API hacking lab #1 (Low), missing API path #672

Open
Crypto-Cat opened this issue Feb 2, 2025 · 9 comments
Comments

@Crypto-Cat

Are the new API labs working as intended? The low difficulty suggests changing the API call /vulnerabilities/api/v2/user/ to /vulnerabilities/api/v1/user/ but both of these URLs are 404 and looking in the source code, there doesn't seem to be any files corresponding to v1 or v2:

ls /var/www/html/DVWA/vulnerabilities/api/
bootstrap.php  composer.lock    help       openapi.yml  README.md  src
composer.json  gen_openapi.php  index.php  public       source
Owner

They should be working. You won't see the files as I'm using rewrite rules to map requests into other bits of code.

@Crypto-Cat
Author

Just to confirm, I should be able to access http://localhost/vulnerabilities/api/v2/user/ or http://localhost/vulnerabilities/api/v1/user/ in the browser by default?

Also, I think when browsing to http://localhost/DVWA/vulnerabilities/api/ the console shouldn't have the 404 Not Found error by default (I'm expecting some data, just different data to v1). I tried deleting the whole DVWA folder and running a fresh installation, but it seems to be the same 😕

Owner

Just realised, mod_rewrite won't be enabled by default. Something like a2enmod rewrite will do it.

I'll update the docs and add a check for it later.

@Crypto-Cat
Author

I also realised the JS calls http://localhost/vulnerabilities/api/v2/user/ but my installation (using install script from repo) has this file at http://localhost/DVWA/vulnerabilities/api/v2/user/

@digininja
Owner

The problem with lone development. It is hardcoded to my paths and I forgot mod_rewrite isn't enabled by default.

I've got fixes, I'll get them wired in and pushed for you to test.

@digininja
Owner

I've just committed a load of stuff. The paths should now be relative not fixed and you'll get an error if mod_rewrite is not enabled which will point you at the README which tells you how to enable it.

The setup page also now checks for mod_rewrite.

It all needs tidying up, but it should at least work.

@Crypto-Cat
Author

Hmmm so I did a fresh install again (mod_rewrite is enabled), using the Install-DVWA.sh script but the problem remains for me.

I also tried to launch with the docker-compose option and this time the API call succeeds but doesn't retrieve the expected data.

Warning: require(vendor/autoload.php): Failed to open stream: No such file or directory in /var/www/html/vulnerabilities/api/bootstrap.php on line 2

Fatal error: Uncaught Error: Failed opening required 'vendor/autoload.php' (include_path='.:/usr/local/lib/php') in /var/www/html/vulnerabilities/api/bootstrap.php:2 Stack trace: #0 /var/www/html/vulnerabilities/api/public/index.php(3): require() #1 {main} thrown in /var/www/html/vulnerabilities/api/bootstrap.php on line 2

@digininja
Owner

Ye, I just found that one. It is more stuff I've got installed without realising it.

Go into the api directory and try following these instructions.

https://github.com/digininja/DVWA/tree/master/vulnerabilities/api

I need to work out how much of this should be committed for it to just work, but how much needs to be machine dependent.

@digininja
Owner

I think I might be there with it. The Docker image is now working correctly and I've put checks in to both the setup script and the API pages to warn if mod_rewrite is not installed and if you've not installed the vendor files.

Hopefully there is enough info and checks for you to get it working now.
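The two environment problems discussed in this thread, mod_rewrite not enabled and the Composer vendor/ directory missing, both surface as confusing failures (a 404 on the API path, or a fatal error from the require in bootstrap.php) rather than as a clear message. The following is an added example, not DVWA's own code, of the kind of pre-flight check the maintainer describes adding to the setup script and API pages. The helper names api_environment_problems and api_base_url are hypothetical; it assumes Apache with mod_php for the module check and falls back to a warning under other SAPIs, where PHP cannot see Apache's module list.

```php
<?php
// Added example (not DVWA's own code): pre-flight checks for the API lab.
// Helper names are hypothetical. Intended to run before the
// `require 'vendor/autoload.php'` in bootstrap.php.

declare(strict_types=1);

/**
 * Inspects the API directory and the web server environment.
 * Returns ['errors' => [...], 'warnings' => [...]]; both empty when things look sane.
 *
 * @param string $apiDir directory containing bootstrap.php and (after `composer install`) vendor/
 */
function api_environment_problems(string $apiDir): array
{
    $errors = [];
    $warnings = [];

    // 1. Composer dependencies. bootstrap.php requires vendor/autoload.php, which is
    //    what produced the "Failed opening required" fatal error in this thread.
    $autoload = $apiDir . '/vendor/autoload.php';
    if (!is_readable($autoload)) {
        $errors[] = "Composer dependencies are missing (expected $autoload). "
            . "Run 'composer install' inside $apiDir; see vulnerabilities/api/README.md.";
    }

    // 2. mod_rewrite. The v1/v2 paths only exist via rewrite rules, so without the
    //    module every API URL is a 404. apache_get_modules() exists only when PHP runs
    //    as an Apache module (mod_php); under php-fpm or CGI we cannot check, so we
    //    report that as a warning instead of a false "not enabled".
    if (function_exists('apache_get_modules')) {
        if (!in_array('mod_rewrite', apache_get_modules(), true)) {
            $errors[] = "mod_rewrite is not enabled. On Debian/Ubuntu: "
                . "'sudo a2enmod rewrite && sudo systemctl restart apache2'.";
        }
    } else {
        $warnings[] = "Cannot verify mod_rewrite from SAPI '" . PHP_SAPI . "'; "
            . "check manually with 'apachectl -M | grep rewrite'.";
    }

    return ['errors' => $errors, 'warnings' => $warnings];
}

/**
 * Derives the API base path from the executing script so links work whether DVWA is
 * served from / or from /DVWA/ (the hardcoded-path problem reported in this thread).
 *
 * @param string $scriptName value of $_SERVER['SCRIPT_NAME'],
 *                           e.g. '/DVWA/vulnerabilities/api/public/index.php'
 */
function api_base_url(string $scriptName): string
{
    $marker = '/vulnerabilities/api/';
    $pos = strpos($scriptName, $marker);
    $prefix = ($pos === false) ? '' : substr($scriptName, 0, $pos);
    return $prefix . $marker;   // '/DVWA/vulnerabilities/api/' in the example above
}

// Usage at the top of bootstrap.php: fail loudly and early instead of with a stack trace.
$check = api_environment_problems(__DIR__);
if ($check['errors'] !== []) {
    http_response_code(500);
    header('Content-Type: text/plain');
    echo "DVWA API lab is not ready:\n - " . implode("\n - ", $check['errors']) . "\n";
    exit(1);
}
foreach ($check['warnings'] as $w) {
    error_log('DVWA API setup warning: ' . $w);
}

require __DIR__ . '/vendor/autoload.php';
```

A plain-text 500 with the exact remediation command is what a learner needs here; the same two checks can be reused on the setup page, where the result is rendered as a status line rather than aborting the request.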
