I summarize the article about the Very Vulnerable Management API (VVMA), detailing the intentionally introduced OWASP Top 10 API security risks and specific vulnerabilities found across registration, login, password reset, group and user management, and token handling. The piece highlights weaknesses such as weak password policies, email enumeration, JWT issues, no rate limiting, SQL injection, plaintext storage, and various authorization flaws, along with suggested mitigations.
#AbigailInyang #VVMA #JWT #SQLInjection #EmailEnumeration
Key points
- VVMA is a deliberately vulnerable RESTful API for learning and testing security risks.
- Weak password policies and plaintext password storage are demonstrated across register and reset endpoints.
- Email enumeration: error messages on the registration, login, and password reset endpoints disclose whether an email address is already registered.
- JWT weaknesses include weak secrets, poor implementation, and token manipulation risks.
- Multiple authorization flaws (BOLA, BOPLA, BFLA: broken object-level, object-property-level, and function-level authorization) and attacks such as SQL injection are shown, with a focus on remediation.
Read More: https://relaaxx.medium.com/very-vulnerable-management-api-writeup-56fe55ef28f8