OWASP crAPI Challenge
Senior Customer Success Manager - Candidate

by Michael Aghajanian

Introduction to OWASP crAPI

1. Open Web Application Security Project
   Non-profit foundation improving software security

2. crAPI: Completely Ridiculous API
   Intentionally vulnerable API for security training

3. Challenge-Based Learning
   Hands-on experience with common API vulnerabilities
6 Completed Challenges
Broken Object-Level Authorization - Challenges 1 and 2
Excessive Data Exposure - Challenges 4 and 5
Server-Side Request Forgery - Challenge 11
Unauthenticated Access - Challenge 14
Challenge Preparation
I fired up a Virtual Machine on Proxmox and decided to go with Kali Linux. I installed Postman and Burp Suite. Got all the tools ready for action! Then I got Docker Compose working on Kali. Next I downloaded the docker-compose.yml file for crAPI and pulled down the containers and got off to a quick start.
First things first, I used Postman to explore the API and organize the endpoints. I like to keep things tidy. I zeroed in on the key endpoints to target for vulnerability testing. Turns out, the API had a JSON documentation file on GitHub, crapi-openapi-spec.json. I imported it into Postman for easy reference - making things easier!
Then the real fun began when I brought out Burp Suite to create a site map, intercept requests, and gather data for future exploitation. I carefully examined the requests and responses to understand how the API worked and to spot any potential weaknesses. Once I found some, I used the data I collected to go after those vulnerabilities.
Broken Object-Level Authorization (BOLA)
Definition
Failure to enforce proper access controls at object level
Impact
Unauthorized access to sensitive data or functionality
The Challenges
1: Access other user's vehicle details, 2: Access mechanic reports
Challenge 1
Access details of another user’s vehicle
Analyze
API endpoint lacks proper authorization checks for vehicle data
Exploit
Substitute another user's identifier in the request to retrieve that user's vehicle location
Impact
Unauthorized access to other users' sensitive location data
Challenge 2
Access mechanic reports of other users
Analyze
Mechanic report API lacks proper access controls
Exploit
Modify request parameters to access other users' reports
Impact
Unauthorized access to sensitive vehicle data
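Challenges 1 and 2 are the same defect seen twice: the server authenticates the caller but never asks whether the caller owns the object named in the URL. The following added example (not code from crAPI or from the author's write-up) stands up a tiny vehicle-location endpoint in both its vulnerable and its hardened form and runs the probe a tester would run: authenticate as one user, walk other users' object IDs, and record which ones come back with 200. The path `/api/vehicle/<id>/location`, the tokens and the vehicle records are constructed for the demo.

```python
"""BOLA demo: a vehicle-location endpoint that trusts the object ID in the
URL, beside the same endpoint with an ownership check, plus the probe that
tells the two apart.  Added example; path, tokens and data are made up."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed data: bearer tokens map to users, vehicles map to their owners.
TOKENS = {"token-alice": "alice", "token-bob": "bob"}
VEHICLES = {
    "veh-1111": {"owner": "alice", "lat": 51.50, "lon": -0.12},
    "veh-2222": {"owner": "bob", "lat": 48.85, "lon": 2.35},
}


def make_handler(enforce_ownership):
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def _send(self, status, body):
            data = json.dumps(body).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_GET(self):
            # Authentication: who is calling?
            auth = self.headers.get("Authorization", "")
            token = auth[7:] if auth.startswith("Bearer ") else None
            user = TOKENS.get(token)
            if user is None:
                return self._send(401, {"error": "unauthenticated"})
            # Route: /api/vehicle/<id>/location (hypothetical path)
            parts = self.path.strip("/").split("/")
            if len(parts) != 4 or parts[:2] != ["api", "vehicle"] or parts[3] != "location":
                return self._send(404, {"error": "not found"})
            vehicle = VEHICLES.get(parts[2])
            if vehicle is None:
                return self._send(404, {"error": "not found"})
            # Authorization: does this caller own this object?  The vulnerable
            # variant skips the check, so any authenticated user reads any
            # vehicle's location just by changing the ID in the URL.
            if enforce_ownership and vehicle["owner"] != user:
                return self._send(403, {"error": "forbidden"})
            return self._send(200, {"lat": vehicle["lat"], "lon": vehicle["lon"]})

    return Handler


def probe_bola(base_url, token, my_ids, all_ids):
    """Return the IDs of objects we do NOT own that the server handed back."""
    leaked = []
    for vid in all_ids:
        if vid in my_ids:
            continue
        req = urllib.request.Request(
            f"{base_url}/api/vehicle/{vid}/location",
            headers={"Authorization": f"Bearer {token}"})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                if resp.status == 200:
                    leaked.append(vid)
        except urllib.error.HTTPError as e:
            if e.code not in (403, 404):
                raise
    return leaked


def run_demo(enforce_ownership):
    """Start the server on a free local port, probe it as Bob, shut it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(enforce_ownership))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        # Bob is authenticated as himself and owns only veh-2222.
        return probe_bola(base, "token-bob", {"veh-2222"}, list(VEHICLES))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable leaks:", run_demo(enforce_ownership=False))  # ['veh-1111']
    print("hardened leaks:  ", run_demo(enforce_ownership=True))   # []
```

The probe is the same loop you drive from Burp Intruder or a Postman collection runner: fix the session, vary only the object ID, and treat any 200 on an ID you do not own as a finding. The fix is the one-line ownership comparison, applied on every object read, not only on the listing endpoint.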
Excessive Data Exposure
Definition
Unintentional disclosure of sensitive information to unauthorized parties
Impact
Data breaches, privacy violations, compliance issues
The Challenges
4: Leak user information, 5: Leak internal video properties
Challenge 4
Find an API endpoint that leaks sensitive information of other users
Analyze
API endpoint returns excessive user data
Exploit
Call the endpoint and inspect the full JSON response for fields the client never needs
Impact
Sensitive data in the response can be used to stage deeper attacks
Challenge 5
Find an API endpoint that leaks an internal property of a video
Analyze
Video API leaks internal properties
Exploit
Retrieve video metadata and read the undocumented properties it carries
Impact
Exposure of internal implementation details and potential weaknesses
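Both excessive-data-exposure challenges come down to the server serialising its whole internal object and trusting the client to ignore the rest. A quick way to find that is to diff a captured response against the response schema the imported OpenAPI document declares: every undocumented field is a candidate, and the ones with names like `password_hash` or `storage_path` are the findings. The following added example (not code from crAPI or the author) does that diff, narrows it to sensitive-looking names, and shows the fix, which is projecting the object through the documented schema before sending it. The endpoint, schema and captured response are constructed for the demo.

```python
"""Excessive data exposure check: diff a captured JSON response against the
response schema the API documents, then flag undocumented fields that look
sensitive.  Added example; endpoint, schema and response are constructed."""
import json
import re

# Constructed: what the spec says GET /api/profile returns (hypothetical).
DOCUMENTED_SCHEMA = {
    "type": "object",
    "properties": {
        "id": {"type": "string"},
        "name": {"type": "string"},
        "videos": {
            "type": "array",
            "items": {
                "type": "object",
                "properties": {"id": {"type": "integer"}, "title": {"type": "string"}},
            },
        },
    },
}

# Constructed: what the server actually sent back.
CAPTURED_RESPONSE = json.loads("""{
  "id": "u-42",
  "name": "Bob",
  "email": "bob@example.test",
  "password_hash": "$2b$12$abcdefghijklmnopqrstuv",
  "role": "admin",
  "videos": [
    {"id": 7, "title": "dashcam.mp4",
     "storage_path": "/srv/media/raw/7.mp4",
     "encoder_cmd": "ffmpeg -i /srv/media/raw/7.mp4 -vcodec h264"}
  ]
}""")

# Key names that usually mean the field should never leave the server.
SENSITIVE_KEY = re.compile(
    r"(password|secret|token|api_?key|hash|ssn|role|path|cmd|internal)", re.I)


def undocumented_fields(value, schema, path=""):
    """Return JSON paths present in `value` but absent from `schema`."""
    extra = []
    if isinstance(value, dict) and schema.get("type") == "object":
        props = schema.get("properties", {})
        for key, sub in value.items():
            here = f"{path}.{key}" if path else key
            if key not in props:
                extra.append(here)  # the server returns a field nobody documented
            else:
                extra.extend(undocumented_fields(sub, props[key], here))
    elif isinstance(value, list) and schema.get("type") == "array":
        for i, item in enumerate(value):
            extra.extend(undocumented_fields(item, schema.get("items", {}), f"{path}[{i}]"))
    return extra


def flag_sensitive(paths):
    """Narrow the undocumented fields to the ones whose names look sensitive."""
    return [p for p in paths if SENSITIVE_KEY.search(p.rsplit(".", 1)[-1])]


def project(value, schema):
    """The fix: serialise only documented fields (an explicit response DTO)."""
    if isinstance(value, dict) and schema.get("type") == "object":
        props = schema.get("properties", {})
        return {k: project(v, props[k]) for k, v in value.items() if k in props}
    if isinstance(value, list) and schema.get("type") == "array":
        return [project(item, schema.get("items", {})) for item in value]
    return value


if __name__ == "__main__":
    extra = undocumented_fields(CAPTURED_RESPONSE, DOCUMENTED_SCHEMA)
    print("undocumented:", extra)
    print("sensitive:   ", flag_sensitive(extra))
    print("projected:   ", json.dumps(project(CAPTURED_RESPONSE, DOCUMENTED_SCHEMA)))
```

The name-based filter only ranks; every undocumented field still deserves a look, because a harmless-sounding key such as `email` on another user's profile is exactly the Challenge 4 leak.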
Server-Side Request Forgery
Definition
Attacker induces the server to make requests to destinations of the attacker's choosing
Impact
Access to internal resources, data leaks and, when chained with other flaws, remote code execution
Challenge
11: Make crAPI send HTTP call to external site
Challenge 11
Make crAPI send an HTTP call to an external site and return the HTTP response.
Analyze
API endpoint accepts a caller-supplied URL and fetches it server-side
Exploit
Point the URL parameter at Cloudflare so crAPI fetches it and returns the response
Impact
Data leaks, reachability of internal services and, in chained attacks, remote code execution
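Returning the body of an attacker-chosen URL is the proof; the damage comes when the same fetch is pointed at `127.0.0.1`, a cloud metadata address, or an internal hostname. The following added example (not crAPI code and not the author's) shows the unvalidated fetch beside a guard that enforces a scheme and host allowlist, rejects URLs carrying userinfo, resolves the name and refuses any non-public address, and disables redirects so the target cannot bounce the request inward. The allowlist, hostnames and the fake DNS table are constructed so the demo runs offline.

```python
"""SSRF guard for a "fetch this URL for me" feature: the unvalidated fetch
beside a validator that allowlists scheme and host and refuses destinations
that resolve to loopback, private, link-local or other non-public addresses.
Added example; allowlist, hostnames and the DNS table are constructed."""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist of third-party hosts this service legitimately calls.
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}


def system_resolver(host):
    """Resolve with the OS resolver; returns every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=system_resolver):
    """Return (ok, reason).  Every rejection names the rule that fired."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "userinfo in URL (user@host trick)"
    host = parts.hostname
    if not host:
        return False, "no host"
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} not allowlisted"
    # An allowlisted name can still point at an internal address (DNS
    # rebinding, a compromised zone), so check every address it resolves to.
    try:
        addrs = resolver(host)
    except OSError as e:
        return False, f"resolution failed: {e}"
    for a in addrs:
        if not ipaddress.ip_address(a).is_global:
            return False, f"{host} resolves to non-public address {a}"
    return True, "ok"


def fetch_unsafe(url):
    """The vulnerable shape: whatever the client sends is fetched server-side."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read()


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # A 302 to http://127.0.0.1/ would bypass the check above, so refuse them.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_safe(url, resolver=system_resolver):
    """Validate first, then fetch with redirects disabled."""
    ok, reason = is_safe_url(url, resolver=resolver)
    if not ok:
        raise ValueError(f"refusing outbound request: {reason}")
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=5) as resp:
        return resp.read()


# Constructed DNS table so the demo runs offline.
FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],   # stand-in public address
    "cdn.partner.example": ["10.0.0.5"],  # allowlisted name, rebound to internal
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError(f"no such host {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ["https://api.partner.example/v1/report",
              "http://cdn.partner.example/logo.png",
              "http://169.254.169.254/latest/meta-data/",
              "http://api.partner.example@127.0.0.1/",
              "file:///etc/passwd",
              "http://[::1]:8080/admin"]:
        print(u, "->", is_safe_url(u, resolver=fake_resolver))
```

Validating at resolution time still leaves a window between the check and the connect; where that matters, pin the connection to the address you validated rather than letting the HTTP client resolve the name a second time.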
Unauthenticated Access
Definition
System allows actions without proper authentication
Impact
Unauthorized data access, system manipulation
Challenge
14: Find endpoint without authentication checks
Challenge 14
Find an endpoint that does not perform authentication checks for a user.
Analyze
Identify endpoints lacking authentication checks
Exploit
Access sensitive functionality without valid credentials
Tools
Postman/Burp Suite for systematically testing API endpoints
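The crapi-openapi-spec.json imported during preparation is also the quickest starting point for Challenge 14: OpenAPI records a `security` requirement per operation (or globally), so operations that declare none, opt out with `security: []`, or allow an empty `{}` alternative are the first ones to replay without an Authorization header. The following added example (not crAPI's code, not the author's) does that triage on a constructed spec shaped like one, and includes the unauthenticated replay that turns a documented gap into a confirmed one. Paths and the sample spec are made up; the real file would be loaded from disk with `load_spec`.

```python
"""Triage an OpenAPI document for operations that document no authentication,
then replay them with no credentials.  Added example; the sample spec and
its paths are constructed, not taken from crapi-openapi-spec.json."""
import json
import urllib.error
import urllib.request

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "trace"}

# Constructed spec: global bearer auth, one operation that opts out, one that
# allows an anonymous alternative, one that simply inherits the global rule.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.0",
  "security": [{"bearerAuth": []}],
  "paths": {
    "/api/v1/login": {"post": {"security": [], "summary": "issue token"}},
    "/api/v1/profile": {"get": {"summary": "own profile"}},
    "/api/v1/vehicles/{id}/location": {
      "get": {"security": [{}, {"bearerAuth": []}], "summary": "optional auth"}
    }
  }
}""")


def load_spec(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def operations_without_auth(spec):
    """Return (METHOD, path, reason) for every operation the spec does not
    protect.  Operations documented as authenticated are skipped here but
    should still be replayed: the spec is a claim, not the enforcement."""
    global_sec = spec.get("security")  # None when the document declares none
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # parameters, summary, servers, ...
            sec = op.get("security", global_sec)  # op-level list overrides global
            if sec is None:
                reason = "no security requirement documented"
            elif len(sec) == 0:
                reason = "explicitly anonymous (security: [])"
            elif any(req == {} for req in sec):
                reason = "anonymous alternative allowed (security contains {})"
            else:
                continue
            findings.append((method.upper(), path, reason))
    return findings


def replay_unauthenticated(base_url, method, path):
    """Send the request with no Authorization header; return the status code.
    A 2xx on an operation that should require a user is the finding."""
    req = urllib.request.Request(base_url + path, method=method)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    for method, path, reason in operations_without_auth(SAMPLE_SPEC):
        print(f"{method:6} {path:40} {reason}")
```

Templated paths such as `/api/v1/vehicles/{id}/location` need a real identifier substituted before replay; take one from a session you captured in Burp, then drop the Authorization header and resend.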
Risk Assessment Overview
Tools Used

1. Proxmox Hypervisor
   Virtualization platform for testing environment

2. Kali Linux
   Penetration testing and ethical hacking OS

3. Burp Suite
   Web vulnerability scanner and proxy tool

4. Postman
   API development and testing platform
Resources

1. Official Documentation
   OWASP crAPI challenges and setup guides

2. Community Resources
   Tutorials, walkthroughs, and best practices

3. AI Assistance
   ChatGPT for problem-solving and learning