### Install VulnAPI from ZIP on Linux Source: https://github.com/cerberauth/vulnapi/blob/main/docs/installation.mdx Install VulnAPI on Linux by extracting the ZIP archive of the latest release and running the binary. Verify the installation by checking the version. ```bash vulnapi --version ``` -------------------------------- ### Install VulnAPI via APT on Linux Source: https://github.com/cerberauth/vulnapi/blob/main/docs/installation.mdx Install VulnAPI on Linux using APT by downloading the latest release .deb package. Verify the installation by checking the version. ```bash sudo dpkg -i vulnapi.deb ``` ```bash vulnapi --version ``` -------------------------------- ### Install VulnAPI via Snap on Linux Source: https://github.com/cerberauth/vulnapi/blob/main/docs/installation.mdx Use this command to install VulnAPI on Linux using the Snap package manager. Verify the installation by checking the version. ```bash sudo snap install vulnapi ``` ```bash vulnapi --version ``` -------------------------------- ### Install VulnAPI via Homebrew on MacOS Source: https://github.com/cerberauth/vulnapi/blob/main/docs/installation.mdx Install VulnAPI on MacOS using Homebrew by tapping the repository and installing the formula. Verify the installation by checking the version. ```bash brew tap cerberauth/vulnapi https://github.com/cerberauth/vulnapi brew install $(brew --repository cerberauth/vulnapi)/vulnapi.rb ``` ```bash vulnapi --version ``` -------------------------------- ### Install VulnAPI via RPM on Linux Source: https://github.com/cerberauth/vulnapi/blob/main/docs/installation.mdx Install VulnAPI on Linux using RPM by downloading the latest release .rpm package. Verify the installation by checking the version. ```bash sudo rpm -i vulnapi.rpm ``` ```bash vulnapi --version ``` -------------------------------- ### Normal Authenticated Request Example Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/authentication-bypass.mdx Demonstrates a typical successful authenticated GET request to an API endpoint. ```http GET /api/users/profile HTTP/1.1 Authorization: Bearer eyJhbGciOiJSUzI1NiI... HTTP/1.1 200 OK ``` -------------------------------- ### Start VAmPI Server Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vampi.mdx Run the VAmPI Docker container to start the vulnerable REST API. Ensure port 5000 is accessible. ```bash docker run -e vulnerable=1 -p 5000:5000 erev0s/vampi ``` -------------------------------- ### Run All JWT Scans with Wildcard Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/scan-ids.mdx Employ a wildcard (*) with the --scans flag to execute all scans within a category. This example runs all scans starting with 'jwt.'. ```bash # Run all JWT checks using a wildcard vulnapi scan curl ... --scans "jwt.*" ``` -------------------------------- ### Discover well-known paths and fingerprints Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/discover-api.mdx Use this command to probe a base URL for common API paths and detect server technologies. No special setup is required beyond having the VulnAPI CLI installed. ```sh vulnapi discover api https://api.example.com ``` -------------------------------- ### Scan API using OpenAPI Contracts Example Source: https://github.com/cerberauth/vulnapi/blob/main/README.md An example of scanning an API using its OpenAPI contract located at a specific URL. ```bash vulnapi scan openapi https://vulnapi.cerberauth.com/vulnerable/.well-known/openapi.json ``` -------------------------------- ### Install VulnAPI via Chocolatey on Windows Source: https://github.com/cerberauth/vulnapi/blob/main/docs/installation.mdx Install VulnAPI on Windows using the Chocolatey package manager. You can also install by extracting a ZIP archive. ```powershell choco install vulnapi ``` ```powershell vulnapi --version ``` -------------------------------- ### Scan API using Curl-like CLI Example Source: https://github.com/cerberauth/vulnapi/blob/main/README.md An example of scanning a specific API endpoint using the Curl-like CLI method, including a POST request and an Authorization header. ```bash vulnapi scan curl -X POST https://vulnapi.cerberauth.com/vulnerable/api -H "Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaWF0IjoxNTE2MjM5MDIyfQ." ``` -------------------------------- ### GitHub Actions CI/CD Integration Example Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/output-formats.mdx Example of configuring a GitHub Actions workflow to fail if findings exceed a severity threshold. ```yaml # GitHub Actions example - name: VulnAPI Scan run: | vulnapi scan openapi ./openapi.json \ --severity-threshold 7.0 \ --report-format json \ --report-file vulnapi-report.json # The step will fail automatically if CVSS > 7.0 is found (stderr output) ``` -------------------------------- ### HTTP TRACE Request and Response Example Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-trace-track.mdx Demonstrates an HTTP TRACE request and its corresponding response, showing how the entire request, including sensitive headers, is echoed back. ```http TRACE /api/users HTTP/1.1 Host: api.example.com Authorization: Bearer eyJhbGciOiJSUzI1NiI... X-Custom-Internal: secret HTTP/1.1 200 OK Content-Type: message/http TRACE /api/users HTTP/1.1 Host: api.example.com Authorization: Bearer eyJhbGciOiJSUzI1NiI... X-Custom-Internal: secret ``` -------------------------------- ### Start VulnAPI Server on Custom Port Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/serve.mdx Starts the VulnAPI HTTP server on a specified custom port (e.g., 9090). This allows you to run the server on a port other than the default. ```sh vulnapi serve --port 9090 ``` -------------------------------- ### VAmPI OpenAPI Contract Example Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vampi.mdx An example snippet of an OpenAPI v3 contract for VAmPI. It includes security schemes like 'bearerAuth' and server details. ```json { "components": { "securitySchemes": { "bearerAuth": { "bearerFormat": "JWT", "scheme": "bearer", "type": "http" } } }, "info": { "description": "OpenAPI v3 specs for VAmPI", "title": "VAmPI", "version": "0.1" }, "openapi": "3.0.1", "paths": { "/users/v1/{username}/email": { "put": { "description": "Update a single users email", "operationId": "api_views.users.update_email", "security": [ { "bearerAuth": [] } ], ... "servers": [ { "url": "http://localhost:5000" } ] } ``` -------------------------------- ### Simple GET Request Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/scan-curl.mdx Perform a basic GET request to an API endpoint. ```shell vulnapi scan curl https://api.example.com/endpoint ``` -------------------------------- ### Example GitHub Actions Workflow for VulnAPI Source: https://github.com/cerberauth/vulnapi/blob/main/docs/github-action.mdx This workflow demonstrates how to set up a GitHub Action to run VulnAPI scans on your API. It checks out the code, then uses the VulnAPI action with a provided curl command and authentication token. ```yaml name: VulnAPI on: [push] permissions: contents: read jobs: build: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v6 - name: VulnAPI uses: cerberauth/vulnapi-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: curl: 'curl http://localhost:8080 -H "Authorization: Bearer eyJhbGci..."' ``` -------------------------------- ### Exclude Discovery Scans Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/scan-ids.mdx Utilize the --exclude-scans flag with a wildcard to prevent specific scan categories from running. This example excludes all scans starting with 'discover.'. ```bash # Exclude all discovery checks vulnapi scan curl ... --exclude-scans "discover.*" ``` -------------------------------- ### OpenAPI Scan Command Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-cookies.mdx Example of how to use the vulnapi CLI to scan an OpenAPI definition for HTTP cookie misconfigurations. ```bash echo "eyJhbGciOiJSUzUxMiI..." | vulnapi scan openapi [OpenAPI_Path_Or_URL] --scans misconfiguration.http_cookies ``` -------------------------------- ### GraphQL Scan Command Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-cookies.mdx Example of how to use the vulnapi CLI to scan a GraphQL endpoint for HTTP cookie misconfigurations. ```bash vulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans misconfiguration.http_cookies [url] ``` -------------------------------- ### Run VulnAPI using Docker Source: https://github.com/cerberauth/vulnapi/blob/main/docs/installation.mdx Use VulnAPI as a Docker container by running this command. This example shows how to scan a cURL command. ```bash docker run --rm cerberauth/vulnapi scan curl [API_URL] [CURL_OPTIONS] ``` -------------------------------- ### Upgrade VulnAPI via Snap Source: https://github.com/cerberauth/vulnapi/blob/main/docs/installation.mdx Command to refresh VulnAPI to the latest version when installed via Snap. ```bash sudo snap refresh vulnapi ``` -------------------------------- ### Example Valid JWT Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-kid-injection.mdx An example of a valid JWT signed with HS256 algorithm. ```text eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c ``` -------------------------------- ### Start VulnAPI Server on Default Port Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/serve.mdx Starts the VulnAPI HTTP server on the default port (8080). Use this command to enable programmatic scan triggering via the REST API. ```sh vulnapi serve ``` -------------------------------- ### Example Vulnerable JWT (None Algorithm) Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-alg-none.mdx An example of a JWT that is improperly authorized when the implementation is vulnerable to the 'alg none' attack. It has the algorithm set to 'none'. ```bash eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaWF0IjoxNTE2MjM5MDIyfQ. ``` -------------------------------- ### Example Valid JWT (RS512) Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-alg-none.mdx A valid JSON Web Token signed with the RS512 algorithm. This serves as a baseline for comparison. ```bash eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaWF0IjoxNTE2MjM5MDIyfQ.MnECRBSUQEi8GjiAyWHPhPhhpzCiMLldkq-N_VS-iwI08c4xEVUhT1Xrx9kNGuwusiQuLI3AOBTPwtbdaasQDCOpF0nxxQNKkufJYFds61ooFZfXCuRyXe1yGnXPRzTfgr5YVe9-T8_JDccx5JP70d9hoO4DU4GNYQMvrOQl4xu8DEyyDT2hsjyTbrodVhrV9znMfEBCsYPPLI-Q-HYLquGThPdJe2kBNA-CiLRV6Mwzji67cTd_4P_oUHKXsAxMqVpo-xC2xiVpO2P9X1__uXrRrfiNFUur4B71UMgGYJ2z_cQqwFfSXz9glBIf_-BJU10Rkmyo2ew862d7WsHx8g ``` -------------------------------- ### FastAPI Global Authentication Middleware Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/authentication-bypass.mdx Example using FastAPI and