Vulnerability-as-a-Service (VaaS) Model

Chimera has transitioned to a “Vulnerability-as-a-Service” model, where the API is self-documenting and provides educational context directly to security researchers and automated tools.

Core Components

1. Centralized Vulnerability Registry

Located at apps/vuln-api/app/utils/vuln_registry.py, this registry is the single source of truth for all vulnerabilities in the lab. It maps unique IDs (e.g., CHM-BANK-001) to metadata including:

  • Name & Description
  • OWASP Top 10 Category
  • CWE ID
  • Severity & Difficulty
  • Vulnerable Endpoint
  • SecurityConfig Toggle Key

2. Enhanced Hot-Patching Decorator

The @hotpatch decorator in apps/vuln-api/app/utils/hotpatch.py now does more than just switch logic. It automatically injects educational context into every response:

  • X-Chimera-Patched: Indicates if the remediation is currently active.
  • X-Chimera-Vuln-ID: Unique identifier for the vulnerability.
  • X-Chimera-Vuln-Type: Human-readable name of the flaw.
  • X-Chimera-OWASP / X-Chimera-CWE: Industry-standard classifications.
  • X-Chimera-Hint: Context-aware exploitation hint (provided only when unpatched).

3. Opt-in Verbose Metadata (_chimera)

Researchers using curl or parsing JSON can opt in to deep educational context by sending the X-Chimera-Education: true request header. This wraps the standard response in a _chimera metadata block containing remediation advice and vulnerable code snippets.

4. Education Catalog API

A dedicated blueprint at /api/v1/education/ exposes the registry to external tools:

  • GET /api/v1/education/vulns: Full catalog, filterable by portal.
  • GET /api/v1/education/vulns/{id}: Detailed view with current patch status.
  • GET /api/v1/education/portals: List of industry verticals.
  • GET /api/v1/education/owasp: Vulnerabilities grouped by OWASP category.

Usage for Researchers

With curl

# Get accounts with educational headers
curl -I "http://localhost:8880/api/v1/banking/accounts?user_id=attacker"

# Get verbose JSON metadata
curl -H "X-Chimera-Education: true" "http://localhost:8880/api/v1/banking/accounts?user_id=attacker"

With Burp Suite

Create a Match and Replace rule or a Bambda filter to highlight any response containing the X-Chimera-Vuln-ID header. This allows you to immediately identify attack surface areas as you browse.

With Nuclei

The structured headers and JSON catalog make it easy to write Nuclei templates that target specific Chimera vulnerabilities and verify patches programmatically.
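
A sketch of the programmatic patch check mentioned above, written in Python instead of as a Nuclei template (an added example, not Chimera's own code). It assumes X-Chimera-Patched carries the string true or false, which this page does not specify; the sample responses and the helper names are constructed for illustration.

```python
PREFIX = "x-chimera-"

# Constructed sample header blocks, shaped like `curl -sI` output.
SAMPLE_UNPATCHED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "X-Chimera-Patched: false\r\n"
    "X-Chimera-Vuln-ID: CHM-BANK-001\r\n"
    "X-Chimera-Hint: (constructed hint text)\r\n\r\n"
)
SAMPLE_PATCHED_LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "x-chimera-patched: TRUE\r\n"
    "x-chimera-vuln-id: CHM-BANK-001\r\n"
    "x-chimera-hint: (constructed hint text)\r\n\r\n"
)

def chimera_headers(raw_response):
    """Return X-Chimera-* headers as {suffix: value}; header names are case-insensitive."""
    headers = {}
    for line in raw_response.strip().splitlines()[1:]:  # [1:] skips the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if sep and name.startswith(PREFIX):
            headers[name[len(PREFIX):]] = value.strip()
    return headers

def check_patch_state(raw_response, expect_patched):
    """Return a list of findings; an empty list means the response matches expectations."""
    h = chimera_headers(raw_response)
    if "vuln-id" not in h:
        return ["no X-Chimera-Vuln-ID header on this response"]
    # ASSUMPTION: the header value is the string "true" or "false".
    patched = h.get("patched", "").lower() == "true"
    findings = []
    if patched != expect_patched:
        findings.append(f"{h['vuln-id']}: patched={patched}, expected {expect_patched}")
    # The hint is documented as provided only when unpatched.
    if patched and "hint" in h:
        findings.append(f"{h['vuln-id']}: hint present on a patched response")
    return findings

if __name__ == "__main__":
    for label, raw in [("unpatched", SAMPLE_UNPATCHED), ("leaky", SAMPLE_PATCHED_LEAKY)]:
        print(label, check_patch_state(raw, expect_patched=True))
```

Run against the lab after toggling a remediation, a non-empty result flags either a toggle that did not take effect or a hint that is still exposed on a patched endpoint.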