roottusk / vapi

vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios through exercises.

License: GNU General Public License v3.0

Languages: PHP 9.18%, Dockerfile 0.04%, Shell 0.14%, HTML 90.50%, Smarty 0.14%
Topics: owasp, api, apitop10, owasp-top-10, owasp-top-ten, vulnerable-application, appsec, appsec-tutorials, bugbounty, hacktoberfest

vapi's Introduction


vAPI (Vulnerable Adversely Programmed Interface) is a self-hostable API that mimics OWASP API Top 10 scenarios in the form of exercises.

Requirements

  • PHP
  • MySQL
  • Postman
  • MITM Proxy

Installation (Docker)

docker-compose up -d

Installation (Manual)

Copying the Code

cd <your-hosting-directory>
git clone https://github.com/roottusk/vapi.git

Setting up the Database

Import vapi.sql into a MySQL database.

Configure the DB credentials in vapi/.env.

Starting MySQL service

Run the following command (Linux):

service mysqld start

Starting Laravel Server

Go to the vapi directory and run:

php artisan serve

Setting Up Postman

  • Import vAPI.postman_collection.json in Postman
  • Import vAPI_ENV.postman_environment.json in Postman

OR

Use the public workspace:

https://www.postman.com/roottusk/workspace/vapi/

Usage

Browse http://localhost/vapi/ for the documentation.

After sending requests, refer to the Postman tests or environment for the generated tokens.

Deployment

Helm can be used to deploy to a Kubernetes namespace. The chart is in the vapi-chart folder. The chart requires one secret named vapi with the following values:

DB_PASSWORD: <database password to use>
DB_USERNAME: <database username to use>

Sample Helm install command: helm upgrade --install vapi ./vapi-chart --values=./vapi-chart/values.yaml

*** Important ***

The MYSQL_ROOT_PASSWORD on line 232 in the values.yaml must match that on line 184 in order to work.
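A pre-deploy check for the rule above, added here as an example that is not part of the vAPI project or its chart. It assumes the two entries are written as `MYSQL_ROOT_PASSWORD: <value>` lines; the sample values file is constructed, and the `create_vapi_secret` helper needs a live cluster.

```shell
#!/bin/sh
# Added example, not part of the vAPI project. Checks that every
# MYSQL_ROOT_PASSWORD entry in a Helm values file carries the same value,
# which the README says vapi-chart needs (lines 184 and 232 must match).
# Assumption: entries are written as "MYSQL_ROOT_PASSWORD: <value>".

# Print the value of every MYSQL_ROOT_PASSWORD line, one per line, with
# trailing "# comments" and surrounding quotes removed.
mysql_root_password_values() {
  sed -n 's/^[[:space:]]*MYSQL_ROOT_PASSWORD:[[:space:]]*//p' "$1" \
    | sed 's/[[:space:]]*#.*$//' \
    | tr -d "\"'"
}

# Succeed (exit 0) only when the file has at least two entries and they
# all agree; anything else makes the chart fail as the README warns.
check_mysql_root_password() {
  vals=$(mysql_root_password_values "$1")
  total=$(printf '%s\n' "$vals" | grep -c . || true)
  distinct=$(printf '%s\n' "$vals" | grep . | sort -u | grep -c . || true)
  [ "$total" -ge 2 ] && [ "$distinct" -eq 1 ]
}

# Create the "vapi" secret the chart reads DB_USERNAME/DB_PASSWORD from.
# Needs a live cluster, so the sample run below does not call it.
create_vapi_secret() {
  kubectl create secret generic vapi \
    --from-literal=DB_USERNAME="$1" \
    --from-literal=DB_PASSWORD="$2"
}

# Constructed stand-in for vapi-chart/values.yaml with matching entries.
write_matching_values() {
  cat > "$1" <<'EOF'
mysql:
  env:
    MYSQL_ROOT_PASSWORD: "example-root-pw"   # constructed value
www:
  env:
    MYSQL_ROOT_PASSWORD: example-root-pw
EOF
}

# The same file with only the second entry edited, which is exactly the
# mistake the "Important" note above is about.
write_mismatched_values() {
  write_matching_values "$1"
  sed -i.bak 's/^\([[:space:]]*MYSQL_ROOT_PASSWORD:\) example-root-pw$/\1 changed-pw/' "$1"
  rm -f "$1.bak"
}
```

Run `check_mysql_root_password ./vapi-chart/values.yaml` before the helm command; a non-zero exit means the two entries differ (or one is missing).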

Presented At

OWASP 20th Anniversary

Blackhat Europe 2021 Arsenal

HITB Cyberweek 2021, Abu Dhabi, UAE

@Hack, Riyadh, KSA

Upcoming

APISecure.co

Mentions and References

[1] https://apisecurity.io/issue-132-experian-api-leak-breaches-digitalocean-geico-burp-plugins-vapi-lab/

[2] https://dsopas.github.io/MindAPI/references/

[3] https://dzone.com/articles/api-security-weekly-issue-132

[4] https://owasp.org/www-project-vulnerable-web-applications-directory/

[5] https://github.com/arainho/awesome-api-security

[6] https://portswigger.net/daily-swig/introducing-vapi-an-open-source-lab-environment-to-learn-about-api-security

[7] https://apisecurity.io/issue-169-insecure-api-wordpress-plugin-tesla-3rd-party-vulnerability-introducing-vapi/

Walkthroughs/Writeups/Videos

[1] https://cyc0rpion.medium.com/exploiting-owasp-top-10-api-vulnerabilities-fb9d4b1dd471 (vAPI 1.0 Writeup)

[2] https://www.youtube.com/watch?v=0F5opL_c5-4&list=PLT1Gj1RmR7vqHK60qS5bpNUeivz4yhmbS (Turkish Language) (vAPI 1.1 Walkthrough)

[3] https://medium.com/@jyotiagarwal3190/roottusk-vapi-writeup-341ec99879c (vAPI 1.1 Writeup)

Acknowledgements

  • The icon and banner use images from Flaticon

vapi's People

Contributors

andyg-0, cyc0rpion, gilbrea, mathew-jose, pauloasilva, piyushroshan, roottusk, the301sparton

vapi's Issues

I cannot run vapi on Kali Linux

With Docker or installing it manually, I cannot run vapi.

bug㉿kali)-[/var/www/html/vapi]
└─$ sudo docker-compose up -d
WARNING: The APP_NAME variable is not set. Defaulting to a blank string.
WARNING: The PUSHER_APP_KEY variable is not set. Defaulting to a blank string.
WARNING: The PUSHER_APP_CLUSTER variable is not set. Defaulting to a blank string.
vapi_db_1 is up-to-date
Starting vapi_www_1 ...
Starting vapi_www_1 ... done

Later, at localhost://vapi, I got:

The connection was reset

The connection to the server was reset while the page was loading.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

Error creating user in API1

In the old version I managed to get to API5 and then it started to give an error.
After the update, when creating the user for testing, I get this feedback in Postman:

{
"errorInfo": [
"23000",
1062,
"Duplicate entry '' for key 'a_p_i1_users.username'"
]
}

API3 APK challenge hard-coded URL

The APK in the API3 challenge has an older hard-coded URL; the user should be able to change the base URL before logging in to the application, so that an address from the local network (i.e. 192.x.x.x, where the lab instance is running) can also be entered.

Updating the php/apache base image

The php/apache base image in the Dockerfile has some known vulnerabilities in it. Upgrading to the latest version (php:8.1.2-apache) removes the vulnerabilities but breaks the code. I have not had time to dig into the errors yet to see what it would take to get it to work with the latest PHP Docker image.

Helm chart

This would be an enhancement. Has any thought been given to creating a Helm chart for deploying to Kubernetes?

Authorization-Tokens are not well documented.

Hello, first, thank you for the great practice API!

I came across vAPI through an API hacking course hosted by APIsec. I, and a lot of other students, are having a lot of fun with it and learning a lot, but many students have run into a problem with the Authorization-Token header. The documentation at http://localhost/vapi always references `{{apiX_auth}}` but never specifies what format the auth token is in. I personally spent about 4 hours trying to figure it out and eventually looked up this repo, read the README, and realized you have a Postman import that generates these tokens for you.

I've completed the course, and so I've had quite a few other students ask me about this when they get stuck as well. Some students figure it out just by guessing, since you essentially use the Authorization: Basic {{base64}} scheme, and those students will ask me how I figured it out, or whether they just didn't understand something properly. Then I've seen other students who were also stuck for hours, like me, just give up and ask.

I made four attempts at beautifying the code of vapi/resources/views/index.html so I could manually add a section on the auth token format as a PR, but with each attempt it broke the page styling or JS. I'm not familiar enough with Redoc to know if there is a way to put a section at the beginning of the documentation, but if there is, would you perhaps add that section? Worst case, though it wouldn't be as immediately obvious, do you think we could add a section about it in the README and vapi/resources/views/welcome.html?

If you want to go for the latter, or you want me to try and add a section without beautifying the index page code, let me know and I don't mind submitting a PR for it. Thank you again for all your work!

VAPI3

Please, how do I configure the APK "the Company App"?
I configured http://localhost/vapi/,
then I tried to register a user in the app but nothing happens!

I noticed that there was an update to the App. In the previous version I logged in with
testuser:test123

vapi APIs are not working locally

Hi,

I am new to API vulnerability checking using vapi. I am using docker-compose to run the vapi application locally, as shown below:
[image]

The first issue is that I cannot access the documentation of vapi using http://loclahost:8082/vapi even though Docker is running.
The second issue: since vapi is running locally, I am using Postman to access the APIs and always receive the following error:
[image]

Would you please provide any help on this? Thanks.

Error 403 when trying to access the main page

Good day,

I am still fairly new with Docker, and I am very interested in doing this challenge.

Whenever I run "docker-compose up -d" I do not get any issues; the issues arise when I try to access "http://localhost/vapi/", which gives me a Forbidden error.

I was able to run it before but I do not remember what I did.

I'm not sure where to go from here; does anyone know what I can do?
I tried to run it as sudo but it did not help at all.

Thank you

Writeup

Can I add my writeup link here? I have tried to explain it according to the API Security Top 10 2023 for version 1.3.

api1 authHeader

Hello,
Apologies if this is the wrong place to ask this.
I am working on the api1 problem currently, and when trying to get a user it asks for an authHeader. However, when I create a user, it doesn't return one, and there's no login endpoint for api1 either. Is there something I'm missing? Is this part of the task?

API7 - can't print flag

getKey.php

if($_SERVER["HTTP_ORIGIN"]=="")
{
    header("Access-Control-Allow-Origin: *");
}
else{
    header("Access-Control-Allow-Origin: ".$_SERVER["HTTP_ORIGIN"]);
    // flag is stored in $row here ...
    $row["flag"]=base64_decode("ZmxhZ3thcGk3X2U3MWI2NTA3MTY0NWUyNGVkNTBhfQ==");
}
......
if(mysqli_num_rows($result) > 0)
{
    http_response_code(200);
    // ... but fetch_assoc() replaces the whole $row array, so "flag" is gone
    $row=$result->fetch_assoc();
    $row["success"]="true";
    print json_encode($row);
}

`$result->fetch_assoc()` overwrites `$row`, so `$row["flag"]` is null.

API1 test script not running properly

Hello, I'm not sure if this is the correct place to seek help, as I have been tackling this for a while. I am on the API1 challenge and I have successfully created the user with a POST request. From what I understand, the test script is supposed to set an environment variable for {{api1_auth}} as it sends the request.
[image]

When I moved on to the GET user request, it seems the ENV is not set. How can I resolve this? Any advice would be appreciated.
[image]

MySQL env vars on the Laravel pod are not set

After deploying on GKE I constantly received error messages related to the DB when sending requests.
After verifying that it was not a connectivity or DB issue, I suspected it was a configuration issue.
I constantly received this error message:

Access denied for user 'forge'@'' (using password: NO)

I tried to look for the .env file which is supposed to set the correct values in that database.php file but haven't found one.
I stumbled upon this StackOverflow thread:
https://stackoverflow.com/questions/42148086/laravel-5-error-sqlstatehy000-1045-access-denied-for-user-forgelocalhost

After manually changing the configuration in the database.php file to the correct values, everything started working as it should...

Missing secret object template

Hi,

There is a missing Secret object in the charts directory.
Without it the deployment fails.
After creating the template manually, the deployment succeeds.
Example:

kind: Secret
apiVersion: v1
metadata:
  name: {{ include "vapi.fullname" . }}
data:
  # values under data: must be base64-encoded, so encode both fields
  username: {{ .Values.mysql.auth.username | b64enc | quote }}
  password: {{ .Values.mysql.auth.password | b64enc | quote }}

/docker-entrypoint-initdb.d/my_init_script.sh (helm install)

So this script, which is run to initialize the MySQL database in the helm install, is not completing because it calls curl, which is not in the Docker image; see the logs below.

Create vapi db ...
mysql: [Warning] Using a password on the command line interface can be insecure.
2024-02-06T14:04:04.303299Z 10 [Warning] [MY-013360] [Server] Plugin mysql_native_password reported: ''mysql_native_password' is deprecated and will be removed in a future release. Please use caching_sha2_password instead'
Curling vapi.sql ...
/docker-entrypoint-initdb.d/my_init_script.sh: line 6: curl: command not found

E: Unable to locate package libzip-dev

The command '/bin/sh -c apt-get update && apt-get install -y libzip-dev && apt-get install -y zlib1g-dev && rm -rf /var/lib/apt/lists/* && docker-php-ext-install zip' returned a non-zero code: 100
ERROR: Service 'www' failed to build : Build failed