HTTPBearer to enforce authentication globally for all API endpoints. ```python # FastAPI example — require authentication globally from fastapi import Depends, HTTPException, Security from fastapi.security import HTTPBearer security = HTTPBearer() @app.get("/api/users/profile") async def get_profile(credentials = Security(security)): # credentials.credentials is the Bearer token user = verify_token(credentials.credentials) return user ``` -------------------------------- ### cURL Scan Command Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-cookies.mdx Example of how to use the vulnapi CLI to scan a URL for HTTP cookie misconfigurations using cURL. ```bash vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans misconfiguration.http_cookies ``` -------------------------------- ### Upgrade VulnAPI via Homebrew Source: https://github.com/cerberauth/vulnapi/blob/main/docs/installation.mdx Command to upgrade VulnAPI to the latest version when installed via Homebrew. ```bash brew upgrade vulnapi ``` -------------------------------- ### SameSite=None Without Restrictions Example Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-cookies.mdx Shows a vulnerable Set-Cookie header with SameSite=None without necessary restrictions. This setting allows cookies in cross-site contexts, potentially enabling CSRF if Secure is not also set. ```http Set-Cookie: session=abc123; SameSite=None ← vulnerable ``` ```http Set-Cookie: session=abc123; SameSite=Strict; Secure ← correct ``` -------------------------------- ### Upgrade VulnAPI via Chocolatey Source: https://github.com/cerberauth/vulnapi/blob/main/docs/installation.mdx Command to upgrade VulnAPI to the latest version when installed via Chocolatey. ```powershell choco upgrade vulnapi ``` -------------------------------- ### Secure Flag Missing Example Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-cookies.mdx Illustrates a Set-Cookie header lacking the Secure flag. The Secure flag ensures the cookie is only sent over HTTPS connections. ```http Set-Cookie: session=abc123 ← vulnerable ``` ```http Set-Cookie: session=abc123; Secure ← correct ``` -------------------------------- ### JWT Signed with Blank Secret Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-blank-secret.mdx An example of a JWT signed with an empty secret. This token is vulnerable to tampering. ```bash eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.rpOjSoJBjzZifWAc-MBQ4UVS9tOY7gJV8cN0j6bN1oA ``` -------------------------------- ### Run Specific JWT Scan Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/scan-ids.mdx Use the --scans flag with a specific scan ID to run only that check. This example targets the 'jwt.alg_none' scan. ```bash # Run only JWT checks vulnapi scan curl https://api.example.com -H "Authorization: Bearer " --scans jwt.alg_none ``` -------------------------------- ### Nginx Configuration to Restrict HTTP Methods Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-trace-track.mdx Configure Nginx to only allow specific HTTP methods (GET, POST, PUT, DELETE, PATCH, OPTIONS) and deny others like TRACE and TRACK. ```nginx location / { limit_except GET POST PUT DELETE PATCH OPTIONS { deny all; } } ``` -------------------------------- ### Vulnerable Unauthenticated Request Example Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/authentication-bypass.mdx Illustrates a vulnerable scenario where an unauthenticated request to a protected endpoint returns a 200 OK status instead of an error. ```http GET /api/users/profile HTTP/1.1 HTTP/1.1 200 OK ← vulnerable! ``` -------------------------------- ### Valid JWT Signed with HS256 Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-blank-secret.mdx An example of a correctly signed JWT using the HS256 algorithm. This token is cryptographically protected. ```bash eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.SCC35SSgMSMr0kV1i_TuPAhiSGtsC1cFGCfvaus5GyU ``` -------------------------------- ### Example of a JWT Signed with a Weak Secret ('secret') Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-weak-secret.mdx This JWT is signed with the common and weak secret 'secret'. Such tokens are vulnerable to manipulation by attackers who can easily guess or brute-force the secret. ```bash eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MTYyNDI2MjIsImlhdCI6MTUxNjIzOTAyMiwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0.gTgBr6lotpAxs4M46PgUXrjhIN5-gYG4HffKSEIB6Ys ``` -------------------------------- ### Example Google JWT (ID Token) Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-cross-service-relay-attack.mdx This JSON object represents a typical ID Token issued by Google, including claims like issuer, audience, subject, and email. ```json { "iss": "https://accounts.google.com", "azp": "1234987819200.apps.googleusercontent.com", "aud": "1234987819200.apps.googleusercontent.com", "sub": "10769150350006150715113082367", "at_hash": "HK6E_P6Dh8Y93mRNtsDB1Q", "hd": "example.com", "email": "jsmith@example.com", "email_verified": "true", "iat": 1353601026, "exp": 1353604926, "nonce": "0394852-3190485-2490358" } ``` -------------------------------- ### Scan for GraphQL Introspection Enabled Vulnerability Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/graphql-introspection.mdx Use this command to scan a target URL specifically for the GraphQL