API Penetration Testing Course

Hacking Lab


Last updated 1 year ago

Throughout the course, we will be walking through two vulnerable applications, crAPI and vAPI. Both of these will be used to test out the tools and techniques that will be demonstrated throughout this course. APIsec.ai hosts an API hacking lab that you can use to practice your skills.

  • crAPI can be found at https://crapi.apisec.ai

  • vAPI can be found at https://vapi.apisec.ai

If you would like to set up your own lab, you can either host the vulnerable apps on your local host or on a separate system. Next is a demonstration of how to set these apps up on your local host.

The Completely Ridiculous API (crAPI)

GitHub - OWASP/crAPI: completely ridiculous API (crAPI) (https://github.com/OWASP/crAPI)

To install it locally, run the following commands:

mkdir ~/lab
cd ~/lab
sudo curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml
sudo docker-compose pull
sudo docker-compose -f docker-compose.yml --compatibility up -d

If you are having issues installing this locally, you can try the development version described here: https://github.com/OWASP/crAPI, or target the one that is hosted by APIsec.

Once the installation is finished, you should be able to check that crAPI is running by using a web browser and navigating to http://127.0.0.1:8888 (crAPI landing page) or http://127.0.0.1:8025 (crAPI MailHog server). When you are done using/testing crAPI, you can stop it with docker-compose by using the following command:

sudo docker-compose stop

vAPI

GitHub - roottusk/vapi: vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises. (https://github.com/roottusk/vapi)

vAPI will be used for many of the assessments throughout this course. Although APIsec will be hosting vAPI, it may be useful to have a local version for testing.

cd ~/lab
sudo git clone https://github.com/roottusk/vapi.git
cd vapi
sudo docker-compose up -d

Once vAPI is running, you can navigate to http://127.0.0.1/vapi to get to the vAPI home page. One important thing to note is that vAPI comes with a prebuilt Postman collection and environment. You can access these in the vAPI/postman folder.

You can import these into Postman to be prepared for testing in future assessments. Simply open Postman, select the Import button (top right), and select the two vAPI JSON documents (see the above image). Finally, confirm the import and select the Import button.

One more thing to note about vAPI is that the Resources folder contains secrets that will be necessary to complete certain attacks. The resources folder can be found here.

Many labs are available to test out the tools and techniques that you learn in this course. Check out some of these other vulnerable labs:

Portswigger

  • Web Security Academy

TryHackMe

  • Bookstore

  • IDOR

  • GraphQL

HackTheBox

  • Craft

  • Postman

  • JSON

  • Node

  • Help

GitHub (Vulnerable Apps)

  • Pixi

  • REST API Goat

  • DVWS-node

  • Websheep

You will get the most out of this course by getting your hands on the keyboard and hacking APIs. After you've learned a new tool or technique, I highly recommend applying your skills to these other labs.
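The docker-compose steps above wrapped into one script, as an added example that is not part of the course or of the crAPI/vAPI projects. crAPI and vAPI are deliberately vulnerable, so before the stack is started the script reads the compose file's ports: entries and refuses to run if any published port is not bound to 127.0.0.1 (an entry with no host IP, such as "8888:80", is published on every interface); it then waits until the crAPI landing page and MailHog answer, and offers a stop mode. Assumed: a hypothetical file name lab.sh, LAB_DIR defaulting to ~/lab as in the course, the crAPI URLs the course gives, and docker-compose plus curl being installed for the up mode. The compose file embedded in the script is constructed for the offline self-check and is not crAPI's or vAPI's real file.

```shell
#!/usr/bin/env bash
# Added example for this lab page; it is not part of the course nor of the
# crAPI/vAPI projects. Before a deliberately vulnerable app is started with
# docker-compose, confirm every published port is bound to 127.0.0.1 so the
# lab is unreachable from the rest of the network; then bring the stack up and
# wait until the landing pages answer. Assumptions: LAB_DIR defaults to ~/lab
# as in the course, the URLs are the ones the course gives for crAPI (8888 and
# 8025), and docker-compose plus curl are installed for the "up" mode.
set -u

LAB_DIR="${LAB_DIR:-${HOME:-/tmp}/lab}"

# Print each entry under a compose "ports:" key, one per line, with the list
# dash and double quotes stripped (bare and double-quoted entries are handled).
list_port_bindings() {            # $1 = path to a docker-compose.yml
    awk '
        /^[[:space:]]*ports:[[:space:]]*$/ { inports = 1; next }
        inports && /^[[:space:]]*#/ { next }                 # comment inside the list
        inports && /^[[:space:]]*-[[:space:]]*/ {
            sub(/^[[:space:]]*-[[:space:]]*/, "")             # drop the list dash
            gsub(/"/, "")                                     # drop quotes
            sub(/[[:space:]]*$/, "")                          # drop trailing blanks
            print; next
        }
        inports { inports = 0 }                               # first non-item line ends the list
    ' "$1"
}

# Print the bindings that are NOT restricted to loopback. "8888:80" (no host
# IP) and "0.0.0.0:8888:80" are both published on every interface; only an
# explicit 127.0.0.1 (or localhost) prefix keeps the vulnerable app local.
exposed_bindings() {              # $1 = path to a docker-compose.yml
    list_port_bindings "$1" | grep -vE '^(127\.0\.0\.1|localhost):' || true
}

# Exit status 0 when every published port is loopback-only, 1 otherwise.
lab_is_loopback_only() {          # $1 = path to a docker-compose.yml
    [ -z "$(exposed_bindings "$1")" ]
}

# Poll a URL until it answers with an HTTP 2xx/3xx or the timeout expires.
wait_for_http() {                 # $1 = URL, $2 = timeout in seconds
    deadline=$(( $(date +%s) + $2 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        code=$(curl -s -o /dev/null --max-time 2 -w '%{http_code}' "$1" || true)
        case "$code" in 2*|3*) return 0 ;; esac
        sleep 2
    done
    return 1
}

# Constructed sample compose file for the offline self-check: one port bound
# to loopback and two published on all interfaces (the db port is the kind of
# mistake that hands a lab database to everyone on the LAN).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
services:
  web:
    image: example/vulnerable-api:latest
    ports:
      - "8888:80"
      - "127.0.0.1:8025:8025"
    environment:
      - DEBUG=true
  db:
    image: mysql:8
    ports:
      # published to the LAN, which a lab machine should never do
      - 0.0.0.0:3306:3306
EOF

case "${1:-}" in
    up)   # audit the real compose file, start the stack, wait for crAPI
        cd "$LAB_DIR" || exit 1
        if ! lab_is_loopback_only docker-compose.yml; then
            echo "refusing to start; ports published on all interfaces:" >&2
            exposed_bindings docker-compose.yml >&2
            exit 1
        fi
        docker-compose -f docker-compose.yml --compatibility up -d
        wait_for_http http://127.0.0.1:8888 120 && echo "crAPI landing page is up"
        wait_for_http http://127.0.0.1:8025 60  && echo "MailHog is up" ;;
    down)
        ( cd "$LAB_DIR" && docker-compose stop ) ;;
    *)    # no argument: run the audit against the constructed sample only
        echo "exposed bindings in the sample file:"
        exposed_bindings "$SAMPLE" ;;
esac
```

Run it as `bash lab.sh up` from the lab host and `bash lab.sh down` when finished; with no argument it only audits the embedded sample and prints the two bindings that would be reachable from the network. On Docker installations that ship only the v2 plugin, replace `docker-compose` with `docker compose`. If the audit refuses to start your copy of the compose file, prefix the offending host port with `127.0.0.1:` in the file rather than bypassing the check: a lab built to be exploited should never be listening for anyone but you.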