VAmPI
VAmPI is a deliberately vulnerable REST API built with Flask that includes OWASP Top 10 API vulnerabilities. It is designed for security testing, penetration testing, and learning purposes, with a toggle to switch between vulnerable and secure modes.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | erev0s/VAmPI |
| Owner | erev0s |
| Primary language | Python |
| License | MIT — OSI-approved |
| Stars | 1.3k |
| Forks | 572 |
| Open issues | 4 |
| Latest release | Unknown |
| Last updated | 2026-04-07 |
| Source | https://github.com/erev0s/VAmPI |
What VAmPI is
A Python Flask-based REST API with OpenAPI 3 specification that intentionally implements nine documented vulnerabilities (SQLi, broken authorization, mass assignment, JWT bypass, etc.). Features token-based auth, Swagger UI, database initialization, and environment-variable configuration for vulnerability toggles.
Get the VAmPI source
Clone the repository and explore it locally.
git clone https://github.com/erev0s/VAmPI.gitcd VAmPI# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Initialize database by hitting `/createdb` endpoint before first use; mandatory for populated dummy data and functional testing.
- Configure vulnerability toggle via `vuln` environment variable (1=vulnerable, 0=secure) and token TTL via `tokentimetolive` before deployment.
- Run in Docker or Python venv to isolate dependencies; MacOS users note port 5001 conflict with AirPlay on newer versions.
- Secure network isolation is mandatory; restrict access to localhost or private lab networks only; never expose to internet.
- Review `app.py` source code to understand exact vulnerability implementations before using for tool validation or training.
When to avoid it — and what to weigh
- Production or Internet-Facing Deployment — VAmPI contains intentional security flaws and must never be exposed to public networks or used in any production capacity; isolation to local/lab networks only.
- Dependency on Latest Security Patches — No official release versioning since creation (2020); last push is recent, but no guaranteed SLA for dependency updates or critical CVE fixes if underlying Flask/libraries are compromised.
- Compliance or Audit Requirement — Using a deliberately vulnerable application in any compliance context (PCI, HIPAA, SOC 2) is inappropriate and likely violates policy; intended for isolated lab use only.
- Multi-tenant or Shared Environment — Single-instance architecture with in-memory or simple file-based state; no isolation, multi-tenancy, or RBAC suitable for shared environments.
License & commercial use
VAmPI is licensed under the MIT License, a permissive OSI-approved license permitting commercial use, modification, and distribution with minimal attribution requirements.
MIT License allows commercial use for internal security testing, training, and tool evaluation. However, redistribution of modified VAmPI requires MIT license inclusion. Verify your intended use does not violate the 'intentional vulnerability' nature—commercial deployment of the vulnerable instance itself is inappropriate and creates legal/liability risk.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
VAmPI is intentionally vulnerable by design. Deployment security depends entirely on network isolation: must run only on localhost, private lab networks, or isolated sandbox VMs. No built-in rate limiting, authentication bypass protections, or input validation when in vulnerable mode. Review source code to understand which vulnerabilities are active in your configuration. Use the secure mode (vuln=0) for negative testing and false-positive validation in tool evaluations.
Alternatives to consider
OWASP WebGoat
Mature, officially maintained, web-app-focused vulnerable application with extensive lessons and guided exploitation flows; better for structured security training than VAmPI's API-only scope.
Juice Shop (OWASP)
Full-stack vulnerable application with web and API components, modern tech stack, active maintenance, and community; broader use cases but higher complexity than VAmPI.
crAPI (Crash API, OWASP)
Dedicated vulnerable REST API project with modern architecture, multi-user isolation, and active maintenance; more feature-complete than VAmPI for API-specific testing.
Build on VAmPI with DEV.co software developers
Deploy VAmPI in your lab environment today to evaluate SAST/DAST tools, train your team on API vulnerabilities, or practice penetration testing in a safe, controlled sandbox.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
VAmPI FAQ
Can I use VAmPI in production?
How do I switch between vulnerable and secure mode?
What vulnerabilities does VAmPI include?
Do I need to set up a database?
Custom software development services
Adopting VAmPI is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Ready to test your API security tools?
Deploy VAmPI in your lab environment today to evaluate SAST/DAST tools, train your team on API vulnerabilities, or practice penetration testing in a safe, controlled sandbox.