introspection enabled vulnerability. Ensure the vulnapi tool is installed and configured. ```bash vulnapi scan graphql [url] --scans graphql.introspection_enabled ``` -------------------------------- ### HttpOnly Flag Missing Example Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-cookies.mdx Demonstrates a vulnerable Set-Cookie header missing the HttpOnly flag. The HttpOnly flag prevents JavaScript from accessing the cookie. ```http Set-Cookie: session=abc123 ← vulnerable ``` ```http Set-Cookie: session=abc123; HttpOnly ← correct ``` -------------------------------- ### JWT with Null Signature Attack Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-null-signature.mdx An example of a JWT where the signature part has been intentionally removed or set to null, demonstrating the null signature vulnerability. ```bash eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjkxNTU4MDksImlhdCI6MTcyOTE1MjIwOSwibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMmNiMzA3YmEtYmI0Ni00MTk0LTg1NGYtNDc3NDA0NmQ5YzliIn0. ``` -------------------------------- ### View Complete CLI Help Source: https://github.com/cerberauth/vulnapi/blob/main/README.md Execute this command to display all available VulnAPI commands and flags. ```bash vulnapi -h ``` -------------------------------- ### Global CLI Usage Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/index.mdx Shows the general structure for using the vulnapi CLI, including how to access help and version information. ```sh vulnapi [flags] vulnapi --help vulnapi version ``` -------------------------------- ### Discover APIs Across All Subdomains Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/discover-domain.mdx Run the command to discover APIs across all common subdomains of a given domain. No specific flags are required for basic discovery. ```bash vulnapi discover domain example.com ``` -------------------------------- ### VulnAPI CLI Help Output Source: https://github.com/cerberauth/vulnapi/blob/main/README.md This is the detailed output of the `vulnapi -h` command, listing available commands and flags. ```bash vulnapi Usage: vulnapi [command] Available Commands: completion Generate the autocompletion script for the specified shell help Help about any command jwt Generate JWT tokens scan API Scan serve Start the server Flags: -h, --help help for vulnapi --sqa-opt-out Opt out of sending anonymous usage statistics and crash reports to help improve the tool Use "vulnapi [command] --help" for more information about a command. ``` -------------------------------- ### Discover API Information Source: https://github.com/cerberauth/vulnapi/blob/main/README.md Execute this command to discover useful information about a target API, including leaked files and well-known paths. The output provides details on API types, technologies, and services. ```bash vulnapi discover api [API_URL] ``` -------------------------------- ### Basic Usage of VulnAPI OpenAPI Scan Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/scan-openapi.mdx Use this command to initiate a scan against an OpenAPI specification. Replace `` with the local file path or a remote URL of your OpenAPI spec. ```bash vulnapi scan openapi [flags] ``` -------------------------------- ### Go: Always Verify Allowed JWT Algorithms Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-not-verified.mdx This Go code snippet demonstrates how to properly parse a JWT by explicitly providing allowed algorithms using `jwt.WithValidMethods`. This helps prevent algorithm-confusion attacks. ```go // Go example — always pass allowed algorithms token, err := jwt.Parse(tokenString, keyFunc, jwt.WithValidMethods([]string{"RS256"}), ) ``` -------------------------------- ### Table Output: Technology Fingerprint Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/output-formats.mdx Shows detected framework, language, and server in a table format. ```text | TECHNOLOGIE/SERVICE | VALUE | |---------------------|---------------| | Framework | Flask:2.2.3 | | Language | Python:3.11.9 | | Server | Flask:2.2.3 | ``` -------------------------------- ### Testing HTTP TRACE/TRACK with OpenAPI Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-trace-track.mdx Scan for misconfiguration.http_trace and misconfiguration.http_track vulnerabilities using an OpenAPI specification. ```bash echo "eyJhbGciOiJSUzUxMiI..." | vulnapi scan openapi [OpenAPI_Path_Or_URL] --scans misconfiguration.http_trace --scans misconfiguration.http_track ``` -------------------------------- ### Test API Security Headers with OpenAPI Source: https://github.com/cerberauth/vulnapi/blob/main/docs/best-practices/security-headers.mdx Use this VulnAPI command to scan an OpenAPI specification for misconfigured HTTP security headers. ```bash vulnapi scan openapi [OpenAPI_Path_Or_URL] --scans misconfiguration.http_headers ``` -------------------------------- ### Scan API using OpenAPI Contracts Source: https://github.com/cerberauth/vulnapi/blob/main/README.md Scan an API by providing its OpenAPI contract. The JWT token for authentication is piped into the command. Replace [PATH_OR_URL_TO_OPENAPI_FILE] with the location of the OpenAPI file. ```bash echo "[JWT_TOKEN]" | vulnapi scan openapi [PATH_OR_URL_TO_OPENAPI_FILE] ``` -------------------------------- ### Table Output: Well-Known Paths Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/output-formats.mdx