  • Stars: 268
  • Rank: 153,144 (Top 4 %)
  • Language: CSS
  • License: GNU Affero Genera...
  • Created about 2 years ago
  • Updated 7 months ago

Repository Details

A built-to-be-vulnerable API application based on the OWASP top 10 API vulnerabilities. Use c{api}tal to learn, train and exploit API Security vulnerabilities within your own API Security CTF.

Quick facts

  • Name: 'c{api}tal'
  • Type: Vulnerable API Security application
  • Purpose: Educational
  • License: GNU AFFERO GENERAL PUBLIC LICENSE
  • Language: Python, JS
  • Author: Checkmarx Research team

Description

The Checkmarx research team created c{api}tal to provide users with an active playground in which they can hone their API Security skills.
The c{api}tal application contains 10 API challenges which map to the OWASP top 10 API risks.
It is built with Python (FastAPI) and JS (React).

c{api}tal can also be used for conducting your own API Security CTF event.

Visit capital-ctf.com to learn about the vulnerabilities and the challenges.

Features:

  • Contains 10 challenges based on the OWASP top 10 API risks
  • Built on FastAPI (backend) and React (frontend)
  • UI - Blogging website (similar to Medium)
  • OpenAPI3 API JSON specification file that can be imported as a POSTMAN collection
  • JWT token based authentication (lifetime can be adjusted in app)

c{api}tal is a blogging application which allows users to register, create and delete posts, create and delete comments, follow other users, and more.

Quickstart

Run the full application using docker-compose:

docker-compose up -d

The backend will be running on http://localhost:8000/
The frontend will be running on http://localhost:4100/
Check out the API endpoints specification page at http://localhost:8000/docs

Generate API requests to http://localhost:8000/api (via POSTMAN/Burp for example)
Import the API collection JSON file to POSTMAN and start generating API requests:
click here to download the c{api}tal API json collection file

To run the web application in debug:

First, run PostgreSQL, set environment variables and create database:

export POSTGRES_DB=rwdb POSTGRES_PORT=5432 POSTGRES_USER=postgres POSTGRES_PASSWORD=postgres
docker run --name pgdb --rm -p 5432:5432 -e POSTGRES_USER="$POSTGRES_USER" -e POSTGRES_PASSWORD="$POSTGRES_PASSWORD" -e POSTGRES_DB="$POSTGRES_DB" postgres
export POSTGRES_HOST=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' pgdb)
createdb --host=$POSTGRES_HOST --port=$POSTGRES_PORT --username=$POSTGRES_USER $POSTGRES_DB

[Option 1] Run locally

Then run the following commands to bootstrap your environment:

git clone https://github.com/Checkmarx/capital
cd capital
pip install -r requirements.txt

Then create a .env file in the project root and set the environment variables for the application:

export POSTGRES_DB=rwdb POSTGRES_PORT=5432 POSTGRES_USER=postgres POSTGRES_PASSWORD=postgres
export POSTGRES_HOST=localhost
export DATABASE_URL=postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB
touch .env
echo APP_ENV=dev >> .env
echo DATABASE_URL=postgresql://$POSTGRES_USER:$POSTGRES_PASSWORD@$POSTGRES_HOST:$POSTGRES_PORT/$POSTGRES_DB >> .env
echo SECRET_KEY=$(openssl rand -hex 32) >> .env

Then run the backend server:

python3 
.py
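
A check for the .env file written in the Option 1 steps above, worth running before the backend is started. This is an added example, not part of the c{api}tal repository; the function name check_env_file is hypothetical, and the three keys and the 64-character hex secret are taken from the commands above.

```sh
# Added example (not from the c{api}tal repository).
# check_env_file is a hypothetical helper; call it as: check_env_file .env
# Returns 0 if the file looks complete, 1 on any problem, 2 if the file is missing.
check_env_file() {
    env_file="${1:-.env}"
    [ -f "$env_file" ] || { echo "missing file: $env_file"; return 2; }
    status=0

    # Each key written by the steps above must appear exactly once.
    for key in APP_ENV DATABASE_URL SECRET_KEY; do
        count=$(grep -c "^${key}=" "$env_file" || true)
        if [ "$count" -ne 1 ]; then
            echo "$key: expected 1 entry, found $count"
            status=1
        fi
    done

    # openssl rand -hex 32 yields exactly 64 lowercase hex characters;
    # an empty value means openssl was not available when the line was written.
    if grep -q '^SECRET_KEY=' "$env_file"; then
        secret=$(sed -n 's/^SECRET_KEY=//p' "$env_file" | head -n 1)
        case "$secret" in
            *[!0-9a-f]*) secret_len=bad ;;
            *) secret_len=${#secret} ;;
        esac
        if [ "$secret_len" != 64 ]; then
            echo "SECRET_KEY: not 64 lowercase hex characters"
            status=1
        fi
    fi

    # An unset POSTGRES_* variable leaves an empty URL component behind.
    if grep -q '^DATABASE_URL=' "$env_file"; then
        db_url=$(sed -n 's/^DATABASE_URL=//p' "$env_file" | head -n 1)
        case "$db_url" in
            postgresql://?*:?*@?*:?*/?*) ;;
            *) echo "DATABASE_URL: incomplete, was a POSTGRES_* variable unset?"
               status=1 ;;
        esac
    fi
    return "$status"
}
```
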

[Option 2] Run backend using docker

Run the backend using docker build:

docker build . -t capital
docker run -p 8000:8000  -e DATABASE_URL=postgresql://postgres:[email protected]:5432/rwdb --rm --name backend-capital capital

Run tests

Tests for this project are defined in the tests/ folder.

Set the DATABASE_URL environment variable, or set database_url in app/core/settings/test.py.

This project uses pytest (https://docs.pytest.org/) to define tests because it allows you to use the assert keyword with good formatting for failed assertions.

To run all the tests of a project, simply run the pytest command:

$ pytest
================================================= test session starts ==================================================
platform linux -- Python 3.8.3, pytest-5.4.2, py-1.8.1, pluggy-0.13.1
rootdir: /home/some-user/user-projects/fastapi-realworld-example-app, inifile: setup.cfg, testpaths: tests
plugins: env-0.6.2, cov-2.9.0, asyncio-0.12.0
collected 90 items

tests/test_api/test_errors/test_422_error.py .                                                                   [  1%]
tests/test_api/test_errors/test_error.py .                                                                       [  2%]
tests/test_api/test_routes/test_articles.py .................................                                    [ 38%]
tests/test_api/test_routes/test_authentication.py ..                                                             [ 41%]
tests/test_api/test_routes/test_comments.py ....                                                                 [ 45%]
tests/test_api/test_routes/test_login.py ...                                                                     [ 48%]
tests/test_api/test_routes/test_profiles.py ............                                                         [ 62%]
tests/test_api/test_routes/test_registration.py ...                                                              [ 65%]
tests/test_api/test_routes/test_tags.py ..                                                                       [ 67%]
tests/test_api/test_routes/test_users.py ....................                                                    [ 90%]
tests/test_db/test_queries/test_tables.py ...                                                                    [ 93%]
tests/test_schemas/test_rw_model.py .                                                                            [ 94%]
tests/test_services/test_jwt.py .....                                                                            [100%]

============================================ 90 passed in 70.50s (0:01:10) =============================================
$

If you want to run a specific test, you can do this with this pytest feature (https://docs.pytest.org/en/latest/usage.html#specifying-tests-selecting-tests):

$ pytest tests/test_api/test_routes/test_users.py::test_user_can_not_take_already_used_credentials

Web routes

All routes are available on /docs or /redoc paths with Swagger or ReDoc.

Project structure

Files related to the application are in the app or tests directories. Application parts are:

app
├── api              - web related stuff.
│   ├── dependencies - dependencies for routes definition.
│   ├── errors       - definition of error handlers.
│   └── routes       - web routes.
├── core             - application configuration, startup events, logging.
├── db               - db related stuff.
│   ├── migrations   - manually written alembic migrations.
│   └── repositories - all crud stuff.
├── models           - pydantic models for this application.
│   ├── domain       - main models that are used almost everywhere.
│   └── schemas      - schemas for using in web routes.
├── resources        - strings that are used in web responses.
├── services         - logic that is not just crud related.
├── credentials      - list of common strings for Brute Force.
├── postman          - api json file for postman.
├── redis            - redis docker file and conf file.
├── scripts
├── tests
└── main.py          - FastAPI application creation and configuration.

Presented At

Blackhat Europe 2022 Arsenal

AppSec village at DefCon30

Write-ups & References

c{api}tal CTF event sum-up blog

A great write-up by Maor Tal:
Part 1
Part 2

Development and Bugs

Found an issue, or have a great idea? Let us know:

Contributions are appreciated and can be done via GitHub.

See CONTRIBUTING.md for more information about how to submit them.

Thanks

This project was created at Checkmarx by Ravid Mazon with the help of these great contributors: Liad Levy, Yaniv Nizry, Guy Lyuboshits

The application was built based on real-world-app; we used these awesome repos:
Backend - FastAPI (Python)
Frontend - React (JS)
Thanks again for contributing to the open-source community!
