# API Penetration Testing Lab (OWASP crAPI)

A hands-on API penetration testing lab built on OWASP's crAPI, covering injection, broken auth, DoS, mass assignment, data exposure, and more.

This repository is a comprehensive, structured API penetration testing lab built around OWASP crAPI (Completely Ridiculous API), an intentionally vulnerable vehicle management platform designed for security research.
Each folder is a self-contained pentest module targeting a distinct vulnerability class from the OWASP API Security Top 10 (2023). Every module includes a writeup, tools, payloads, and screenshots documenting real exploitation against a live (local) crAPI environment.
⚠️ Authorized use only. All testing is performed against locally deployed, intentionally vulnerable lab environments. Never use these techniques against systems you do not own or have explicit written permission to test.
## Pentest Module Directory

| # | Module | OWASP API Top 10 |
|---|---|---|
| 01 | SQL Injection Authentication Bypass | API8 - Security Misconfiguration |
| 02 | OTP Bypass | API2 - Broken Auth |
| 03 | XSS Exploitation | API8 - Security Misconfiguration |
| 04 | Black-Box API Security Assessment | Recon / Enumeration |
| 05 | API BOLA to SSRF Assessment | API1 - BOLA |
| 06 | Broken Authentication Vulnerability | API2 - Broken Auth |
| 07 | Excessive Data Exposure | API3 - Data Exposure |
| 08 | Mass Assignment | API6 - Mass Assignment |
| 09 | Layer 7 DoS API PenTest | API4 - Resource Consumption |
## 01 - SQL Injection
Vulnerability: API8:2023 - Security Misconfiguration + Injection
This module demonstrates how improperly sanitized SQL queries in API login endpoints can be bypassed without valid credentials. Using crafted payloads injected into JSON request bodies, authentication is bypassed entirely by manipulating the underlying database query logic.
Key Techniques:
- Classic `' OR '1'='1` injection in JSON body fields
- Boolean-based blind SQLi to enumerate users
- Error-based injection to extract schema information
- Bypassing JWT issuance via SQL manipulation
Tools Used: sqlmap, Burp Suite, curl
Impact: Full authentication bypass, unauthorized access to any user account
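As an added illustration (not code from this repository or from crAPI), the following Python shows the query-construction flaw this module exploits beside its fix. It uses an in-memory SQLite table with constructed rows; the table and column names are assumptions, not crAPI's schema, and passwords are stored in clear only to keep the toy short.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed user table standing in for the login store (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice@example.com", "correct horse", "user"),
            ("admin@example.com", "hunter2", "admin"),
        ],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str):
    """The anti-pattern: JSON body values are concatenated into the SQL text,
    so a quote in the input changes the query's logic instead of its data."""
    query = (
        "SELECT email, role FROM users WHERE email = '" + email
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn: sqlite3.Connection, email: str, password: str):
    """The fix: bound parameters keep user input as data, never as syntax."""
    query = "SELECT email, role FROM users WHERE email = ? AND password = ?"
    return conn.execute(query, (email, password)).fetchone()


def demo() -> dict:
    """Run the page's classic payload through both versions of the login."""
    conn = build_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_bypass": login_vulnerable(conn, payload, payload),
        "parameterized_bypass": login_parameterized(conn, payload, payload),
        "parameterized_valid": login_parameterized(
            conn, "alice@example.com", "correct horse"
        ),
    }
```

The vulnerable query returns a row for the payload because the injected `OR '1'='1'` makes the `WHERE` clause true for every user; the parameterized query treats the same string as a literal e-mail address and matches nothing.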
## 02 - OTP Bypass
Vulnerability: API2:2023 - Broken Authentication
One-Time Passwords (OTPs) are only as strong as the enforcement around them. This module exploits the absence of rate limiting and brute-force protection on crAPI's OTP verification endpoint, allowing a 4-digit OTP to be brute-forced within seconds.
Key Techniques:
- Brute-force enumeration of 4-digit OTP (0000-9999)
- No account lockout, so all 10,000 attempts are permitted
- Lack of OTP expiry enables replay attacks
- Response timing analysis to detect valid OTP
Tools Used: ffuf, Burp Intruder, Python requests
Impact: Account takeover via password reset flow, no phishing or malware required
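The following Python is an added example, not code from this repository or from crAPI. It implements the server-side controls whose absence this module exploits (attempt limit with lockout, expiry, single use, constant-time comparison) and includes a helper that walks the 0000-9999 space to show how many guesses the verifier accepts before locking. The policy numbers are assumptions.

```python
import hmac
import time


class OtpVerifier:
    """OTP check carrying the controls the module found missing."""

    MAX_ATTEMPTS = 5          # hypothetical policy values, not crAPI's
    LOCKOUT_SECONDS = 900
    OTP_TTL_SECONDS = 300

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so tests are deterministic
        self._pending = {}    # account -> {otp, issued_at, failures, locked_until}

    def issue(self, account: str, otp: str) -> None:
        self._pending[account] = {
            "otp": otp,
            "issued_at": self._clock(),
            "failures": 0,
            "locked_until": 0.0,
        }

    def verify(self, account: str, candidate: str) -> str:
        state = self._pending.get(account)
        if state is None:
            return "no_pending_otp"
        now = self._clock()
        if now < state["locked_until"]:
            return "locked"                       # no comparison while locked
        if now - state["issued_at"] > self.OTP_TTL_SECONDS:
            del self._pending[account]
            return "expired"                      # stale codes cannot be replayed
        if hmac.compare_digest(state["otp"], candidate):
            del self._pending[account]            # single use
            return "ok"
        state["failures"] += 1
        if state["failures"] >= self.MAX_ATTEMPTS:
            state["locked_until"] = now + self.LOCKOUT_SECONDS
            return "locked"
        return "invalid"


def attempts_until_locked(verifier: OtpVerifier, account: str) -> int:
    """Submit 0000-9999 in order, as an unthrottled guesser would, and report
    how many requests the verifier processed before it locked the account
    (or before a guess happened to hit)."""
    for n in range(10000):
        if verifier.verify(account, f"{n:04d}") in ("locked", "ok"):
            return n + 1
    return 10000
```

With a 5-attempt limit the guesser gets five requests instead of ten thousand, the lockout window makes the remaining space infeasible to cover before the code expires, and a code that has already been redeemed cannot be replayed.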
## 03 - XSS
Vulnerability: API8:2023 - Security Misconfiguration (missing output encoding)
Cross-Site Scripting in APIs is often overlooked because developers assume JSON responses can't execute scripts. This module proves otherwise, exploiting stored and reflected XSS vulnerabilities in crAPI's community forum feature by injecting scripts through API request bodies.
Key Techniques:
- Stored XSS via community post/comment creation endpoints
- Payload injection through JSON fields (`title`, `content`, `name`)
- Cookie theft via `document.cookie` exfiltration
- DOM-based XSS through client-side rendering of API data
Tools Used: Burp Suite, custom HTML/JS payloads, Webhook.site
Impact: Session hijacking, credential theft, malicious redirects affecting all users who view injected content
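As an added example (not code from this repository or from crAPI), the Python below renders a constructed forum post two ways: interpolated verbatim, which is the stored-XSS condition, and with contextual output encoding. It also shows the response headers that stop a browser from treating an API body as HTML. The post content and header set are assumptions.

```python
import html
import json

# Constructed forum post as a client might submit it through the API.
SUBMITTED_POST = {
    "title": "Brake issue",
    "content": "<script>alert(1)</script> anyone else?",
    "name": 'Mallory "quotes" & <b>bold</b>',
}


def render_post_unsafe(post: dict) -> str:
    """API data interpolated into HTML as-is: the script tag is live."""
    return (
        f"<h2>{post['title']}</h2><p>{post['content']}</p>"
        f"<small>by {post['name']}</small>"
    )


def render_post_safe(post: dict) -> str:
    """Output encoding for an HTML text context: <, >, &, quotes become entities."""
    def e(value) -> str:
        return html.escape(str(value), quote=True)

    return (
        f"<h2>{e(post['title'])}</h2><p>{e(post['content'])}</p>"
        f"<small>by {e(post['name'])}</small>"
    )


def json_api_response(post: dict) -> tuple:
    """Serve the post as data, with headers that keep a browser from sniffing
    the body as HTML if the API URL is ever opened directly."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    }
    return headers, json.dumps(post)


def contains_raw_markup(rendered: str) -> bool:
    """Check used by the tests: does the rendered HTML still carry a live tag?"""
    lowered = rendered.lower()
    return "<script" in lowered or "<b>" in lowered
```

The encoding belongs at the point of rendering, in whichever client consumes the API; the API side's job is to send data with an accurate content type and `nosniff` so the body is never interpreted as a document.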
## 04 - Black-Box API Security Assessment
Focus: API Reconnaissance & Enumeration (No Prior Knowledge)
This module simulates a real-world black-box engagement where the tester begins with only a base URL. It documents the full recon methodology to map the crAPI attack surface from scratch, discovering hidden endpoints, inferring data models, and identifying the technology stack before any exploitation begins.
Key Techniques:
- Passive recon: JavaScript source analysis, response header fingerprinting
- Active endpoint discovery with `ffuf` and custom API wordlists
- OpenAPI/Swagger spec discovery (`/api-docs`, `/swagger.json`, `/openapi.yaml`)
- HTTP verb tampering to discover undocumented methods
- Parameter mining via response diffing
Tools Used: ffuf, Arjun, Burp Suite, curl, kiterunner
Impact: Establishes the full attack surface map used in all subsequent modules
## 05 - BOLA → SSRF Chain
Vulnerability: API1:2023 - Broken Object Level Authorization, pivoting to SSRF
This module covers one of the most impactful vulnerability chains in API security: starting from a BOLA (also called IDOR) vulnerability, then chaining it to an SSRF condition to reach internal services. By manipulating object identifiers in API paths, unauthorized vehicle data is accessed, and a mechanic contact endpoint is weaponized to trigger outbound SSRF requests.
Key Techniques:
- BOLA: replacing `vehicleId`/`userId` parameters to access other users' objects
- Horizontal privilege escalation across crAPI vehicle records
- SSRF via the `/workshop/api/merchant/contact_mechanic` endpoint
- Internal port scanning via SSRF (`127.0.0.1:8080`, `169.254.169.254`)
- AWS metadata service enumeration via SSRF
Tools Used: Burp Suite, curl, custom Python scripts, Burp Collaborator
Impact: Unauthorized data access across all users + internal network reconnaissance
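The Python below is an added example, not code from this repository or from crAPI, showing the two checks that break this chain: an ownership test on the object lookup (so an id alone grants nothing) and an outbound-URL guard for the mechanic-contact call that allowlists the destination host and then checks what it resolves to, so loopback, RFC 1918 and the `169.254.169.254` metadata address are refused even behind a DNS name. The vehicle records, allowlist and resolver are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed ownership records; crAPI's real data model is not reproduced.
VEHICLES = {
    "veh-1001": {"owner": "user-a", "vin": "CONSTRUCTED-VIN-A"},
    "veh-1002": {"owner": "user-b", "vin": "CONSTRUCTED-VIN-B"},
}


class Forbidden(Exception):
    pass


def get_vehicle(vehicle_id: str, requesting_user: str) -> dict:
    """Object-level authorization: the caller must own the object. Missing and
    foreign ids get the same answer so the endpoint does not confirm which ids
    exist."""
    vehicle = VEHICLES.get(vehicle_id)
    if vehicle is None or vehicle["owner"] != requesting_user:
        raise Forbidden("not found")
    return vehicle


# Hypothetical allowlist of hosts the contact-mechanic flow may call.
ALLOWED_MECHANIC_HOSTS = {"mechanic.example.com"}


def is_safe_outbound_url(url: str, resolve=socket.gethostbyname) -> bool:
    """SSRF guard for a user-influenced outbound request: scheme, host
    allowlist and port first, then the resolved address must be globally
    routable, which excludes loopback, private ranges and link-local."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    if parsed.hostname not in ALLOWED_MECHANIC_HOSTS:
        return False
    try:
        if parsed.port not in (None, 80, 443):
            return False
        addr = ipaddress.ip_address(resolve(parsed.hostname))
    except (OSError, ValueError):
        return False          # unresolvable host or malformed port
    return addr.is_global
```

The resolver is injected so the guard can be tested offline; in production the same resolved address should also be the one actually connected to, otherwise a name that changes its answer between check and use (DNS rebinding) slips past the check.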
## 06 - Broken Auth
Vulnerability: API2:2023 - Broken Authentication
Beyond OTP bypasses, this module takes a deeper look at the full authentication implementation in crAPI, exposing JWT weaknesses, token lifecycle mismanagement, and predictable token generation that allows session hijacking without credentials.
Key Techniques:
- JWT `alg: none` attack, stripping signature verification
- JWT secret brute-force with `hashcat`/`jwt-cracker`
- Token reuse after logout (no server-side invalidation)
- Weak/predictable JWT secrets (`secret`, `password`, `crapi`)
- Refresh token abuse and long-lived token exploitation
Tools Used: jwt_tool, hashcat, Burp Suite, jwt.io
Impact: Persistent session hijacking; forge tokens for any user including admin
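As an added example (not code from this repository, from crAPI or from any JWT library), the Python below is a minimal HS256 signer and verifier written against the weaknesses this module lists: the accepted algorithm is pinned server-side so an `alg: none` header is refused, the secret must meet a minimum length, expiry is enforced, and logout records the token id in a server-side denylist so the token cannot be reused. The minimum length, claim names and the revocation store are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGS = {"HS256"}       # pinned here; the token header never chooses
MIN_SECRET_BYTES = 32          # hypothetical policy: at least 256 bits of key
REVOKED_JTIS = set()           # server-side denylist populated on logout


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def secret_is_acceptable(secret: bytes) -> bool:
    """Short dictionary words like the ones the module cracks fail this check."""
    return len(secret) >= MIN_SECRET_BYTES


def sign_hs256(payload: dict, secret: bytes) -> str:
    if not secret_is_acceptable(secret):
        raise ValueError("secret too short to resist offline brute force")
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token: str, secret: bytes, now=None) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")     # rejects alg:none
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    if payload.get("jti") in REVOKED_JTIS:
        raise ValueError("revoked")
    return payload


def logout(token: str, secret: bytes, now=None) -> None:
    """Server-side invalidation: the token's id is denylisted until it expires."""
    REVOKED_JTIS.add(verify(token, secret, now)["jti"])


def alg_none_token(payload: dict) -> str:
    """Constructed negative-test fixture: an unsigned token whose header
    claims alg none, which a correct verifier must refuse."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."
```

The denylist only needs to hold ids of tokens that have not yet expired, which is why short expiry and a refresh flow that issues a fresh `jti` keep it small; a long-lived token with no revocation path is exactly the condition the module exploits.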
## 07 - Excessive Data Exposure
Vulnerability: API3:2023 - Broken Object Property Level Authorization
APIs frequently return far more data than the client application displays, trusting the frontend to filter sensitive fields. This module demonstrates how intercepting raw API responses reveals PII, internal flags, password hashes, and admin-level attributes hidden from the UI but present in the JSON payload.
Key Techniques:
- Intercepting API responses with Burp to inspect full JSON payloads
- Identifying hidden fields: `isAdmin`, `creditScore`, `internalId`
- Comparing mobile app vs web app responses for data leakage delta
- Extracting other users' PII via response enumeration
- GraphQL introspection abuse to discover hidden fields and types
Tools Used: Burp Suite, jq, GraphQL Playground, custom Python
Impact: Mass PII harvesting; discovery of privilege escalation fields
## 08 - Mass Assignment
Vulnerability: API6:2023 - Unrestricted Access to Sensitive Business Flows / Mass Assignment
Modern API frameworks often auto-bind all request body properties to internal objects. When developers forget to whitelist allowed fields, attackers can inject unexpected properties, escalating privileges, modifying balances, or overwriting protected attributes by simply including them in a POST/PUT body.
Key Techniques:
- Adding `"isAdmin": true` to user update requests
- Injecting `"credit": 99999` into coupon/purchase endpoints
- Modifying vehicle ownership via PUT body injection
- Fuzzing request bodies to discover bindable hidden fields
- Comparing request schema vs response schema to identify injectable fields
Tools Used: Burp Suite, Arjun (parameter discovery), custom Python
Impact: Privilege escalation to admin; fraudulent credit manipulation; unauthorized resource ownership transfer
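Modules 07 and 08 are mirror images of one field-allowlist problem: what a serializer lets out and what a binder lets in. The Python below is an added example, not code from this repository or from crAPI, that puts both fixes beside the auto-binding anti-pattern using a constructed user record; the field names other than those the modules name are assumptions.

```python
# Constructed user record as it might sit in the database (not crAPI's schema).
STORED_USER = {
    "id": 42,
    "name": "Alice",
    "email": "alice@example.com",
    "phone": "555-0100",
    "password_hash": "$argon2id$constructed",
    "isAdmin": False,
    "creditScore": 710,
    "internalId": "usr-internal-42",
    "credit": 100,
}

# Two explicit allowlists: what may leave the server, what may come in.
USER_PUBLIC_FIELDS = ("id", "name", "email", "phone")
USER_WRITABLE_FIELDS = ("name", "email", "phone")


class ForbiddenField(ValueError):
    pass


def serialize_user(record: dict) -> dict:
    """Output allowlist (module 07 fix): the response is built from declared
    public fields, so hashes, flags and internal ids never reach the client."""
    return {k: record[k] for k in USER_PUBLIC_FIELDS if k in record}


def bind_all_fields_unsafe(record: dict, body: dict) -> dict:
    """The auto-binding anti-pattern behind module 08: every body property
    lands on the object, isAdmin and credit included."""
    updated = dict(record)
    updated.update(body)
    return updated


def apply_user_update(record: dict, body: dict) -> dict:
    """Input allowlist (module 08 fix): unknown or protected properties are
    rejected rather than silently dropped, so the refusal is visible."""
    unexpected = set(body) - set(USER_WRITABLE_FIELDS)
    if unexpected:
        raise ForbiddenField(f"non-writable fields: {sorted(unexpected)}")
    updated = dict(record)
    updated.update(body)
    return updated


def fields_needing_binding_review(record: dict) -> set:
    """Schema-diff audit: stored fields that are neither public nor writable
    are the ones a reviewer confirms the binder cannot be made to touch."""
    return set(record) - set(USER_PUBLIC_FIELDS) - set(USER_WRITABLE_FIELDS)
```

Rejecting rather than ignoring unexpected fields is a deliberate choice: it surfaces misbehaving clients in logs and tests instead of hiding them, and it keeps a later developer from quietly widening the allowlist by adding a field to the model.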
## 09 - Layer 7 DoS
Vulnerability: API4:2023 - Unrestricted Resource Consumption
Unlike volumetric DDoS attacks that flood the network layer, Layer 7 DoS exploits the application logic itself, targeting expensive operations, missing rate limits, and unbounded query parameters to exhaust server resources with minimal traffic. This module demonstrates multiple L7 DoS vectors against crAPI.
Key Techniques:
- Login endpoint flooding (no rate limiting; a 429 is never returned)
- Unbounded pagination abuse (`?limit=100000`; the server executes the full query)
- Large payload injection to exhaust memory/processing
- Password reset flood to overwhelm the mail service
- Slowloris-style HTTP keep-alive exhaustion
- ReDoS via crafted regex inputs in promo code fields
Tools Used: vegeta, ffuf, slowhttptest, hey, wrk, Python asyncio + httpx
Impact: Service degradation / outage affecting all users; potential memory exhaustion on underpowered deployments
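The Python below is an added example, not code from this repository or from crAPI, showing the request-side controls that close the vectors listed above: a pagination ceiling, a body-size limit, a per-client token bucket that actually returns 429, and a bounded linear pattern for promo codes so a crafted input cannot drive regex backtracking. All limits are assumptions.

```python
import re
import time

MAX_PAGE_SIZE = 100            # hypothetical limits, not crAPI's
MAX_BODY_BYTES = 64 * 1024
LOGIN_BURST = 5                # requests a client may make at once
LOGIN_REFILL_PER_SEC = 0.2     # then one more every five seconds

# Anchored, fixed-length character class: no nested quantifiers, so matching
# is linear in the input; the length check bounds the work before the regex runs.
PROMO_CODE = re.compile(r"[A-Z0-9]{4,16}")


def clamp_limit(raw, default: int = 20, maximum: int = MAX_PAGE_SIZE) -> int:
    """Unbounded pagination fix: ?limit=100000 becomes the server's ceiling."""
    try:
        n = int(raw)
    except (TypeError, ValueError):
        return default
    return max(1, min(n, maximum))


def valid_promo_code(code: str) -> bool:
    return len(code) <= 16 and PROMO_CODE.fullmatch(code) is not None


class TokenBucket:
    """Per-key token bucket; a request that finds the bucket empty is refused."""

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self._clock = clock
        self._buckets = {}     # key -> (tokens, last_seen)

    def allow(self, key: str) -> bool:
        now = self._clock()
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens < 1:
            self._buckets[key] = (tokens, now)
            return False
        self._buckets[key] = (tokens - 1, now)
        return True


def handle_login(client_key: str, content_length: int, bucket: TokenBucket) -> int:
    """Gate for an expensive endpoint; returns the HTTP status it would send."""
    if content_length > MAX_BODY_BYTES:
        return 413             # refuse the body before reading it
    if not bucket.allow(client_key):
        return 429             # the status the module never saw from crAPI
    return 200
```

The order of checks matters: size is rejected from the `Content-Length` header before the body is read, the bucket is consulted before any password hashing, and the pagination clamp runs before the query is built, so each vector is stopped before it reaches the expensive operation it targets.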
## crAPI Lab Environment

```
┌───────────────────────────────────────────────┐
│             CRAPI LAB ENVIRONMENT             │
│                                               │
│  ┌──────────┐   ┌──────────┐   ┌──────────┐   │
│  │ Web App  │   │   API    │   │ Mailhog  │   │
│  │  :8888   │──►│  :8888   │   │  :8025   │   │
│  └──────────┘   └──────────┘   └──────────┘   │
│       │              │              │         │
│  ┌─────────────────────────────────────────┐  │
│  │             Docker Network              │  │
│  └─────────────────────────────────────────┘  │
└───────────────────────────────────────────────┘
```
```bash
# 1. Clone crAPI
git clone https://github.com/OWASP/crAPI.git && cd crAPI
# 2. Start all services
docker compose -f deploy/docker/docker-compose.yml up -d
# 3. Verify
docker compose ps
# Access: http://localhost:8888
```

Recommended Tools Stack:
| Category | Tools |
|---|---|
| Proxy / Interception | Burp Suite Community / Pro |
| Fuzzing | ffuf, kiterunner, Arjun |
| Auth Testing | jwt_tool, hashcat |
| Load Testing | vegeta, hey, wrk |
| Scripting | Python 3 + httpx, requests, asyncio |
| Recon | curl, jq, Postman |
| OWASP ID | Vulnerability Class | Module |
|---|---|---|
| API1:2023 | Broken Object Level Authorization (BOLA/IDOR) | 05 |
| API2:2023 | Broken Authentication | 02, 06 |
| API3:2023 | Broken Object Property Level Authorization | 07 |
| API4:2023 | Unrestricted Resource Consumption | 09 |
| API6:2023 | Unrestricted Access to Sensitive Business Flows | 08 |
| API8:2023 | Security Misconfiguration | 01, 03 |
| Recon | Enumeration & Attack Surface Mapping | 04 |
| Chaining | BOLA → SSRF Exploit Chain | 05 |
This repository is for educational and authorized security research only.
All testing is performed on locally deployed, intentionally vulnerable lab environments.
Unauthorized use of these techniques against systems you do not own is illegal under the CFAA, Computer Misuse Act, and equivalent laws worldwide.
The author(s) accept no liability for misuse.