Displays discovered API spec and GraphQL endpoints in a table format. ```text | WELL-KNOWN PATHS | URL | |------------------|------------------------------------| | OpenAPI | http://localhost:5000/openapi.json | | GraphQL | N/A | ``` -------------------------------- ### Perform Discovery Scan with VulnAPI Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vampi.mdx Initiate a discovery scan of the VAmPI API using VulnAPI. This helps identify OpenAPI contracts and service information. ```bash vulnapi scan discover http://localhost:5000 ``` -------------------------------- ### No Expiration Example Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-cookies.mdx Presents a Set-Cookie header without an expiration date, making it a session cookie. Session cookies expire when the browser closes, which can lead to long-lived sessions if not managed properly. ```http Set-Cookie: session=abc123 ← no expiry ``` ```http Set-Cookie: session=abc123; Max-Age=3600 ← expires after 1 hour ``` -------------------------------- ### Pass an Authorization header Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/discover-api.mdx When an API requires authentication, you can pass custom headers like 'Authorization' to the 'discover api' command. Ensure the token format is correct for the target API. ```sh vulnapi discover api https://api.example.com \ -H "Authorization: Bearer " ``` -------------------------------- ### Testing HTTP TRACE/TRACK with GraphQL Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-trace-track.mdx Scan for misconfiguration.http_trace and misconfiguration.http_track vulnerabilities against a GraphQL endpoint. ```bash vulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans misconfiguration.http_trace --scans misconfiguration.http_track [url] ``` -------------------------------- ### Scan API using Curl-like CLI Source: https://github.com/cerberauth/vulnapi/blob/main/README.md Perform a scan on an API using a command structure similar to curl. Replace [API_URL] with the target API's URL and [CURL_OPTIONS] with any necessary curl flags. ```bash vulnapi scan curl [API_URL] [CURL_OPTIONS] ``` -------------------------------- ### Example Forged Google JWT Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-cross-service-relay-attack.mdx This JSON object demonstrates a forged ID Token where the 'aud' claim has been altered to an attacker's project Client ID. This highlights the vulnerability if the 'aud' claim is not verified. ```json { "iss": "https://accounts.google.com", "azp": "1234987819201.apps.googleusercontent.com", "aud": "1234987819201.apps.googleusercontent.com", "sub": "10769150350006150715113082367", "at_hash": "HK6E_P6Dh8Y93mRNtsDB1Q", "hd": "example.com", "email": "jsmith@example.com", "email_verified": "true", "iat": 1353601026, "exp": 1353604926, "nonce": "0394852-3190485-2490358" } ``` -------------------------------- ### Testing JWT Alg None with OpenAPI Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-alg-none.mdx Command to scan an OpenAPI definition for the JWT 'alg none' vulnerability using VulnAPI. ```bash echo "eyJhbGciOiJSUzUxMiI..." | vulnapi scan openapi [OpenAPI_Path_Or_URL] --scans jwt.alg_none ``` -------------------------------- ### Testing HTTP TRACE/TRACK with cURL Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-trace-track.mdx Use this cURL command to scan for misconfiguration.http_trace and misconfiguration.http_track vulnerabilities. ```bash vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans misconfiguration.http_trace --scans misconfiguration.http_track ``` -------------------------------- ### Test API Security Headers with GraphQL Source: https://github.com/cerberauth/vulnapi/blob/main/docs/best-practices/security-headers.mdx Use this VulnAPI command to scan a GraphQL endpoint for misconfigured HTTP security headers. ```bash vulnapi scan graphql --scans misconfiguration.http_headers [url] ``` -------------------------------- ### Upgrade VulnAPI via Docker Source: https://github.com/cerberauth/vulnapi/blob/main/docs/installation.mdx Command to pull the latest VulnAPI Docker image to upgrade. ```bash docker pull cerberauth/vulnapi ``` -------------------------------- ### Scan VAmPI API with OpenAPI Contract Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vampi.mdx Execute a scan on the VAmPI API using a pre-defined OpenAPI contract file. This allows for targeted vulnerability detection based on the API's specification. ```bash vulnapi scan openapi vampi-openapi.json ``` -------------------------------- ### Scan Non-GET Endpoint Source: https://github.com/cerberauth/vulnapi/blob/main/docs/first-scan.mdx Use -X to specify the HTTP method and -d to send a request body for non-GET requests. Ensure Content-Type is set appropriately. ```bash vulnapi scan curl https://api.example.com/login \ -X POST \ -d '{"username":"alice","password":"secret"}' \ -H "Content-Type: application/json" ``` -------------------------------- ### Limit Request Rate for Domain Discovery Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/discover-domain.mdx Use the `--rate` flag to control the request rate per second during subdomain discovery. This helps manage network load and avoid overwhelming target systems. ```bash vulnapi discover domain example.com --rate 5/s ``` -------------------------------- ### Python: Verify JWT Algorithms and Audience Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-not-verified.mdx This Python code snippet shows how to decode a JWT, ensuring signature verification and specifying allowed algorithms and audience. The `verify=True` is the default behavior. ```python # Python example — always pass algorithms and verify=True (default) payload = jwt.decode(token, public_key, algorithms=["RS256"], audience="my-service") ``` -------------------------------- ### Test API Security Headers with cURL Source: https://github.com/cerberauth/vulnapi/blob/main/docs/best-practices/security-headers.mdx Use this cURL command with VulnAPI to scan for misconfigured HTTP security headers on a given URL. ```bash vulnapi scan curl [url] --scans misconfiguration.http_headers ``` -------------------------------- ### POST Request with JSON Body and Authorization Header Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/scan-curl.mdx Execute a POST request with a JSON payload and an Authorization header. ```shell vulnapi scan curl https://api.example.com/endpoint \ -X POST \ -d '{"key":"value"}' \ -H "Authorization: Bearer " ``` -------------------------------- ### Scan for HTTP Method Override using OpenAPI Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-method-allow-override.mdx Use this command to scan an OpenAPI definition for HTTP Method Override misconfigurations. ```bash vulnapi scan openapi [OpenAPI_Path_Or_URL] --scans misconfiguration.http_method_override ``` -------------------------------- ### Parse JWT with Valid Methods in Go Source: https://github.com/cerberauth/vulnapi/blob/main/docs/best-practices/jwt.mdx Configure your JWT library to explicitly reject the 'alg: none' method and only accept specified secure algorithms. This prevents unsecured tokens from being accepted. ```go // Go example using golang-jwt token, err := jwt.Parse(tokenString, keyFunc, jwt.WithValidMethods([]string{"RS256", "ES256"})) ``` -------------------------------- ### Testing JWT Alg None with GraphQL Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-alg-none.mdx Command to scan a GraphQL endpoint for the JWT 'alg none' vulnerability using VulnAPI. ```bash vulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.alg_none [url] ``` -------------------------------- ### JWT Generate Command Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/jwt-generate.mdx Generates a new JWT by re-signing an existing token with a specified algorithm and secret. The original claims are preserved. ```APIDOC ## vulnapi jwt generate ### Description Parse an existing JWT and re-sign it with a new algorithm and key. The original claims are preserved. Useful for manually crafting tokens to test JWT vulnerability mitigations. ### Usage ```sh vulnapi jwt generate --alg --secret ``` ### Parameters #### Path Parameters - **TOKEN** (string) - Required - The existing JWT to parse. #### Query Parameters - **--alg** (string) - Required - Signing algorithm. Accepted values: `HS256`, `HS384`, `HS512`, `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `NONE`. - **--secret** (string) - Required for HMAC algorithms - Secret key to sign the token. - **--aud** (string) - Optional - Audience claim (`aud`) to set in the token. ### Examples **Re-sign with a different HMAC secret** ```sh vulnapi jwt generate eyJhbGciOiJIUzI1NiI... --alg HS256 --secret newsecret ``` **Strip the signature (alg=none)** ```sh vulnapi jwt generate eyJhbGciOiJIUzI1NiI... --alg NONE ``` **Re-sign with a custom audience** ```sh vulnapi jwt generate eyJhbGciOiJIUzI1NiI... --alg HS256 --secret mysecret --aud myservice ``` ### Output The signed token string is printed to stdout. ### Exit Codes - **0**: Token generated successfully - **1**: Invalid input token, unknown algorithm, or missing required flags ``` -------------------------------- ### VulnAPI OpenAPI Scan Command Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/authentication-bypass.mdx Scan an OpenAPI definition for authentication bypass vulnerabilities using VulnAPI. Requires piping the token. ```bash echo "eyJhbGciOiJSUzUxMiI..." | vulnapi scan openapi [OpenAPI_Path_Or_URL] --scans generic.accept_unauthenticated_operation ``` -------------------------------- ### Scan for HTTP Method Override using GraphQL Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-method-allow-override.mdx Use this command to scan a GraphQL endpoint for HTTP Method Override misconfigurations. ```bash vulnapi scan graphql --scans misconfiguration.http_method_override [url] ``` -------------------------------- ### Scan API using GraphQL Endpoint Source: https://github.com/cerberauth/vulnapi/blob/main/docs/index.mdx Perform a security scan on a GraphQL endpoint. Include the Authorization header with a valid JWT token for authentication. ```bash vulnapi scan graphql [GRAPHQL_ENDPOINT] -H "Authorization: Bearer [JWT_TOKEN]" ``` -------------------------------- ### Scan Local OpenAPI Spec with Token via Stdin Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/scan-openapi.mdx Pipe a bearer token via stdin to authenticate scans against a local OpenAPI file. The token will be used for any security schemes that accept a bearer token. ```bash echo "" | vulnapi scan openapi ./openapi.json ``` -------------------------------- ### Scan GraphQL Endpoint with Bearer