OWASP crAPI (Completely Ridiculous API)
Platform status
This lab is marked draft on the CSN platform. Availability and URLs may change; confirm in the lab catalog before assigning it to learners.
What is this lab?
OWASP crAPI is a vulnerable-by-design microservices application for practicing API security: discovery, authorization, and common API risk patterns through realistic flows.
What you will learn
- Enumerating and testing APIs with an OpenAPI/Swagger definition
- Authorization testing across endpoints and roles (including BOLA/IDOR-style issues)
- Patterns such as mass assignment, excessive data exposure, and weak rate limiting
- A practical workflow using Postman plus a web proxy (Burp or ZAP)
Prerequisites
Tools
- Web browser
- Postman (or similar) for collections and replay
- Burp Suite or OWASP ZAP, optional but useful
Knowledge
- REST/HTTP basics and JSON
- Familiarity with API authentication (sessions, tokens)
Getting started
- Start the lab and open the crAPI web UI from the URL shown.
- Create an account and sign in.
- Import the OpenAPI spec into Postman if you want a generated collection.
- If MailHog is exposed, use it to inspect emails for account-related flows.
How to use this lab
- Drive normal user actions (signup, profile, features) and capture API calls.
- Switch to API-first testing using OpenAPI/Postman to enumerate endpoints.
- Test authorization boundaries with two accounts (User A vs User B).
- Document findings: endpoint, request/response, impact, recommended control.
Challenge buckets
- Discovery and documentation — align the spec with live traffic
- BOLA / IDOR — object-level authorization across users
- Mass assignment and data exposure — fields that should not be client-controlled or visible
- Rate limiting and abuse — throttling, quotas, lockouts
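The BOLA/IDOR and mass-assignment buckets come down to two server-side controls. What follows is an added example written for this page, not code from crAPI: an in-memory stand-in for a vehicle endpoint, with each vulnerable handler beside its hardened form. The `Vehicle` model, the user names and the server-managed `credit` field are constructed assumptions.

```python
# Added example, not crAPI's code: in-memory handlers showing the controls the
# BOLA/IDOR and mass-assignment buckets test for. All names/data are constructed.
from dataclasses import dataclass

@dataclass
class Vehicle:
    id: int
    owner: str
    vin: str
    nickname: str
    credit: float = 0.0  # server-managed balance; must never be client-writable

VEHICLES = {
    101: Vehicle(101, "userA", "VIN-A-0001", "daily driver"),
    102: Vehicle(102, "userB", "VIN-B-0002", "weekend car"),
}
CLIENT_WRITABLE = {"nickname"}  # allowlist of fields a client may set

class NotFound(Exception): ...
class Forbidden(Exception): ...

def get_vehicle_vulnerable(caller: str, vehicle_id: int) -> Vehicle:
    """BOLA/IDOR: caller is authenticated, but ownership is never checked."""
    return VEHICLES[vehicle_id]

def get_vehicle_hardened(caller: str, vehicle_id: int) -> Vehicle:
    """Object-level authorization: verify the object belongs to the caller."""
    v = VEHICLES.get(vehicle_id)
    if v is None or v.owner != caller:
        # Same error for 'missing' and 'not yours' so ids cannot be enumerated.
        raise NotFound(f"vehicle {vehicle_id} not found")
    return v

def update_vehicle_vulnerable(caller: str, vehicle_id: int, body: dict) -> Vehicle:
    """Mass assignment: every key in the JSON body is bound to the model."""
    v = get_vehicle_hardened(caller, vehicle_id)
    for k, val in body.items():
        setattr(v, k, val)  # 'credit' or 'owner' in the body silently takes effect
    return v

def update_vehicle_hardened(caller: str, vehicle_id: int, body: dict) -> Vehicle:
    """Bind only allowlisted fields; unexpected keys are rejected, not ignored."""
    v = get_vehicle_hardened(caller, vehicle_id)
    unexpected = set(body) - CLIENT_WRITABLE
    if unexpected:
        raise Forbidden(f"fields not client-writable: {sorted(unexpected)}")
    for k in CLIENT_WRITABLE & set(body):
        setattr(v, k, body[k])
    return v
```

When testing with User A and User B as described above, the finding to document is exactly the difference between these pairs: B can read A's object through the vulnerable getter but not the hardened one, and an extra `credit` key is accepted by the vulnerable update but rejected by the hardened one.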
Scenarios
Scenario walkthroughs for crAPI will be added here over time.
Safety and ethics
Use these techniques only in authorized lab environments.