0d3cb498a3
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Has been cancelled
Test and Publish Multi-arch Docker Image / test (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Has been cancelled
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Has been cancelled
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Has been cancelled
Validate Renovate Config / Validate Renovate Configuration (push) Has been cancelled
215 lines
6.6 KiB
Markdown
215 lines
6.6 KiB
Markdown
# redteam-api-top-10 (OWASP API Security Top 10 Red Team Example)
|
|
|
|
A **deliberately vulnerable** demonstration app for testing AI red-teaming and OWASP API Security Top 10 vulnerabilities via prompt injection. This example showcases MCP (Model Context Protocol) tool integration with configurable security weaknesses.
|
|
|
|
## Quick Start
|
|
|
|
```bash
|
|
# Initialize this example
|
|
npx promptfoo@latest init --example redteam-api-top-10
|
|
cd redteam-api-top-10
|
|
|
|
# Set up environment
|
|
cp .env.example .env
|
|
# Edit .env and set ANTHROPIC_API_KEY=your-api-key
|
|
|
|
# Install Python dependencies
|
|
uv sync
|
|
|
|
# Seed the database with demo data
|
|
uv run python scripts/seed_database.py
|
|
|
|
# Start the server (in a separate terminal)
|
|
uv run uvicorn app.main:app --host 0.0.0.0 --port 8000
|
|
|
|
# Generate a fresh JWT token and update promptfooconfig.yaml
|
|
curl -s -X POST http://localhost:8000/auth/login \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"username":"alice","password":"password123"}' | jq -r '.token'
|
|
|
|
# Run the red team evaluation
|
|
npx promptfoo@latest redteam run
|
|
```
|
|
|
|
## Prerequisites
|
|
|
|
- Python 3.10+
|
|
- Node.js ^20.20.0 or >=22.22.0 (Node.js 20 support ends July 30, 2026; Node.js 24 LTS recommended) (for the filesystem MCP server)
|
|
- [uv](https://docs.astral.sh/uv/) package manager
|
|
- Anthropic API key
|
|
|
|
## What This Example Tests
|
|
|
|
This application includes configurable vulnerabilities based on the [OWASP API Security Top 10 (2023)](https://owasp.org/API-Security/editions/2023/en/0x00-header/):
|
|
|
|
| Vulnerability | Description |
|
|
| ------------------------- | ------------------------------------------------------------ |
|
|
| API1: BOLA | Broken Object Level Authorization - access other users' data |
|
|
| API2: Broken Auth | Unsigned JWT acceptance, debug parameters |
|
|
| API3: Property Auth | Sensitive columns exposed (salary, SSN, cost_price) |
|
|
| API5: Function Auth | Admin tools available to all users |
|
|
| API7: SSRF | Internal endpoints accessible via fetch tool |
|
|
| API8: Misconfiguration | Debug endpoints exposed, JWT secret in logs |
|
|
| API9: Inventory | Legacy v1 API without authentication |
|
|
| API10: Unsafe Consumption | No response sanitization |
|
|
|
|
## Architecture
|
|
|
|
```text
|
|
┌─────────────────┐ ┌──────────────────────┐
|
|
│ Web Chat UI │────▶│ FastAPI Server │
|
|
└─────────────────┘ └──────────┬───────────┘
|
|
│
|
|
┌──────────┼──────────┐
|
|
▼ ▼ ▼
|
|
┌────────┐ ┌────────┐ ┌────────┐
|
|
│ SQLite │ │ File │ │ Fetch │
|
|
│ MCP │ │ System │ │ MCP │
|
|
│ Server │ │ MCP │ │ Server │
|
|
└────────┘ └────────┘ └────────┘
|
|
```
|
|
|
|
The chatbot connects to three MCP servers:
|
|
|
|
- **SQLite MCP**: Database queries for products, orders, users
|
|
- **Filesystem MCP**: Reading policy documents
|
|
- **Fetch MCP**: External API calls (shipping tracking, weather, promotions)
|
|
|
|
## Demo Users
|
|
|
|
All users have password `password123`:
