DEV.co
Open-Source Security · roottusk

vapi

vAPI is a self-hosted vulnerable API training application that deliberately implements OWASP API Top 10 security flaws as educational exercises. It's designed for security professionals and developers to learn API exploitation and remediation techniques in a safe, controlled environment.

Source: GitHub — github.com/roottusk/vapi
1.3k
GitHub stars
337
Forks
HTML
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryroottusk/vapi
Ownerroottusk
Primary languageHTML
LicenseGPL-3.0 — OSI-approved
Stars1.3k
Forks337
Open issues15
Latest release1.3 (2022-11-27)
Last updated2025-01-10
Sourcehttps://github.com/roottusk/vapi

What vapi is

A Laravel 8 + PHP 7.3+ application backed by MySQL, exposing intentional API vulnerabilities mapped to OWASP Top 10 scenarios. Deployable via Docker Compose or manual setup; supports Kubernetes via Helm charts and includes Postman collection for testing.

Quickstart

Get the vapi source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/roottusk/vapi.gitcd vapi# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Security Training & Hands-On Labs

Red team, blue team, and AppSec professionals use vAPI to practice identifying and exploiting common API vulnerabilities in a controlled lab environment without legal or ethical risk.

API Security Curriculum Development

Educational institutions and corporate training programs embed vAPI exercises into API security courses to teach OWASP Top 10 patterns through practical, guided exploitation walkthroughs.

DevSecOps Integration & Testing

Teams use vAPI in CI/CD pipelines to validate security scanning tools (SAST, DAST, API scanners) and measure their effectiveness against known API vulnerability patterns.

Implementation considerations

  • Isolate vAPI on an internal network or air-gapped lab; never expose to untrusted networks. Requires firewall rules and network segmentation.
  • MySQL database must be pre-configured with vapi.sql import; ensure DB credentials are securely managed (use .env, secrets management, not hardcoded).
  • Docker Compose setup is simplest path; manual install requires PHP, MySQL, and Postman CLI/desktop setup. Kubernetes deployment via Helm requires secret objects and namespace management.
  • Postman collection and environment files are provided; import both to enable guided requests, token generation, and test assertions out of the box.
  • Latest release (1.3) is from Nov 2022; verify compatibility with your PHP/MySQL/Laravel versions and plan for potential security patch lag.

When to avoid it — and what to weigh

  • Production or External-Facing Deployment — vAPI is intentionally vulnerable and must never be exposed to the public internet or used as a real backend service; it is strictly for isolated lab or internal training environments.
  • Need for Active Commercial Support — No commercial support model, SLA, or professional maintenance is documented. Last release is from Nov 2022; active development exists but no guarantee of timely security patches or feature updates.
  • Requirement for Modern PHP/Laravel Versions — Project targets PHP 7.3+ and Laravel 8, which are approaching end-of-life. If your infrastructure mandates PHP 8+ or Laravel 10+, significant refactoring or maintenance work may be required.
  • Minimal Database or Complex Multi-Tenant Scenarios — vAPI is a single-instance, fixed-exercise training app. It does not support complex data models, multi-tenancy, or integration with enterprise identity systems without substantial customization.

License & commercial use

Licensed under GPL-3.0 (GNU General Public License v3.0). This is a copyleft open-source license requiring derivative works and modified distributions to remain open-source under the same license.

GPL-3.0 is a copyleft license. Internal use for training, testing, or labs is permitted without disclosure. However, commercial distribution, SaaS offerings, or vendored products incorporating vAPI must release source code under GPL-3.0. Consult legal counsel if planning monetized or proprietary derivatives. No commercial license or exemption is documented.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceModerate
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

vAPI is intentionally vulnerable—it is NOT secure and must never be used in production or exposed externally. It includes common flaws: injection, broken authentication, insecure direct object reference, CORS misconfigurations, etc. Deployment requires air-gapped or firewalled network. Database credentials must be managed securely (avoid plaintext in .env on shared systems). No security audits, penetration tests, or vulnerability disclosure policy documented. Use as educational tool only.

Alternatives to consider

OWASP Juice Shop

Similarly intentional, web app-focused vulnerable application covering OWASP Top 10. More actively maintained, broader language/framework coverage, and more extensive documentation.

HackTheBox / TryHackMe

Hosted platforms providing curated vulnerable labs and CTF challenges with guided walkthroughs. No deployment/maintenance burden; subscription model; broader scope beyond APIs.

Postman API Security Training

Official Postman training modules and collections on API security without need for self-hosted vulnerable app; tightly integrated with Postman workspace and learning paths.

Software development agency

Build on vapi with DEV.co software developers

Deploy vAPI in your isolated lab environment using Docker Compose, import the Postman collection, and start hands-on OWASP API Top 10 exercises. Consult our team if you need custom integration, Kubernetes deployment guidance, or security review.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

vapi FAQ

Can I run vAPI in a containerized CI/CD pipeline?
Yes, Docker Compose setup is suitable for automated test environments. Docker images can be built and spun up per test run. Ensure isolation and cleanup after each run to prevent cross-contamination.
What is the minimum infrastructure required?
Docker Compose: single host with Docker and Docker Compose. Manual: PHP 7.3+, MySQL 5.7+, 512 MB RAM, and CLI access. Kubernetes: K8s cluster with 2+ nodes, Helm 3, and persistent storage for MySQL.
Does vAPI require any external API keys or third-party services?
No. vAPI is self-contained; all dependencies are local (MySQL, PHP, Docker). Postman is optional but recommended for guided request testing and token management.
Is vAPI suitable for teaching my team API security?
Yes, if your team can access an isolated lab environment. Pair with external walkthroughs/videos (linked in README) since documentation lacks detailed remediation guidance. Consider supplementing with OWASP API Top 10 reference docs.

Software development & web development with DEV.co

DEV.co helps companies turn open-source tools like vapi into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Ready to Train Your Team on API Security?

Deploy vAPI in your isolated lab environment using Docker Compose, import the Postman collection, and start hands-on OWASP API Top 10 exercises. Consult our team if you need custom integration, Kubernetes deployment guidance, or security review.