DEV.co
Open-Source Security · erev0s

VAmPI

VAmPI is a deliberately vulnerable REST API built with Flask that includes OWASP Top 10 API vulnerabilities. It is designed for security testing, penetration testing, and learning purposes, with a toggle to switch between vulnerable and secure modes.

Source: GitHub — github.com/erev0s/VAmPI
1.3k
GitHub stars
572
Forks
Python
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryerev0s/VAmPI
Ownererev0s
Primary languagePython
LicenseMIT — OSI-approved
Stars1.3k
Forks572
Open issues4
Latest releaseUnknown
Last updated2026-04-07
Sourcehttps://github.com/erev0s/VAmPI

What VAmPI is

A Python Flask-based REST API with OpenAPI 3 specification that intentionally implements nine documented vulnerabilities (SQLi, broken authorization, mass assignment, JWT bypass, etc.). Features token-based auth, Swagger UI, database initialization, and environment-variable configuration for vulnerability toggles.

Quickstart

Get the VAmPI source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/erev0s/VAmPI.gitcd VAmPI# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Security Tool Evaluation & Benchmarking

Use VAmPI to validate and compare the effectiveness of SAST, DAST, and API security scanning tools against known vulnerabilities in a controlled environment with false-positive/negative testing via secure mode.

Security Training & Workshops

Provide engineering teams and students a hands-on sandbox to learn OWASP Top 10 API vulnerabilities, exploitation techniques, and remediation patterns without risk to production systems.

Penetration Testing Practice

Deploy as a target for authorized penetration testers and red-team exercises to practice API exploitation, reporting, and validation in a pre-configured vulnerable state.

Implementation considerations

  • Initialize database by hitting `/createdb` endpoint before first use; mandatory for populated dummy data and functional testing.
  • Configure vulnerability toggle via `vuln` environment variable (1=vulnerable, 0=secure) and token TTL via `tokentimetolive` before deployment.
  • Run in Docker or Python venv to isolate dependencies; MacOS users note port 5001 conflict with AirPlay on newer versions.
  • Secure network isolation is mandatory; restrict access to localhost or private lab networks only; never expose to internet.
  • Review `app.py` source code to understand exact vulnerability implementations before using for tool validation or training.

When to avoid it — and what to weigh

  • Production or Internet-Facing Deployment — VAmPI contains intentional security flaws and must never be exposed to public networks or used in any production capacity; isolation to local/lab networks only.
  • Dependency on Latest Security Patches — No official release versioning since creation (2020); last push is recent, but no guaranteed SLA for dependency updates or critical CVE fixes if underlying Flask/libraries are compromised.
  • Compliance or Audit Requirement — Using a deliberately vulnerable application in any compliance context (PCI, HIPAA, SOC 2) is inappropriate and likely violates policy; intended for isolated lab use only.
  • Multi-tenant or Shared Environment — Single-instance architecture with in-memory or simple file-based state; no isolation, multi-tenancy, or RBAC suitable for shared environments.

License & commercial use

VAmPI is licensed under the MIT License, a permissive OSI-approved license permitting commercial use, modification, and distribution with minimal attribution requirements.

MIT License allows commercial use for internal security testing, training, and tool evaluation. However, redistribution of modified VAmPI requires MIT license inclusion. Verify your intended use does not violate the 'intentional vulnerability' nature—commercial deployment of the vulnerable instance itself is inappropriate and creates legal/liability risk.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

VAmPI is intentionally vulnerable by design. Deployment security depends entirely on network isolation: must run only on localhost, private lab networks, or isolated sandbox VMs. No built-in rate limiting, authentication bypass protections, or input validation when in vulnerable mode. Review source code to understand which vulnerabilities are active in your configuration. Use the secure mode (vuln=0) for negative testing and false-positive validation in tool evaluations.

Alternatives to consider

OWASP WebGoat

Mature, officially maintained, web-app-focused vulnerable application with extensive lessons and guided exploitation flows; better for structured security training than VAmPI's API-only scope.

Juice Shop (OWASP)

Full-stack vulnerable application with web and API components, modern tech stack, active maintenance, and community; broader use cases but higher complexity than VAmPI.

crAPI (Crash API, OWASP)

Dedicated vulnerable REST API project with modern architecture, multi-user isolation, and active maintenance; more feature-complete than VAmPI for API-specific testing.

Software development agency

Build on VAmPI with DEV.co software developers

Deploy VAmPI in your lab environment today to evaluate SAST/DAST tools, train your team on API vulnerabilities, or practice penetration testing in a safe, controlled sandbox.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

VAmPI FAQ

Can I use VAmPI in production?
No. VAmPI contains intentional security vulnerabilities and is designed only for isolated lab, training, and testing environments. Exposing it to a production network or the internet creates serious security and compliance risks.
How do I switch between vulnerable and secure mode?
Set the `vulnerable` environment variable to 1 (vulnerable) or 0 (secure) before running. For Docker: `docker run -e vulnerable=0 ...`. For Python: edit the `vuln` variable in `app.py`. The docker-compose file includes both modes on ports 5001 and 5002.
What vulnerabilities does VAmPI include?
Nine vulnerabilities: SQL Injection, Unauthorized Password Change, Broken Object Level Authorization, Mass Assignment, Excessive Data Exposure (_debug endpoint), User/Password Enumeration, RegexDOS, Lack of Rate Limiting, and JWT weak-key bypass. See the README vulnerability list for details.
Do I need to set up a database?
Yes. After starting VAmPI, call the `/createdb` endpoint (GET http://127.0.0.1:5000/createdb) to initialize and populate the SQLite database with dummy data before using other endpoints.

Custom software development services

Adopting VAmPI is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Ready to test your API security tools?

Deploy VAmPI in your lab environment today to evaluate SAST/DAST tools, train your team on API vulnerabilities, or practice penetration testing in a safe, controlled sandbox.