VAmPI (Vulnerable REST API)

What is this lab?

VAmPI is a deliberately vulnerable Flask REST API. It ships with Swagger UI and an OpenAPI spec so you can explore endpoints quickly and map tests to OWASP API Top 10 style risks.

What you will learn

An API testing workflow using Swagger UI and Postman
Authorization tests at object and function level
Risky behaviors such as mass assignment and excessive data exposure
Writing findings with clear evidence and remediation

Prerequisites

Tools

Web browser
Postman or similar REST client
Burp or ZAP, optional

Knowledge

REST concepts and JSON
Basic authentication flows

Launch the lab

Open VAmPI in CSN Labs →

Getting started

Start the lab and open the URL shown.
Open Swagger UI by appending /ui to the lab base URL (for example .../vampi/ui if that matches your deployment).
If the database is empty, call /createdb once to initialize data.
Create two users (User A and User B) to test authorization boundaries.

How to use this lab

Use Swagger UI to learn parameters and expected responses.
Move repeatable checks into Postman with environments for each user.
Use a proxy when you need fine-grained inspection of headers and tokens.
Focus on who can do what across endpoints, not only input fuzzing.

Challenge buckets

BOLA — access to other users’ objects (for example “books”)
Mass assignment — fields that should be server-controlled
Excessive data exposure — responses that leak too much
Rate limiting and enumeration — abuse resistance and predictable identifiers

Scenarios

Scenario walkthroughs for VAmPI will be added here over time.

Safety and ethics

Use these techniques only in authorized lab environments.

References

VAmPI on GitHub

What is this lab?​

What you will learn​

Prerequisites​

Tools​

Knowledge​

Launch the lab​

Getting started​

How to use this lab​

Challenge buckets​

Scenarios​

Safety and ethics​

References​