Hacking Lab

Throughout the course, we will be walking through two vulnerable applications, crAPI and vAPI. Both of these will be used to test out the tools and techniques that will be demonstrated throughout this course. APIsec.ai has hosted an API hacking lab that you can use to practice your skills.

If you would like to set up your own lab, you can either host the vulnerable apps on your local host or on a separate system. Next is a demonstration of how to set these apps up on your local host.

The Completely Ridiculous API (crAPI)

To install it locally, run the following commands:

mkdir ~/lab
cd ~/lab
sudo curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml
sudo docker-compose pull
sudo docker-compose -f docker-compose.yml --compatibility up -d

If you are having issues installing this locally, you can try the development version described here: https://github.com/OWASP/crAPI or target the instance hosted by APIsec.

Once the installation is finished, you should be able to check to make sure crAPI is running by using a web browser and navigating to http://127.0.0.1:8888 (crAPI landing page) or http://127.0.0.1:8025 (crAPI Mailhog Server). When you are done using/testing crAPI, you can stop it with docker-compose by using the following command:

sudo docker-compose stop

vAPI

vAPI will be used for many of the assessments throughout this course. Although APIsec will be hosting vAPI, it may be useful to have a local version for testing.

cd ~/lab
sudo git clone https://github.com/roottusk/vapi.git
cd vapi
sudo docker-compose up -d

Once vAPI is running you can navigate to http://127.0.0.1/vapi to get to the vAPI home page. One important thing to note is that vAPI comes with a prebuilt Postman collection and environment. You can access these in the vAPI/postman folder.
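A small readiness check for the local lab, added here as an example (it is not part of the course material or of either project). It polls the three addresses this page tells you to visit and reports which containers are answering, so you know docker-compose has finished before you start testing; the poll interval and deadline are assumed values.

```python
# Readiness check for the local crAPI / vAPI lab set up above (added example,
# not part of the course material). The host, ports and paths are the ones
# the page tells you to visit; the poll interval and deadline are assumed.
import time
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

LAB_ENDPOINTS = {
    "crAPI landing page": "http://127.0.0.1:8888",
    "crAPI MailHog": "http://127.0.0.1:8025",
    "vAPI home": "http://127.0.0.1/vapi",
}

def http_reachable(url, timeout=2.0):
    """True if something answers HTTP at url. A 4xx/5xx still counts as
    'up': the container is listening, which is all we are checking here."""
    try:
        with urlopen(url, timeout=timeout):
            return True
    except HTTPError:
        return True          # server answered, just with an error status
    except (URLError, OSError):
        return False         # connection refused, DNS failure, timeout, ...

def wait_for_lab(endpoints=LAB_ENDPOINTS, deadline_s=120, interval_s=5):
    """Poll every endpoint until all answer or the deadline passes.
    Returns {name: True|False} so the caller can see what is still down."""
    status = {name: False for name in endpoints}
    end = time.monotonic() + deadline_s
    while True:
        for name, url in endpoints.items():
            if not status[name]:
                status[name] = http_reachable(url)
        if all(status.values()) or time.monotonic() >= end:
            return status
        time.sleep(interval_s)

if __name__ == "__main__":
    # Run after `docker-compose up -d`; exit non-zero if anything is still down.
    result = wait_for_lab()
    for name, ok in result.items():
        print(f"{'UP  ' if ok else 'DOWN'}  {name}  {LAB_ENDPOINTS[name]}")
    raise SystemExit(0 if all(result.values()) else 1)
```

If only the MailHog line shows DOWN, crAPI itself is usually fine and just the mail container is still starting; give it another minute before rerunning.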

You can import these into Postman to be prepared for testing for future assessments. Simply open Postman, select the Import button (top right), and select the two vAPI JSON documents (see the above image). Finally, confirm the import and select the Import button.

One more thing to note about vAPI is that the Resources folder contains secrets that will be necessary to complete certain attacks. The resources folder can be found here.

Many labs are available to test out the tools and techniques that you learn in this course. Check out some of these other vulnerable labs:

Portswigger

TryHackMe

HackTheBox

  • Craft

  • Postman

  • JSON

  • Node

  • Help

GitHub (Vulnerable Apps)

You will get the most out of this course by getting your hands on the keyboard and hacking APIs. After you've learned a new tool or technique, I highly recommend applying your skills to these other labs.
