crAPI

crAPI (Completely Ridiculous Application Programmer Interface) defines an API which is intentionally vulnerable to the OWASP API Top 10 vulnerabilities. crAPI is meant to illustrate and educate by presenting these issues for you to discover and exploit.

The crAPI challenge is for you to find and exploit as many of these vulnerabilities as you can.

There are two approaches to hacking crAPI. The first is to treat it as a complete black box test, where you get no directions and simply try to understand the app from scratch and hack it.

The second approach is to use this page, which gives you an idea of which vulnerabilities exist in crAPI and directs you on how to exploit them.

Challenges

BOLA Vulnerabilities

Challenge 1 - Access details of another user’s vehicle

To solve the challenge, you need to leak sensitive information of another user’s vehicle.

  • Since vehicle IDs are not sequential numbers, but GUIDs, you need to find a way to expose the vehicle ID of another user.

  • Find an API endpoint that receives a vehicle ID and returns information about it.

When viewing the recent comments in the forum, the vehicle GUIDs are returned in the response body, along with additional info such as the username.

When refreshing the vehicle location, change the GUID to the one belonging to the user Adam and observe the GPS coordinates of their car.

Challenge 2 - Access mechanic reports of other users

crAPI allows vehicle owners to contact their mechanics by submitting a "contact mechanic" form. This challenge is about accessing mechanic reports that were submitted by other users.

  • Analyze the report submission process

  • Find a hidden API endpoint that exposes details of a mechanic report

Submit a valid report to the mechanic and observe that the URL to access the report is returned in the response body.

It is possible to change the report_id and view other users' mechanic reports. The reports also reveal additional information such as email addresses and phone numbers.

Broken User Authentication

Challenge 3 - Reset the password of a different user

  • Find an email address of another user on crAPI

Using the email found in challenge 1, start the password reset process on the main page.

The v3 endpoint has brute-force protection but the v2 endpoint does not, so it is possible to brute-force the OTP in the v2 API and then reset the user's password.

Check-OTP v3
Check-OTP v2

Excessive Data Exposure

Challenge 4 - Find an API endpoint that leaks sensitive information of other users

This is the same endpoint as challenge 1.

Challenge 5 - Find an API endpoint that leaks an internal property of a video

In this challenge, you need to find an internal property of the video resource that shouldn't be exposed to the user.

When submitting a new video, the conversion parameters are returned in the response body.

Rate Limiting

Challenge 6 - Perform a layer 7 DoS using ‘contact mechanic’ feature

Intercept a request to contact a mechanic. Send it to Burp Intruder / Repeater and submit the request multiple times. At the 14th occurrence, a DoS is caused.

BFLA

Challenge 7 - Delete a video of another user

  • Leverage the predictable nature of REST APIs to find an admin endpoint to delete videos

  • Delete a video of someone else

Swapping the PUT method to DELETE returned an error stating that DELETE is an admin API. Changing the path to /identity/api/admin/videos/30 then allowed the video to be deleted.

Mass Assignment

Challenge 8 - Get an item for free

crAPI allows users to return items they have ordered. You simply click the "return order" button, receive a QR code and show it in a USPS store. To solve this challenge, you need to find a way to get refunded for an item that you haven’t actually returned.

By changing the quantity to a negative number, your account is credited that amount.

If you make a POST request to /workshop/api/shop/products, the required fields for a product are returned. By creating a product with a price of -$1000, it is possible to increase your account balance by that amount.

Challenge 9 - Increase your balance by $1,000 or more

Solved above.
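As an added example (not crAPI's own code), these are the server-side checks that close the two mass-assignment issues behind challenges 8 and 9: an allow-list of product fields with a non-negative price, and a refund that is computed from the stored order rather than from the request. The function names, the field allow-list and the order layout are assumptions for illustration.

```python
# Added illustration, not crAPI's workshop code. Field names, the allow-list and
# the order dict layout are assumptions.
from decimal import Decimal, InvalidOperation

ALLOWED_PRODUCT_FIELDS = {"name", "price", "image_url"}  # assumed allow-list


def money_or_error(value):
    """Return (Decimal, None) for a valid non-negative amount, else (None, reason)."""
    try:
        amount = Decimal(str(value))
    except (InvalidOperation, ValueError):
        return None, "price is not a number"
    if not amount.is_finite() or amount < 0:
        return None, "price must be a non-negative finite number"
    return amount, None


def validate_product(payload):
    """Mass-assignment guard for product creation.

    Rejects any field outside the allow-list and any negative price, so a
    client cannot post a -$1000 product and have it credited to an account.
    Returns (clean_dict, errors); clean_dict is None when errors is non-empty.
    """
    errors = [f"unexpected field: {f}"
              for f in sorted(set(payload) - ALLOWED_PRODUCT_FIELDS)]
    price, err = money_or_error(payload.get("price"))
    if err:
        errors.append(err)
    if errors:
        return None, errors
    clean = {k: payload[k] for k in ALLOWED_PRODUCT_FIELDS if k in payload}
    clean["price"] = price
    return clean, []


def refund_for_return(order, requested_quantity):
    """Credit only for units that were actually bought.

    The quantity must be a positive int no larger than the order's quantity
    (bool is rejected explicitly because it subclasses int), and the unit
    price is taken from the stored order, never from the request body.
    Returns (amount, errors).
    """
    if type(requested_quantity) is not int or requested_quantity <= 0:
        return None, ["quantity must be a positive integer"]
    if requested_quantity > order["quantity"]:
        return None, ["cannot return more than was ordered"]
    return Decimal(str(order["unit_price"])) * requested_quantity, []
```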

Challenge 10 - Update internal video properties

After solving the "Find an API endpoint that leaks an internal property of videos" challenge, try to find an endpoint that would allow you to change the internal property of the video. Changing the value can help you to exploit another vulnerability.

When updating the video name, add the conversion params to the body.

SSRF

When submitting a mechanic report, change the mechanic API URL parameter to another URL to trigger an SSRF.

NoSQL Injection

When checking for a valid coupon, it is possible to perform an injection on the coupon_code parameter.
