APIGOAT Educational

A deliberately vulnerable RESTful API showcasing OWASP API Security Top 10 (2023) vulnerabilities. Perfect for penetration testing training, secure coding education, and API security research.

  • 10 OWASP vulnerabilities
  • 11 microservices
  • ~60 API endpoints
  • 1-click setup

Why APIGOAT?

Educational Excellence

Learn API security through hands-on exploitation of real-world vulnerability patterns following OWASP API Top 10 2023.

Cloud-Native Ready

Fully containerized with Docker Compose. One command launches 11 microservices with MongoDB, zero configuration needed.

Safe Learning Environment

Isolated Docker network ensures safe exploitation practice without risk to production systems or real data.

Real Code Examples

Study actual vulnerable code patterns and their secure alternatives. Perfect for code review training.

Tool Testing Platform

Test security scanners like Burp Suite, OWASP ZAP, and custom fuzzing tools against known vulnerabilities.

CTF Ready

Perfect for Capture The Flag competitions, security workshops, and API penetration testing labs.

OWASP API Top 10 (2023) Coverage

Each API demonstrates one OWASP API Top 10 category.

1. Broken Object Level Authorization (BOLA)

   Read other users' files because the handler never checks that the requested object belongs to the caller. Demonstrates horizontal privilege escalation.

2. Broken Authentication

   Credentials sent in clear text over HTTP, no throttling or lockout on repeated login attempts, and the session token carried in the request body instead of the Authorization header.

3. Broken Object Property Level Authorization

   Responses expose sensitive properties such as the isAdmin flag and private posts to non-privileged users.

4. Unrestricted Resource Consumption

   No rate limiting and no pagination, so a single request can pull an unbounded result set and exhaust the service (denial of service).

5. Broken Function Level Authorization

   The authentication middleware is not applied to the create route, so resources can be created without any token.

6. Unrestricted Access to Sensitive Business Flows

   All flight bookings can be listed without authentication, exposing sensitive business data.

7. Server Side Request Forgery (SSRF)

   User-controlled URLs are fetched by the server, allowing requests to internal services and cloud metadata endpoints.

8. Security Misconfiguration

   A permissive CORS policy reflects any origin, letting a malicious site read authenticated responses cross-origin and steal data.

9. Improper Inventory Management

   Undocumented endpoints with unknown functionality remain reachable: hidden attack surface.

10. Unsafe Consumption of APIs

   Hardcoded API keys, and external API responses used without sanitization: credential leakage and injection risks.
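To make item 1 concrete, here is the BOLA pattern as a vulnerable Express-style handler next to its fixed version, plus the probe a tester runs to detect it. This is an added example, not code from the APIGOAT repository: the in-memory files collection, the user ids and the handler shape (a function taking a req object and returning a status and body) are constructed for illustration.

```javascript
// Constructed sample data standing in for the project's MongoDB files collection.
const files = new Map([
  ['f1', { id: 'f1', ownerId: 'alice', name: 'alice-tax-return.pdf' }],
  ['f2', { id: 'f2', ownerId: 'bob', name: 'bob-notes.txt' }],
  ['f3', { id: 'f3', ownerId: 'alice', name: 'alice-passport.jpg' }],
]);

// Vulnerable handler for GET /files/:id: the id comes from the URL and the
// owner is never compared with the caller, so any authenticated user can walk
// the id space and read everyone's files (horizontal privilege escalation).
function getFileVulnerable(req) {
  const file = files.get(req.params.id);
  if (!file) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: file };
}

// Fixed handler: the identity comes from req.user, which the auth middleware
// sets from the verified token, never from the URL or body. Ownership is
// checked before anything is returned, and a foreign id gets the same 404 as
// a missing one so the endpoint does not confirm which ids exist. With
// Mongoose the same effect comes from scoping the query itself, e.g.
// File.findOne({ _id: id, ownerId: req.user.id }).
function getFileFixed(req) {
  if (!req.user) return { status: 401, body: { error: 'unauthenticated' } };
  const file = files.get(req.params.id);
  if (!file || file.ownerId !== req.user.id) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: file };
}

// How a tester checks for BOLA: authenticate as one user, request a range of
// ids, and record every object that comes back belonging to someone else.
function probeBola(handler, attackerId, ids) {
  const leaked = [];
  for (const id of ids) {
    const res = handler({ params: { id }, user: { id: attackerId } });
    if (res.status === 200 && res.body.ownerId !== attackerId) leaked.push(id);
  }
  return leaked;
}

const ids = ['f1', 'f2', 'f3', 'f4'];
console.log('vulnerable leaks to bob:', probeBola(getFileVulnerable, 'bob', ids)); // [ 'f1', 'f3' ]
console.log('fixed leaks to bob:', probeBola(getFileFixed, 'bob', ids));           // []
```

The probe is the same loop you would run with Burp Intruder against the real service: one valid token, sequential ids, and a diff on which responses return 200 with someone else's ownerId.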
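Item 7 describes the server fetching whatever URL the user supplies. The added example below (not APIGOAT's code) shows the host a vulnerable fetch would actually connect to for the usual bypass payloads, and a validation function that only permits plain http(s) URLs to an explicit allowlist while also refusing loopback, private and link-local addresses. ALLOWED_HOSTS and the sample URLs are constructed for the example.

```javascript
// Hosts the server is allowed to fetch from (constructed for this example).
const ALLOWED_HOSTS = new Set(['api.weather.example', 'cdn.example']);

// Vulnerable behaviour: the user-supplied string goes straight to the HTTP
// client. This helper only reports the host that client would connect to, so
// the bypass forms in the demo below can be seen without making a request.
function targetOfVulnerable(rawUrl) {
  return new URL(rawUrl).hostname;
}

// The WHATWG URL parser normalises IPv4 hosts to dotted decimal, so one range
// check on the normalised hostname also covers 2130706433, 0x7f000001 and
// 0177.0.0.1 spellings of 127.0.0.1.
function isLoopbackPrivateOrLinkLocalIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||            // link-local, incl. cloud metadata 169.254.169.254
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Fixed behaviour: parse first, then reject anything that is not plain http(s)
// to an allowlisted host. The internal-address checks are defence in depth;
// the allowlist alone already excludes them.
function validateOutboundUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in url' };
  }
  const host = url.hostname.toLowerCase();
  if (host.startsWith('[')) {
    return { ok: false, reason: 'ipv6 literal' };
  }
  if (host === 'localhost' || host.endsWith('.localhost') || isLoopbackPrivateOrLinkLocalIPv4(host)) {
    return { ok: false, reason: 'internal address' };
  }
  if (!ALLOWED_HOSTS.has(host)) {
    return { ok: false, reason: 'host not allowlisted' };
  }
  return { ok: true, url: url.href };
}

// Constructed inputs: one legitimate request plus the classic SSRF payloads.
const samples = [
  'https://api.weather.example/v1/forecast?city=Ankara',
  'http://169.254.169.254/latest/meta-data/',
  'http://2130706433/',
  'http://api.weather.example@169.254.169.254/latest/meta-data/',
  'http://localhost:8001/admin',
  'file:///etc/passwd',
];
for (const s of samples) {
  let target;
  try { target = targetOfVulnerable(s); } catch { target = '(unparseable)'; }
  console.log(`${s}\n  vulnerable fetches: ${target}\n  fixed: ${JSON.stringify(validateOutboundUrl(s))}`);
}
```

Two caveats a reviewer would raise: this validates the string only, so the HTTP client must also refuse to follow redirects (an allowlisted host can 302 to the metadata service), and a hostname that passes today can be pointed at an internal address later via DNS rebinding, so production code should resolve the host and re-check the resolved IP before connecting.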

Technology Stack

Node.js 18
Express.js
MongoDB 7.0
Docker
Mongoose ODM
JWT + bcrypt
Bootstrap 5
Ubuntu 22.04

Quick Start

Get started in under 60 seconds.

Build from source:

Windows (PowerShell)

git clone https://github.com/yusufarbc/apigoat.git
cd apigoat
.\start.ps1

Linux / Mac

git clone https://github.com/yusufarbc/apigoat.git
cd apigoat
docker build -t apigoat:all . && docker run -d --name apigoat-all -p 8000-8010:8000-8010 -p 27017:27017 apigoat:all

What Happens?

  • A single Docker image is built (Node.js 18 + MongoDB 7.0)
  • The embedded MongoDB starts automatically
  • The 10 vulnerable APIs listen on ports 8001-8010
  • The web interface is served on port 8000
  • Everything runs inside the container, ready for exploitation practice

Note that -p 8000-8010:8000-8010 -p 27017:27017 publishes every service, MongoDB included, on all host interfaces. On a shared or untrusted network, prefix each mapping with 127.0.0.1: (for example -p 127.0.0.1:8000-8010:8000-8010 -p 127.0.0.1:27017:27017) so the deliberately vulnerable services are reachable only from your own machine.

Ready to Learn API Security?

Start your journey into API penetration testing and secure coding today

Star on GitHub