Hacking Lab
Last updated
Last updated
Throughout the course, we will be walking through two vulnerable applications, crAPI and vAPI. Both of these will be used to test out the tools and techniques that will be demonstrated throughout this course. APIsec.ai has hosted an API hacking lab that you can use to practice your skills.
crAPI can be found at https://crapi.apisec.ai
vAPI can be found at https://vapi.apisec.ai
If you would like to set up your own lab, you can either host the vulnerable apps on your local host or on a separate system. Next is a demonstration of how to set these apps up on your local host.
To install it locally run the following commands:
If you are having issues installing this locally you can try the development version described here: https://github.com/OWASP/crAPI OR target the one that is hosted by APIsec.
Once the installation is finished, you should be able to check to make sure crAPI is running by using a web browser and navigating to http://127.0.0.1:8888 (crAPI landing page) or http://127.0.0.1:8025 (crAPI Mailhog Server). When you are done using/testing crAPI, you can stop it with docker-compose by using the following command:
vAPI will be used for many of the assessments throughout this course. Although APIsec will be hosting vAPI, it may be useful to have a local version for testing.
Once vAPI is running you can navigate to http://127.0.0.1/vapi to get to the vAPI home page. One important thing to note is that vAPI comes with a prebuilt Postman collection and environment. You can access these in the vAPI/postman folder.
You can import these into Postman to be prepared for testing for future assessments. Simply open Postman, select the Import button (top right), and select the two vAPI JSON documents (see the above image). Finally, confirm the import and select the Import button.
One more thing to note about vAPI is that the Resources folder contains secrets that will be necessary to complete certain attacks. The resources folder can be found here.
Many labs are available to test out the tools and techniques that you learn in this course. Check out some of these other vulnerable labs:
Craft
Postman
JSON
Node
Help
You will get the most out of this course by getting your hands on the keyboard and hacking APIs. After you've learned a new tool or technique, I highly recommend applying your skills to these other labs.