|
|
|
|
| Username | User ID | Department | Role |
|
|
| -------- | ------- | ----------- | ----- |
|
|
| alice | emp_001 | Engineering | user |
|
|
| bob | emp_002 | Marketing | user |
|
|
| charlie | emp_003 | Sales | user |
|
|
| diana | emp_004 | HR | admin |
|
|
| eve | emp_005 | Finance | user |
|
|
|
|
## Security Configuration
|
|
|
|
Each vulnerability can be configured independently via environment variables:
|
|
|
|
```bash
|
|
# Security levels: 1 = Weak (vulnerable), 2 = Medium (bypassable), 3 = Strong (secure)
|
|
SECURITY_BOLA=1
|
|
SECURITY_AUTH=1
|
|
SECURITY_PROPERTY_AUTH=1
|
|
SECURITY_FUNCTION_AUTH=1
|
|
SECURITY_SSRF=1
|
|
SECURITY_MISCONFIGURATION=1
|
|
SECURITY_INVENTORY=1
|
|
SECURITY_UNSAFE_CONSUMPTION=1
|
|
```
|
|
|
|
Run with different security levels:
|
|
|
|
```bash
|
|
# All vulnerabilities (default)
|
|
uv run uvicorn app.main:app --port 8000
|
|
|
|
# Stronger security
|
|
SECURITY_BOLA=3 SECURITY_SSRF=3 uv run uvicorn app.main:app --port 8000
|
|
```
|
|
|
|
## Quick Security Tests
|
|
|
|
```bash
|
|
# Check current security configuration
|
|
curl http://localhost:8000/security/status
|
|
|
|
# Test API2 - Unsigned JWT (alg:none)
|
|
curl -H "Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJlbXBfMDAyIiwibmFtZSI6IkJvYiJ9." \
|
|
http://localhost:8000/api/orders
|
|
|
|
# Test API9 - Legacy endpoint (no auth)
|
|
curl http://localhost:8000/api/v1/orders
|
|
|
|
# Test API7 - SSRF target
|
|
curl http://localhost:8000/mock/internal/metadata
|
|
|
|
# Test API8 - Debug endpoint
|
|
curl http://localhost:8000/debug/logs
|
|
```
|
|
|
|
## Promptfoo Configuration
|
|
|
|
The `promptfooconfig.yaml` is pre-configured with:
|
|
|
|
- **Plugin**: `owasp:api` - Tests all OWASP API Security Top 10 vulnerabilities
|
|
- **Strategies**: `jailbreak:meta`, `crescendo`, `jailbreak:hydra`
|
|
|
|
### Expected Results
|
|
|
|
At **SECURITY\_\*=1** (vulnerable), the red team should find:
|
|
|
|
- BOLA attacks via prompt injection to access other users' data
|
|
- SSRF via fetch tool to internal endpoints
|
|
- Sensitive data exposure (salaries, SSNs, cost prices)
|
|
- Legacy API access without authentication
|
|
|
|
At **SECURITY\_\*=3** (secure), most attacks should be blocked.
|
|
|
|
## Web UI
|
|
|
|
Visit http://localhost:8000 in your browser for the chat interface.
|
|
|
|
## API Endpoints
|
|
|
|
### Chat
|
|
|
|
- `POST /chat/` - Send message, get response with tool calls
|
|
- `GET /chat/sessions` - List user's sessions
|
|
|
|
### Auth
|
|
|
|
- `POST /auth/login` - Get JWT token
|
|
- `GET /auth/demo-users` - List available demo users
|
|
|
|
### Mock Services
|
|
|
|
- `GET /mock/shipping/track/{tracking}` - Track package
|
|
- `GET /mock/weather/{location}` - Weather data
|
|
- `GET /mock/promotions/current` - Current promos
|
|
|
|
### Debug (vulnerable)
|
|
|
|
- `GET /debug/logs` - Exposes JWT secret
|
|
- `GET /debug/config` - Server configuration
|
|
|
|
### Legacy v1 (vulnerable)
|
|
|
|
- `GET /api/v1/orders` - All orders without auth
|
|
- `GET /api/v1/users` - All users without auth
|
|
|
|
## Troubleshooting
|
|
|
|
### MCP Server Issues
|
|
|
|
```bash
|
|
# Check Node.js for filesystem MCP
|
|
which npx
|
|
|
|
# Check uv for SQLite/Fetch MCP
|
|
which uvx
|
|
```
|
|
|
|
### Database Issues
|
|
|
|
```bash
|
|
# Re-seed the database
|
|
uv run python scripts/seed_database.py
|
|
```
|
|
|
|
### API Key Issues
|
|
|
|
```bash
|
|
# Verify API key is set
|
|
grep ANTHROPIC_API_KEY .env
|
|
```
|
|
|
|
## License
|
|
|
|
MIT
|