Token Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/scan-graphql.mdx Use this command to scan a GraphQL endpoint when authentication is required via a Bearer token. Ensure the token is valid. ```bash vulnapi scan graphql https://api.example.com/graphql \ -H "Authorization: Bearer " ``` -------------------------------- ### Testing JWT Alg None with cURL Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-alg-none.mdx Command to scan a URL for the JWT 'alg none' vulnerability using VulnAPI with cURL. ```bash vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.alg_none ``` -------------------------------- ### Scan with JSON Report Output Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/output-formats.mdx Exports a structured JSON report to a file. Use this for automated processing or CI/CD artifact storage. ```bash vulnapi scan curl https://api.example.com/endpoint \ -H "Authorization: Bearer " \ --report-format json \ --report-transport file \ --report-file report.json ``` -------------------------------- ### Scan JWT KID Injection with OpenAPI Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-kid-injection.mdx Use the vulnAPI tool with OpenAPI definitions to scan for JWT KID injection vulnerabilities. ```bash echo "eyJhbGciOiJIUzI1NiI..." | vulnapi scan openapi [OpenAPI_Path_Or_URL] --scans jwt.kid_injection ``` -------------------------------- ### Scan JWT KID Injection with GraphQL Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-kid-injection.mdx Use the vulnAPI tool with GraphQL to scan for JWT KID injection vulnerabilities. ```bash vulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJIUzI1NiI..." --scans jwt.kid_injection [url] ``` -------------------------------- ### Verifying TRACE Method Remediation Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-trace-track.mdx Test if the TRACE method is correctly disabled by sending a TRACE request and expecting a 405 Method Not Allowed response. ```bash curl -X TRACE https://api.example.com/ -i # Expected: HTTP/1.1 405 Method Not Allowed ``` -------------------------------- ### Output GraphQL Scan Results as JSON Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/scan-graphql.mdx Configure the scan to output results in JSON format and save them to a specified file. This is ideal for programmatic processing of scan findings. ```bash vulnapi scan graphql https://api.example.com/graphql \ --report-format json \ --report-file report.json ``` -------------------------------- ### VulnAPI GraphQL Scan Command Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/authentication-bypass.mdx Scan a GraphQL endpoint for authentication bypass vulnerabilities with VulnAPI, including the Authorization header. ```bash vulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans generic.accept_unauthenticated_operation [url] ``` -------------------------------- ### Express.js Middleware to Reject TRACE/TRACK Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-trace-track.mdx Implement Express.js middleware to explicitly reject TRACE and TRACK HTTP methods, returning a 405 Method Not Allowed status. ```javascript app.use((req, res, next) => { if (req.method === 'TRACE' || req.method === 'TRACK') { return res.status(405).send('Method Not Allowed'); } next(); }); ``` -------------------------------- ### Scan with YAML Report Output Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/output-formats.mdx Exports a structured YAML report to a file. Contains the same data as JSON output. ```bash vulnapi scan curl https://api.example.com/endpoint \ --report-format yaml \ --report-transport file \ --report-file report.yaml ``` -------------------------------- ### Scan for HTTP Method Override using cURL Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-method-allow-override.mdx Use this command to scan a URL for HTTP Method Override misconfigurations using cURL. ```bash vulnapi scan curl [url] --scans misconfiguration.http_method_override ``` -------------------------------- ### Secure X-Frame-Options Header for APIs Source: https://github.com/cerberauth/vulnapi/blob/main/docs/best-practices/security-headers.mdx The X-Frame-Options header set to 'DENY' protects against clickjacking attacks by preventing the API response from being displayed within a frame or iframe on another domain. ```http X-Frame-Options: DENY ``` -------------------------------- ### Override Multiple Security Schemes for Local OpenAPI Scan Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/scan-openapi.mdx Provide multiple `--security-schemes` flags to override tokens for different security schemes, like `bearerAuth` and `apiKey`. ```bash vulnapi scan openapi ./openapi.json \ --security-schemes bearerAuth= \ --security-schemes apiKey= ``` -------------------------------- ### Scan Remote OpenAPI Spec with Token via Stdin Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/scan-openapi.mdx Pipe a bearer token via stdin to authenticate scans against a remote OpenAPI file. This is useful for APIs hosted online. ```bash echo "" | vulnapi scan openapi https://api.example.com/.well-known/openapi.json ``` -------------------------------- ### Generate JWT with Algorithm NONE Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/jwt-generate.mdx Strip the signature from an existing JWT by setting the algorithm to NONE. This is useful for testing systems that do not properly validate token signatures. ```bash vulnapi jwt generate eyJhbGciOiJIUzI1NiI... --alg NONE ``` -------------------------------- ### Test JWT Blank Secret with OpenAPI Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-blank-secret.mdx Pipe a JWT token to VulnAPI's scan command to test for the JWT blank secret vulnerability using an OpenAPI definition. ```bash echo "eyJhbGciOiJSUzUxMiI..." | vulnapi scan openapi [OpenAPI_Path_Or_URL] --scans jwt.blank_secret ``` -------------------------------- ### Scan GraphQL Endpoint Through Proxy Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/scan-graphql.mdx Scan a GraphQL endpoint while routing traffic through a specified proxy server. This is useful for network environments with restrictions or for traffic inspection. ```bash vulnapi scan graphql https://api.example.com/graphql \ -H "Authorization: Bearer " \ --proxy http://localhost:8080 ``` -------------------------------- ### Apache Configuration to Disable TRACE Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-trace-track.mdx Globally disable the HTTP TRACE method in Apache server configuration. ```apache TraceEnable Off ``` -------------------------------- ### Scan Authenticated Endpoint Source: https://github.com/cerberauth/vulnapi/blob/main/docs/first-scan.mdx Pass an Authorization header to scan endpoints that require authentication. Repeat -H for additional headers like API keys. ```bash vulnapi scan curl https://api.example.com/endpoint \ -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9..." ``` ```bash vulnapi scan curl https://api.example.com/endpoint \ -H "Authorization: Bearer " \ -H "X-API-Key: " ``` -------------------------------- ### Scan JWT KID Injection with cURL Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-kid-injection.mdx Use the vulnAPI tool with cURL to scan for JWT KID injection vulnerabilities. ```bash vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJIUzI1NiI..." --scans jwt.kid_injection ``` -------------------------------- ### Run JWT-Related Scans Source: https://github.com/cerberauth/vulnapi/blob/main/docs/reference/cli/scan-curl.mdx Filter scans to include only those related to JWT by using a wildcard pattern. ```shell vulnapi scan curl https://api.example.com/endpoint \ -H "Authorization: Bearer " \ --scans "jwt.*" ``` -------------------------------- ### Secure Cross-Origin Resource Sharing (CORS) Header for APIs Source: https://github.com/cerberauth/vulnapi/blob/main/docs/best-practices/security-headers.mdx Configure the Access-Control-Allow-Origin header to specify which trusted domains are permitted to access API resources, preventing unauthorized access. ```http Access-Control-Allow-Origin: https://trusted-domain.com ``` -------------------------------- ### cURL Command for JWT Null Signature Scan Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-null-signature.mdx Use this cURL command with VulnAPI to scan a target URL for the JWT null signature vulnerability. Ensure the Authorization header is correctly formatted. ```bash vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.null_signature ``` -------------------------------- ### Generate Secure HMAC Secret Source: https://github.com/cerberauth/vulnapi/blob/main/docs/best-practices/jwt.mdx Generate a cryptographically secure 256-bit random secret for HMAC signing algorithms. This ensures the secret is not guessable or weak. ```bash # Generate a secure 256-bit secret (Linux/macOS) openssl rand -base64 32 ``` -------------------------------- ### Scan JWT Weak Secret with GraphQL Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-weak-secret.mdx Employ this VulnAPI command to scan for JWT Weak Secret vulnerabilities in a GraphQL endpoint. Provide the URL and include the Authorization header with a bearer token. ```bash vulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.weak_secret [url] ``` -------------------------------- ### Test JWT Blank Secret with cURL Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-blank-secret.mdx Use this cURL command with VulnAPI to scan for the JWT blank secret vulnerability against a specific URL. ```bash vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans jwt.blank_secret ``` -------------------------------- ### Header of Vulnerable JWT (None Algorithm) Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-alg-none.mdx The header of a JWT that is vulnerable, explicitly setting the algorithm to 'none'. ```json { "alg": "none", "typ": "JWT" } ``` -------------------------------- ### Remediation: Secure Cookie Attributes Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/security-misconfiguration/http-cookies.mdx Shows a correctly configured Set-Cookie header with all essential security flags set. This includes HttpOnly, Secure, SameSite, Max-Age, and Path. ```http Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict; Max-Age=3600; Path=/ ``` -------------------------------- ### JWT KID Header Injection - Path Traversal Variant Source: https://github.com/cerberauth/vulnapi/blob/main/docs/vulnerabilities/broken-authentication/jwt-kid-injection.mdx Set the 'kid' header to '/dev/null' to make the server read an empty file as the signing key, which can be matched with an empty HMAC secret. ```json { "alg": "HS256", "typ": "JWT", "kid": "/dev/null" } ```