SBN

Tiredful API Part One

In this post, I will explain how to solve Tiredful-API. Let’s start.

TIREDFUL-API is an intentionally designed broken web application based on REST API. The App aims to teach developers/QA/security professionals, flaws that are generally present in web services (REST API) due to poor or insecure coding practices.

Please find below the screenshot of Tiredful-API –


In the current version, Tiredful-API includes following vulnerabilities for practice –

  • Information Disclosure
  • Insecure Direct Object Reference
  • Access Control
  • Throttling
  • SQL Injection (SQLite)
  • Cross Site Scripting.

Tiredful-API can be set up in two ways:

  1. Running the server on the local system
  2. Docker Container

Running the server on the local system

In this method, the Tiredful-API can be set up on the local system by downloading the files from the official source. Tiredful-API can be downloaded from here. Once you have downloaded the setup, extract the zip file, and you should see the files shown below –

Click on the Tiredful-API folder for the files shown below –


We need to run manage.py file for starting the API web server. The Tiredful-API is developed using Django Framework and Django Rest Framework, so one should have Django and Python installed on the local system. Once you have both the software installed, the web server can be simply started using the command –

python manage.py runserver

If static files fail to load, then just execute the above command with the insecure flag. The command with the insecure flag is – python manage.py runserver –insecure

This should start the web server on the local system. By default, the web server runs on port number 8000.

Docker Container

Tiredful-API can be run via Docker. Execute the following command to run via Docker:

docker build -t tiredful.

docker run -p 8000:8000 –name tiredful -it tiredful

Browse (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Nitesh Malviya. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/8FQGd2JTZwY/