgreSQL, MongoDB, and Redis.
• API framework: An API framework such as Flask, Django, or Express.js is required
to develop the API. The choice of API framework depends on the developer's
preference and the specific needs of the API.
4. NON-FUNCTIONAL REQUIREMENTS

4.1 Security Requirements:

The security requirements for this project include the following:

• Authentication and authorization: The API should implement authentication and
authorization mechanisms to ensure that only authorized clients can access and
modify data.
• Encryption: The API should use encryption to secure data in transit and at rest.
• Input validation: The API should validate all input to prevent injection attacks and
other types of vulnerabilities.
• Logging and monitoring: The API should log all requests and responses and monitor
for any suspicious activity.
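The block below is an added example, not DVAPI project code, that carries three of the requirements above into working code: input validation against injection by binding query parameters rather than splicing strings (the vulnerable form is shown beside it), a sliding-window rate limiter of the kind the glossary's "Rate Limiting" entry describes, and a request handler that logs every call and emits structured audit events a monitoring pipeline could consume. The users table, its rows, the logger name and the limits are constructed for the example and are not taken from the project.

```python
# Added illustration, not DVAPI project code: parameterized SQL versus string
# splicing, a sliding-window rate limiter, and per-request logging with a
# simple suspicious-activity signal. Table, rows, logger name and limits are
# constructed for this example.
import logging
import sqlite3
import time
from collections import deque

log = logging.getLogger("dvapi.example")  # assumed logger name


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Untrusted data spliced into the statement: the interpreter reads it as SQL."""
    return conn.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()


def find_user_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the value can never alter the statement's structure."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


class RateLimiter:
    """At most `limit` requests per `window` seconds per client (sliding window).
    The clock is injectable so the behaviour can be tested deterministically."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = {}  # client -> deque of request timestamps inside the window

    def allow(self, client: str) -> bool:
        now = self.clock()
        q = self.hits.setdefault(client, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop hits that have fallen out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_lookup(conn, limiter: RateLimiter, client: str, name: str, audit: list) -> dict:
    """Request handler that logs every call and its outcome. `audit` receives the
    structured events a monitoring pipeline would consume; a client that is
    rate-limited, or that sends quote or statement characters in an identifier,
    is flagged. The flag is a detection signal only; the bound parameter in
    find_user_hardened is what actually prevents injection."""
    if not limiter.allow(client):
        log.warning("rate limit exceeded client=%s", client)
        audit.append({"client": client, "event": "RATE_LIMITED"})
        return {"status": 429, "rows": []}
    rows = find_user_hardened(conn, name)
    suspicious = "'" in name or ";" in name
    audit.append({"client": client, "event": "LOOKUP",
                  "suspicious": suspicious, "rows": len(rows)})
    log.info("lookup client=%s name=%r rows=%d suspicious=%s",
             client, name, len(rows), suspicious)
    return {"status": 200, "rows": rows}
```

Run against the constructed table, the spliced query returns every row for a name value that closes the quote, while the bound-parameter query returns nothing for the same input; the limiter refuses the fourth request inside the window and accepts again once the window has passed.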

4.2 Development Environment:

The development environment for this project includes the following:

• Integrated Development Environment (IDE): An IDE such as PyCharm, Visual Studio
Code, or Eclipse is required to develop the API and associated software components.
• Version control: A version control system such as Git is required to manage the
source code and track changes.
• Testing framework: A testing framework such as Postman or SwaggerUI is required
to test the API and ensure that it meets the functional and non-functional
requirements.

4.3 Software Quality Attributes

1. Usability: This refers to the ease of use and understandability of the system. It
involves ensuring that the system is intuitive and requires minimal training for users
to be able to use it effectively.
2. Reliability: This refers to the ability of the system to perform its functions
consistently and reliably over a given period of time. It involves ensuring that the
system can handle errors and recover from them quickly without causing any data loss
or system downtime.
3. Performance: This refers to the speed and efficiency of the system when processing
requests or performing tasks. It involves ensuring that the system can handle a large
number of requests and data processing without any significant lag or delay.
4. Security: This refers to the protection of the system and its data from unauthorized
access, modification, or destruction. It involves implementing measures such as
authentication, authorization, encryption, and access control to ensure that the system
and its data are secure.
5. Scalability: This refers to the ability of the system to handle an increasing amount of
load or traffic without a significant decrease in performance or reliability. It involves
designing the system in such a way that it can be easily scaled up or down as per the
changing requirements.
6. Maintainability: This refers to the ease with which the system can be maintained and
modified over its entire lifespan. It involves designing the system in such a way that it
can be easily updated, debugged, and modified without disrupting its functionality or
causing any errors.
7. Portability: This refers to the ability of the system to be deployed and run on different
platforms or environments without any significant modifications. It involves ensuring
that the system is compatible with different operating systems, programming
languages, and hardware configurations.
APPENDIX A: GLOSSARY

1. API: Application Programming Interface. A set of protocols, routines, and tools for
building software applications that define how software components should interact.
2. Authentication: The process of verifying the identity of a user or system.
3. Authorization: The process of granting or denying access to a resource based on the
identity of the user or system.
4. Endpoint: A URL that is used to access a particular function or service in an API.
5. Rate Limiting: A technique used to limit the number of requests that can be made to
an API within a certain time period.
6. REST: Representational State Transfer. A set of architectural principles used to build
web services that are scalable, flexible, and easy to maintain.
7. RESTful API: A type of API that adheres to the principles of Representational State
Transfer (REST), using HTTP requests to retrieve and manipulate data.
8. SQL Injection: A type of security exploit in which an attacker injects malicious SQL
code into a database query, allowing them to access or modify data without
authorization.
9. SSL/TLS: Secure Sockets Layer/Transport Layer Security. A protocol used to
establish secure communication channels over the internet.
10. HTTP: Hypertext Transfer Protocol, used for communication between client and
server.
11. HTTPS: HTTP Secure, a protocol for secure communication over the internet.
KEY BIBLIOGRAPHY:
[1] V. Thoutam, "A Study On Python Web Application Framework," Journal of Electronics,
Computer Networking and Applied Mathematics, vol. 1, no. 01, pp. 48–55, Aug. 2021.

[2] A. K. Priyanka and S. S. Smruthi, "Web Application Vulnerabilities: Exploitation and
Prevention," 2020 Second International Conference on Inventive Research in Computing
Applications (ICIRCA), Coimbatore, India, 2020, pp. 729–734, doi:
10.1109/ICIRCA48905.2020.9182928.

[3] A. Razzaq, A. Hur, H. F. Ahmad and M. Masood, "Cyber security: Threats, reasons,
challenges, methodologies and state of the art solutions for industrial applications," 2013
IEEE Eleventh International Symposium on Autonomous Decentralized Systems (ISADS),
Mexico City, Mexico, 2013, pp. 1–6, doi: 10.1109/ISADS.2013.6513420.

[4] R. S. Devi and M. M. Kumar, "Testing for Security Weakness of Web Applications
using Ethical Hacking," 2020 4th International Conference on Trends in Electronics and
Informatics (ICOEI)(48184), Tirunelveli, India, 2020, pp. 354–361, doi:
10.1109/ICOEI48184.2020.9143018.

[5] J. Salibindla, "Microservices API security," International Journal of Engineering
Research & Technology, vol. 7, no. 1, pp. 277–281, 2018.
