Damn Vulnerable RESTaurant: Open-source API service designed for learning
Damn Vulnerable RESTaurant is an open-source project that allows developers to learn to identify and fix security vulnerabilities in their code through an interactive game.
“I wanted to create a generic playground for ethical hackers, developers, and security engineers where they could identify, exploit, or fix vulnerabilities. Furthermore, security engineers could implement new vulns and test their detection tools because the Python FastAPI framework allows quick development,” Krzysztof Pranczk, the creator of Damn Vulnerable RESTaurant, told Help Net Security.
How Damn Vulnerable RESTaurant works
Damn Vulnerable RESTaurant is managed by a Chef who has learned that threat actors compromised his restaurant’s API and system. He suspects involvement from a rival restaurant.
The goal of the challenge is to identify and remediate vulnerabilities using the provided clues. Participants explore the attack methodologies and fix security flaws to protect the application. By the end of the challenge, they will discover the attacker’s identity.
Participants may also opt to assume the role of an attacker, exploiting existing vulnerabilities. The application features numerous security weaknesses beyond those outlined in the challenge, offering multiple routes to obtain root access, starting as an unauthenticated API user.
The restaurant’s API is built with the Python FastAPI framework and uses a PostgreSQL database. Both the API and the database are containerized with Docker, allowing fast deployment and configuration with Docker Compose.
Future plans and download
“I plan to improve the app and add new vulnerabilities over time. I’m also improving the learning experience and making it as user-friendly (developer-friendly) as possible. For example, recently, I added GitHub Codespaces instructions, which allow you to play a game directly in the browser with just a few clicks,” Pranczk concluded.
Damn Vulnerable RESTaurant is available for free on GitHub.