Why I Built VVMA - A Vulnerable API for Learning AppSec
VVMA – Very Vulnerable Management API 🎯
VVMA, for short, is an intentionally insecure RESTful API built using Node.js. It was created to simulate real-world API vulnerabilities and serve as a learning playground for security engineers, developers, and beginners.
Why I Built It? 🤔
I wanted to build something useful, not just for myself, but for the AppSec community. This was already a plan since 2024, and while brainstorming ideas with a friend, the idea to build a vulnerable API came up since we are both skilled in API security. And then we thought, “Why not go for this?”
We saw so much value in the idea, like improving our source code review skills and understanding how vulnerabilities are introduced into APIs, and personally for me, getting better at backend development. Also, little to no labs are built by African women in the offensive security space, so we took up that challenge.
Hear me out, instead of only using what others have built (we Africans), it’s important we also build for ourselves, and make our works known as well. This thought stayed with me throughout the project development.
Our Process 🔄
Once we agreed on the project, we went into the planning phase, brainstorming the features and vulnerabilities to introduce, choosing our tech stack, and setting up timelines, assigning responsibilities, and then the actual development. Before all these, we had to think of what vulnerable API to build since there are a number of existing APIs; we went for a management system.
Here’s what we used:
1
2
3
4
5
6
# Tech Stack
Node.js + Express
MySQL
OpenAPI (Swagger) for documentation
Mailhog for simulating email delivery
GitHub
The project took a little over a month to complete due to a few unpredictable delays, but it was a worthwhile journey of collaboration and learning. While my teammate had more experience with development, we handled tasks equally, and through the assistance of AI, I was able to resolve complex issues from my end.
🔐 Key Features and Vulnerabilities
VVMA includes common API security vulnerabilities to help learners explore and test their understanding of secure coding practices.
Some of the issues and features include:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
# Security Vulnerabilities
Weak Password Policy
Broken Authentication
Broken Object Level Authorization (BOLA)
Broken Function Level Authorization (BFLA)
Weak JWT Implementation
Broken Object Property Level Authorization (BOPLA)
SQL Injection
Weak Secret Key
Email Enumeration
Server-Side Request Forgery (SSRF)
Improper Inventory Management
No Rate Limiting
Plaintext Password Storage
These are in line with the OWASP API Security Top 10 and designed to mimic realistic vulnerabilities that developers and security professionals face.
🧠 A Key Lesson Learned
One lesson I took from this experience is that building appsec projects teaches you far more than just testing them.
Understanding how a vulnerability is created, in the code, flow, and logic, helped me move from just recognizing these issues to understanding them better. While I’m still learning, it helped improve my secure code review skills.
Aside from the technical lessons, working with someone else, sharing ideas, debugging together, and planning taught me how valuable teamwork is when you’re intentional about learning together. We had mutual understanding and never once had issues in terms of communication.
🚀 Launch Outcome
Once we were done, we announced VVMA on LinkedIn and the response was encouraging. The second post got over 50,000+ impressions and with 59 stars on GitHub. I also see people using it and even building similar projects. The kind words, feedback, and encouragement were also there. We’re grateful.
🔮 What’s Next?
Walkthroughs and usage guides for VVMA are already out.
You’re welcome to contribute to the project, suggest new ideas, or help us improve it.
This isn’t the final look for VVMA. We’re working on adding a better UI, more features, and potentially deploying a hosted version.
💭 Final Thoughts
This is just the beginning. I have a few more projects in line, and I’m excited to keep building and sharing with the cybersecurity community.
Thanks for reading! I just thought to share a little about why VVMA exists, how it was built, and what I learned from the journey. ❤️
🔗 Useful Links
- 👉 GitHub Repository
- 📚 Walkthroughs: