New Vulnerable API


Sheela Sarva

Nov 14, 2019, 6:41:38 PM
to API Security Project
Hello Team,

What is the process if we would like to contribute to the project by sharing another vulnerable API? 

Cheers,
Sheela

Keith Casey

Nov 15, 2019, 12:30:39 AM
to API Security Project
Sheela,

Please communicate with the API vendor via their security policy before publicly broadcasting details. Many companies have bounty programs where you can make money by properly following the process.

Once that is complete, you can usually disclose details and show what the problem and consequences were. I'd love to learn more once you're there.

keith

Sheela Sarva

Nov 15, 2019, 7:46:00 PM
to API Security Project
Hello Keith,

Thanks for your response. 

In addition, can you please let me know if it is possible to share, under the OWASP project, a vulnerable Swagger API we have designed and implemented? We understand that it has to follow your guidelines, which we will make sure of. I was thinking it might be great for the community to have access to more vulnerable APIs.

Regards,
Sheela



Paulo Silva

Nov 16, 2019, 6:38:47 AM
to Sheela Sarva, API Security Project
Hi Sheela,

On Sat, Nov 16, 2019 at 12:46 AM Sheela Sarva <sheel...@gmail.com> wrote:
>
> Hello Keith,
>
> Thanks for your response.
>
> In addition, can you please let me know if it is possible to share under OWASP project vulnerable swagger API we have designed and implemented?

Do you have a vulnerable API which you would like to donate to OWASP,
maybe as part of the API Security Project?
Can you please clarify?

We have on our roadmap an intentionally vulnerable API project: crAPI
- Completely Ridiculous API.
If you have something that we can build on top of, it can be interesting.

Please provide additional feedback so that we can discuss it further.

Cheers,
> We understand that it has to follow your guidelines which we will make sure. I was thinking it might be great for the community to have access to more vulnerable API.
>
> Regards,
> Sheela
>
> On Thursday, November 14, 2019 at 3:41:38 PM UTC-8, Sheela Sarva wrote:
>>
>> Hello Team,
>>
>> What is the process if we would like to contribute to the project by sharing another vulnerable API?
>>
>> Cheers,
>> Sheela
>>



--
Paulo Silva

OWASP API Security Project - Project Main Maintainer
OWASP Go Secure Coding Practices Guide - Project Co-Leader

Sheela Sarva

Nov 17, 2019, 2:56:37 AM
to API Security Project
Hello Paulo,

You are correct. I have developed an intentionally vulnerable API that I would like to add to the 'Completely Ridiculous API' project.

Looking forward to discussing further. 

Regards,
sheela


Raj kumar

Dec 15, 2019, 8:39:40 AM
to API Security Project
Hi Paulo, I too have developed a deliberately vulnerable API in ASP.NET Core 3. It has most of the issues that fall under the Top 10, but not all. You can check out more info on the API on my blog https://www.infosecraj.com/blog/vulnerable-api.html. If you feel it's good, I'd be happy to donate it to the OWASP API project, but more than that I'd like to contribute to this project in other possible ways too.