Introduction
This was a group project in which the team developed security features and hardening techniques for a web Application Programming Interface (API) built with Flask. We were required to create two versions of the project: a vulnerable version, and a secured version in which every issue present in the vulnerable version is fixed according to the OWASP API Security Top 10.
Members:
- Jingling
- Laraine
- Jonathan
- Owen
Assigned OWASP API Vulnerability
| Name | Vulnerabilities |
|---|---|
| Jingling | API1: Broken Object Level Authorization; API6: Mass Assignment |
| Laraine | API2: Broken User Authentication; API5: Broken Function Level Authorization |
| Jonathan | API3: Excessive Data Exposure; API7: Security Misconfiguration |
| Owen | API4: Lack of Resources and Rate Limiting; API8: Injection |
Tools Used:
- Postman (test API)
- SQLite (open database)
Vulnerable Version
Requirements:
```shell
pip install Flask
pip install Flask-Mail
pip install Flask-JWT-Extended
pip install Flask-SQLAlchemy
pip install flask-Marshmallow
pip install flask-rest-paginate
pip install itsdangerous
```
Scanning Vulnerabilities:
- Static
- Dynamic
Secured Version
Requirements:
```shell
pip install Flask
pip install Flask-Mail
pip install Flask-JWT-Extended
pip install Flask-SQLAlchemy
pip install Flask-RESTful
pip install Flask-Limiter
pip install flask-Marshmallow
pip install flask-talisman
pip install itsdangerous
pip install twilio
pip install bcrypt
pip install pyotp
pip install cryptography
pip install APScheduler
pip install safety
pip install pyOpenSSL
```