Pynt vs OWASP crAPI

OWASP crAPI (Completely Ridiculous API) is an intentionally vulnerable API designed to help security professionals and developers learn about API security risks. It simulates real-world API security flaws, including:

  • Broken Object Level Authorization (BOLA)

  • Broken User Authentication

  • Excessive Data Exposure

  • Security Misconfigurations

  • Injection Attacks

crAPI provides a hands-on environment for practicing API security testing, exploiting vulnerabilities, and learning how to secure APIs effectively. It's useful for penetration testers, security engineers, and developers looking to improve their API security skills.

How to scan crAPI with Pynt ?

First we will need to setup crAPI as described here: https://github.com/OWASP/crAPI

Or just use prebuilt images:

Linux machines:

curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml

docker-compose pull

docker-compose -f docker-compose.yml --compatibility up -d

Windows machines:

curl.exe -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml

docker-compose pull

docker-compose -f docker-compose.yml --compatibility up -d

Get the official crAPI postman collection and environment files:

wget https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/main/postman_collections/crAPI.postman_collection.json
wget https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/main/postman_collections/crAPI.postman_environment.json
wget -O crAPI.postman_environment2.json https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/main/postman_collections/crAPI.postman_environment.json

The second environment file will make Pynt run the collection twice, simulating traffic for two users. This enables Pynt to perform Business Logic Attacks.

On Mac and Windows PCs modify the base URLs in the environment files to be localhost and not 127.0.0.1 

"values": [{
        "key": "url",
        "value": "http://localhost:8888",
        "enabled": true
    },
    {
        "key": "url_mail",
        "value": "http://localhost:8025",
        "enabled": true
    }
],

Install Pynt CLI

python3 -m pip install pyntcli

Run Pynt with crAPI postman collection:

pynt newman --collection crAPI.postman_collection.json --environment crAPI.postman_environment.json crAPI.postman_environment2.json

PreviousBenchmarksNextPynt vs VAmPI

Last updated