If you want to get started with API hacking, crAPI is one of the best resources for hands-on practice. It can be set up on any operating system, but this walkthrough uses Kali Linux.
crAPI machine
Cloning the Github repository
The application is available from the repository below. You can clone it onto your machine with the following command:
git clone https://github.com/OWASP/crAPI.git
Once that is done, we have to install Docker on our system so we can spin up the containers.
Docker installation
sudo apt install docker.io
This command will install Docker on your system. After the installation is complete, you can verify that Docker has been installed correctly by running:
docker --version
Next, install Docker Compose with the following command:
sudo apt install docker-compose
Next, change into the deploy/docker/ directory inside the crAPI repository. Once there, spin up the containers with the following command:
sudo docker-compose up
The first time it runs, the application takes a while to pull its dependencies and finish setting up.
Endpoints
There are two endpoints in this application:
- Login page
- Mailhog mail server
Login page
The login page can be found at the following URI:
http://localhost:8888/login
Mailhog mail server
The mail server to which emails are sent can be found at the following URI:
http://localhost:8025/
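Because the first docker-compose run takes a while, it helps to know when both endpoints above are actually answering before opening Postman. The following readiness check is an added helper for this walkthrough, not part of crAPI; it polls the login page and the Mailhog UI and treats any HTTP response (even 4xx/5xx) as "up", since that proves the container is listening.

```python
"""Poll the two crAPI endpoints until they answer, so you know the first
`docker-compose up` has finished before opening Postman."""
import time
import urllib.error
import urllib.request

# Endpoints from the walkthrough: the web UI on 8888, Mailhog on 8025.
CRAPI_ENDPOINTS = {
    "login page": "http://localhost:8888/login",
    "mailhog": "http://localhost:8025/",
}


def probe(url, timeout=2.0):
    """Return ("up", status) when the server answers with any HTTP status,
    ("down", reason) when the TCP connection is refused or times out."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return ("up", resp.status)
    except urllib.error.HTTPError as e:
        # A 4xx/5xx still proves the container is listening and routing.
        return ("up", e.code)
    except (urllib.error.URLError, OSError) as e:
        return ("down", str(getattr(e, "reason", e)))


def wait_for_crapi(endpoints=CRAPI_ENDPOINTS, deadline=300, interval=5):
    """Poll every endpoint until all are up or `deadline` seconds pass.
    Returns a dict name -> (state, detail) from the last polling round."""
    stop = time.monotonic() + deadline
    while True:
        results = {name: probe(url) for name, url in endpoints.items()}
        if all(state == "up" for state, _ in results.values()):
            return results
        if time.monotonic() >= stop:
            return results
        time.sleep(interval)


if __name__ == "__main__":
    # Example run: wait up to five minutes, then print the final state.
    for name, (state, detail) in wait_for_crapi().items():
        print(f"{name:12s} {state:4s} {detail}")
```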
Postman
We will be using the Postman platform to interact with the APIs.
Installation
You can download the Postman client from the downloads page.
Once that is done, uncompress the archive with the following command:
tar -xvzf postman-linux-x64.tar.gz
Next, move the Postman directory into the /opt directory:
sudo mv Postman /opt
Creating a symbolic link for Postman
Launching Postman by typing the full path /opt/Postman/Postman every time is tedious. To get around this, we can create a symbolic link (shortcut) for the Postman application:
sudo ln -s /opt/Postman/Postman /usr/bin/postman
Now you can run the application with the postman command.
Importing the crAPI collection into Postman
Before we get started, we need to import the collection of requests for the crAPI endpoints into the Postman dashboard. Select the crAPI/postman_collections/ directory and click Import.
You should be able to see the requests in the Postman dashboard now.
If you click on a request at this point, it fails with an error. This is resolved by setting the Environment to Crapi.
You are now all set to practice some API hacking. You can check out my write-ups for crAPI.