Smart-API-security-tester/test_api_server.py at main · ashley-aa511/Smart-API-security-tester · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
"""
Example Test API Server
A simple Flask API with intentional vulnerabilities for testing purposes
DO NOT USE IN PRODUCTION - FOR TESTING ONLY
"""

from flask import Flask, request, jsonify
import secrets

app = Flask(__name__)

# Fake database
users = {
    "1": {"id": "1", "name": "Alice", "email": "alice@example.com", "role": "user", "balance": 100},
    "2": {"id": "2", "name": "Bob", "email": "bob@example.com", "role": "user", "balance": 200},
    "admin": {"id": "admin", "name": "Admin", "email": "admin@example.com", "role": "admin", "balance": 999999}
}

# Rate limiting counter (simple demo)
request_counts = {}


@app.route('/')
def home():
    return jsonify({
        "message": "Test API Server",
        "version": "1.0.0",
        "endpoints": [
            "/api/user/<id>",
            "/api/users",
            "/api/admin",
            "/api/login"
        ]
    })


# VULNERABILITY: Broken Object Level Authorization
@app.route('/api/user/<user_id>', methods=['GET'])
def get_user(user_id):
    """BOLA vulnerability - no authorization check"""
    if user_id in users:
        return jsonify(users[user_id])
    return jsonify({"error": "User not found"}), 404


# VULNERABILITY: Missing authentication
@app.route('/api/admin', methods=['GET'])
def admin_panel():
    """Missing authentication on admin endpoint"""
    return jsonify({
        "message": "Admin panel",
        "users": users,
        "sensitive_data": "This should be protected!"
    })


# VULNERABILITY: Weak authentication
@app.route('/api/login', methods=['POST'])
def login():
    """Accepts weak passwords"""
    data = request.get_json() or {}
    username = data.get('username')
    password = data.get('password')

    # Accepts weak passwords
    if username == "admin" and password in ["password", "123456", "admin"]:
        return jsonify({
            "token": secrets.token_hex(16),
            "message": "Login successful"
        })

    return jsonify({"error": "Invalid credentials"}), 401


# VULNERABILITY: Mass assignment
@app.route('/api/users', methods=['POST'])
def create_user():
    """Mass assignment vulnerability - accepts any fields"""
    data = request.get_json() or {}

    # Accepts isAdmin, role, balance without validation
    new_user = {
        "id": str(len(users) + 1),
        "name": data.get('name', 'Unknown'),
        "email": data.get('email', 'unknown@example.com'),
        "role": data.get('role', 'user'),  # Should be restricted!
        "isAdmin": data.get('isAdmin', False),  # Should be restricted!
        "balance": data.get('balance', 0)  # Should be restricted!
    }

    users[new_user['id']] = new_user
    return jsonify(new_user), 201


# VULNERABILITY: No rate limiting
@app.route('/api/unlimited', methods=['GET'])
def unlimited_endpoint():
    """No rate limiting - vulnerable to abuse"""
    return jsonify({"message": "Request processed", "count": len(request_counts)})


# VULNERABILITY: SQL Injection (simulated)
@app.route('/api/search', methods=['GET'])
def search():
    """Simulated SQL injection vulnerability"""
    query = request.args.get('q', '')

    # Simulated SQL error
    if "'" in query or "--" in query or "OR" in query.upper():
        return jsonify({
            "error": "SQL syntax error near '" + query + "'",
            "message": "sqlite3.OperationalError: unrecognized token"
        }), 500

    return jsonify({"results": [], "query": query})


# VULNERABILITY: Missing security headers
@app.after_request
def add_headers(response):
    """Intentionally missing security headers"""
    # NOT setting security headers for demo purposes
    return response


# API Documentation endpoint
@app.route('/api-docs', methods=['GET'])
def api_docs():
    """Publicly accessible API documentation"""
    return jsonify({
        "swagger": "2.0",
        "info": {
            "title": "Test API",
            "version": "1.0.0"
        },
        "paths": {
            "/api/user/{id}": {
                "get": {"summary": "Get user by ID"}
            },
            "/api/admin": {
                "get": {"summary": "Admin panel (should be protected!)"}
            }
        }
    })


if __name__ == '__main__':
    print("""
╔══════════════════════════════════════════════════════════╗
║  TEST API SERVER - FOR TESTING PURPOSES ONLY             ║
║  Contains intentional vulnerabilities                    ║
║  DO NOT USE IN PRODUCTION                                ║
╚══════════════════════════════════════════════════════════╝

Starting server at http://localhost:5000

Test endpoints:
- http://localhost:5000/api/user/1 (BOLA)
- http://localhost:5000/api/admin (No auth)
- http://localhost:5000/api/login (Weak password)
- http://localhost:5000/api/users (Mass assignment)
- http://localhost:5000/api/search?q=test (SQL injection)
- http://localhost:5000/api-docs (Public docs)

Use this server with the security tester:
python3 main.py
Target: http://localhost:5000
    """)
    app.run(debug=True, port=5000)