
API Hacking Lab


Last updated 1 year ago

Both crAPI and vAPI will be used to test out the tools and techniques demonstrated throughout this course. APIsec.ai hosts an API hacking lab that you can use to practice your skills.

crAPI can be found at crapi.apisec.ai

vAPI can be found at vapi.apisec.ai

If you would like to set up your own lab, you can host the vulnerable apps either on your local host or on a separate system. What follows shows how to set these apps up on your local host.

The Completely Ridiculous API (crAPI)

$ mkdir ~/lab
$ cd ~/lab
$ sudo curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml
$ sudo docker-compose pull
$ sudo docker-compose -f docker-compose.yml --compatibility up -d

If you are having issues installing crAPI locally, you can try the development version described at https://github.com/OWASP/crAPI, or target the instance hosted by APIsec.

Once the installation is finished, check that crAPI is running by opening a web browser and navigating to http://127.0.0.1:8888 (crAPI landing page) or http://127.0.0.1:8025 (crAPI MailHog server).

When you are done using/testing crAPI, stop it with docker-compose:

$ sudo docker-compose stop
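Because `docker-compose up -d` returns before the containers are actually serving requests, it is handy to have a small readiness check that polls the lab endpoints instead of refreshing the browser. The script below is an added example, not part of the course or the crAPI project; it assumes only the ports given above (8888 for the crAPI landing page, 8025 for MailHog) and the vAPI path http://127.0.0.1/vapi, and the endpoint names are labels of our own.

```python
"""Readiness check for the locally hosted API lab (added example, not course code).

Assumptions (labelled): the crAPI ports named on the page (8888 landing page,
8025 MailHog) and the vAPI URL http://127.0.0.1/vapi; nothing else is assumed
about the containers.
"""
import socket
import time
import urllib.error
import urllib.request

# Default lab endpoints taken from the page; the names are our own labels.
LAB_ENDPOINTS = {
    "crapi-web": "http://127.0.0.1:8888",
    "crapi-mailhog": "http://127.0.0.1:8025",
    "vapi": "http://127.0.0.1/vapi",
}


def http_fetch(url, timeout=3.0):
    """Return the HTTP status code for url, or None if nothing answered.

    Any HTTP status (even 404 or 500) proves a server is listening, which is
    all a readiness check cares about; only connection-level failures and
    timeouts return None.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except (urllib.error.URLError, socket.timeout, OSError):
        return None


def lab_status(endpoints=LAB_ENDPOINTS, fetch=http_fetch):
    """Map each lab name to (reachable, status_code). fetch is injectable for tests."""
    report = {}
    for name, url in endpoints.items():
        code = fetch(url)
        report[name] = (code is not None, code)
    return report


def all_up(report):
    """True when every endpoint in a lab_status() report answered."""
    return all(ok for ok, _ in report.values())


def wait_for_lab(seconds=120, interval=5, endpoints=LAB_ENDPOINTS,
                 fetch=http_fetch, sleep=time.sleep):
    """Poll until every endpoint answers or the deadline passes.

    Returns the last report; sleep is injectable so the loop can be tested
    without waiting.
    """
    deadline = time.monotonic() + seconds
    while True:
        report = lab_status(endpoints, fetch)
        if all_up(report) or time.monotonic() >= deadline:
            return report
        sleep(interval)


if __name__ == "__main__":
    final = wait_for_lab()
    for name, (ok, code) in final.items():
        print(f"{name:14s} {'UP' if ok else 'DOWN':5s} {code if code is not None else '-'}")
    raise SystemExit(0 if all_up(final) else 1)
```

Run it right after `docker-compose up -d`; it exits 0 once every endpoint answers and 1 if the deadline passes, so it can gate a scripted lab start. A non-200 status still counts as "up" on purpose: the root path of an API container often returns a redirect or 404 even when the service is healthy.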

vAPI

vAPI will be used for many of the assessments throughout this course. Although APIsec will be hosting vAPI, it may be useful to have a local version for testing.

$ cd ~/lab
$ sudo git clone https://github.com/roottusk/vapi
$ cd vapi
$ sudo docker-compose up -d

Once vAPI is running, you can navigate to http://127.0.0.1/vapi to get to the vAPI home page. One important thing to note is that vAPI comes with a prebuilt Postman collection and environment. You can access these in the vAPI/postman folder.

You can import these into Postman to be prepared for testing for future assessments. Simply open Postman, select the Import button (top right), and select the two vAPI JSON documents (see above image). Finally, confirm the import and select the Import button.
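Once the two JSON documents are imported, the first thing an assessor usually wants is an inventory of every request in the collection with the environment variables filled in. The script below is an added example, not part of the course or the vAPI project: it walks a Postman collection v2.1 export (folders nest under `item`) and a Postman environment export (`values` with `enabled` flags), resolves `{{variable}}` references, and reports any variable the environment does not define. The two embedded documents are constructed samples in that format, not the real vAPI files.

```python
"""List every request in a Postman collection with environment variables
resolved (added example, not course or vAPI code).

Assumptions (labelled): Postman collection v2.1 and environment export layouts;
the sample documents below are constructed, not taken from the vAPI repository.
"""
import json
import re

# Constructed sample environment export (Postman environment format).
SAMPLE_ENV = json.dumps({
    "name": "vAPI-lab (constructed)",
    "values": [
        {"key": "host", "value": "http://127.0.0.1/vapi", "enabled": True},
        {"key": "token", "value": "placeholder-token", "enabled": False},
    ],
})

# Constructed sample collection export (collection v2.1) with a nested folder.
SAMPLE_COLLECTION = json.dumps({
    "info": {"name": "vAPI (constructed)",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "item": [
        {"name": "API1", "item": [
            {"name": "Create user",
             "request": {"method": "POST", "url": {"raw": "{{host}}/api1/user"}}},
            {"name": "Get user",
             "request": {"method": "GET", "url": {"raw": "{{host}}/api1/user/{{user_id}}"}}},
        ]},
        {"name": "Health", "request": {"method": "GET", "url": "{{host}}/health"}},
    ],
})

VAR_RE = re.compile(r"\{\{([^}]+)\}\}")


def load_environment(env_json):
    """Return key->value for the enabled variables of an environment export."""
    env = json.loads(env_json)
    return {v["key"]: v["value"] for v in env.get("values", []) if v.get("enabled", True)}


def resolve(template, variables):
    """Substitute {{var}}; unknown variables are left in place so they stand out."""
    return VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), template)


def walk_items(items):
    """Yield (name, method, raw_url) for every request, recursing into folders."""
    for item in items:
        if "item" in item:                 # a folder: recurse
            yield from walk_items(item["item"])
            continue
        req = item.get("request")
        if not req:
            continue
        url = req.get("url", "")           # v2.1 allows a string or an object
        raw = url.get("raw", "") if isinstance(url, dict) else url
        yield item.get("name", ""), req.get("method", "GET"), raw


def list_requests(collection_json, env_json):
    """Return [(method, resolved_url)] in collection order."""
    variables = load_environment(env_json)
    coll = json.loads(collection_json)
    return [(method, resolve(raw, variables))
            for _, method, raw in walk_items(coll.get("item", []))]


def unresolved_variables(requests):
    """Sorted names of {{variables}} still present after resolution."""
    names = set()
    for _, url in requests:
        names.update(VAR_RE.findall(url))
    return sorted(names)


if __name__ == "__main__":
    reqs = list_requests(SAMPLE_COLLECTION, SAMPLE_ENV)
    for method, url in reqs:
        print(f"{method:6s} {url}")
    missing = unresolved_variables(reqs)
    if missing:
        print("Unresolved variables (set them in the environment):", ", ".join(missing))
```

To use it on the real files, read the collection and environment JSON from the vAPI/postman folder with `open(path).read()` and pass those strings to `list_requests` in place of the two samples. Disabled environment variables are skipped deliberately, matching how Postman treats them, so a request that still shows `{{token}}` after resolution tells you which variable to enable or set before testing.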

One more thing to note about vAPI is that the Resources folder in the vAPI repository contains secrets that will be necessary to complete certain attacks.

There are many labs that are available to test out the tools and techniques that you learn in this course. Check out some of these other vulnerable labs:

Portswigger

  • Web Security Academy

TryHackMe

  • Bookstore (free)

  • IDOR (paid)

  • GraphQL (paid)

HackTheBox (Retired Machines)

  • Craft

  • Postman

  • JSON

  • Node

  • Help

Github (Vulnerable Apps)

  • Pixi

  • REST API Goat

  • DVWS-node

  • Websheep

You will get the most out of this course by getting your hands on the keyboard and hacking APIs. After you've learned a new tool or technique, I highly recommend applying your skills to these other labs.