# Pynt vs OWASP crAPI [OWASP **crAPI**](https://github.com/OWASP/crAPI) (Completely Ridiculous API) is an intentionally vulnerable API designed to help security professionals and developers learn about API security risks. It simulates real-world API security flaws, including: * **Broken Object Level Authorization (BOLA)** * **Broken User Authentication** * **Excessive Data Exposure** * **Security Misconfigurations** * **Injection Attacks** crAPI provides a hands-on environment for practicing API security testing, exploiting vulnerabilities, and learning how to secure APIs effectively. It's useful for penetration testers, security engineers, and developers looking to improve their API security skills. ## crAPI Security Challenges Pynt uncovers the underlying vulnerabilities in crAPI (such as BOLA, mass assignment, SQL/NoSQL injection, etc.), rather than demonstrating the full exploits themselves. The goal is to identify where the API is weak and prove that those weaknesses can be triggered, without carrying out the destructive or business-logic-breaking steps of the exploit. This way, Pynt provides actionable findings while keeping testing safe and controlled.

#	Category	Challenge	Pynt Coverage	How to run ?
1	BOLA (Broken Object-Level Authorization)	Access details of another user’s vehicle	✅ - User data leakage to other users - Resource-ID authorization	crAPI official postman collection
2	BOLA (Broken Object-Level Authorization)	Access mechanic reports of other users	✅ - User data leakage to other users - Resource-ID authorization	crAPI modified postman collection
3	Broken Authentication	Reset the password of a different user	✅ - Rate-limit enforcement for OTP Endpoints	crAPI modified postman collection
4	Excessive Data Exposure	Find an API endpoint that leaks sensitive information of other users	✅ - Excessive Data Exposure	crAPI modified postman collection
5	Excessive Data Exposure	Find an API endpoint that leaks an internal property of a video	✅ - Mass assignment by manipulation of hidden attributes	crAPI modified postman collection
6	Rate Limiting / DoS	Abuse the “contact mechanic” feature for a denial-of-service attack	✅ - Multiple Requests Rate Limit (Need to enable in Pynt dashboard. Application -> tests -> include in scans)	crAPI official postman collection
7	BFLA (Broken Function-Level Authorization)	Delete a video of another user	❌ - Will be supported in the upcoming update to the Business logic package
8	Mass Assignment	Get an item for free	✅ - Negative Value Injection	crAPI official postman collection
9	Mass Assignment	Increase your balance by $1,000 or more	✅ - Negative Value Injection	crAPI official postman collection
10	Mass Assignment	Update internal video properties	✅ - Mass assignment by manipulation of hidden attributes	crAPI official postman collection
11	SSRF (Server-Side Request Forgery)	Make crAPI send an HTTP call to “www.google.com” and return the response	✅ - Remote resource access	crAPI official postman collection
12	NoSQL Injection	Get free coupons without knowing the coupon code	✅ - NoSQL Injection	crAPI official postman collection
13	SQL Injection	Redeem a coupon that has already been claimed	✅ - PostgreSQL Injection	crAPI official postman collection
14	Unauthenticated Access	Find an endpoint that does not perform authentication checks	✅ - Ignored authentication token	crAPI official postman collection
15	JWT Vulnerabilities	Forge valid JWT tokens	✅ - JWT Forgery via External JWKS	crAPI official postman collection
S1	Secret Challenge	Undisclosed (advanced hidden challenge)	✅ - Negative Value Injection	crAPI official postman collection

Other Notable findings by Pynt

Vulnerability	Endpoint	explanation
User data leakage to other users - credentials authorization	POST /identity/api/v2/user/change-email	User can initiate email change for a different user, the verify will not work so the impact is Low
User data manipulation by other users - Resource-ID authorization	POST /workshop/api/merchant/contact_mechanic.	User can initiate a mechanic call for a different User, impact is low
Exposed .env File	/.env	Pynt detected an exposed environment file located in the server root

Vulnerability

Endpoint

explanation

User data leakage to other users - credentials authorization

POST /identity/api/v2/user/change-email

User can initiate email change for a different user, the verify will not work so the impact is Low

User data manipulation by other users - Resource-ID authorization

POST /workshop/api/merchant/contact_mechanic.

User can initiate a mechanic call for a different User, impact is low

Exposed .env File

/.env

Pynt detected an exposed environment file located in the server root

## How to get crAPI ? First we will need to setup crAPI as described here: Or just use prebuilt images: #### Linux machines: ```bash curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml docker-compose pull docker-compose -f docker-compose.yml --compatibility up -d ``` #### Windows machines: ```bash curl.exe -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml docker-compose pull docker-compose -f docker-compose.yml --compatibility up -d ``` ## How to scan crAPI with Pynt using the crAPI postman collection ? #### Get the official crAPI postman collection and environment files:

wget https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/main/postman_collections/crAPI.postman_collection.json
wget https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/main/postman_collections/crAPI.postman_environment.json
wget -O crAPI.postman_environment2.json https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/main/postman_collections/crAPI.postman_environment.json

The second environment file will make Pynt run the collection twice, simulating traffic for two users. This enables Pynt to perform Business Logic Attacks. {% hint style="danger" %} On Mac and Windows PCs modify the base URLs in the environment files to be `localhost` and not `127.0.0.1` ``` "values": [{ "key": "url", "value": "http://localhost:8888", "enabled": true }, { "key": "url_mail", "value": "http://localhost:8025", "enabled": true } ], ``` {% endhint %} ### Install Pynt CLI `python3 -m pip install pyntcli` Run Pynt with crAPI postman collection: {% code overflow="wrap" fullWidth="false" %} ```bash pynt newman --collection crAPI.postman_collection.json --environment crAPI.postman_environment.json crAPI.postman_environment2.json ``` {% endcode %} ## How to scan crAPI with Pynt using Pynt modified postman collection ? To get some challenges we created two new postman collections: [**crAPI-modified.json**](https://raw.githubusercontent.com/pynt-io/pynt/refs/heads/crapi-cloud-files/crapi/crAPI-modified-v2.1.json) - A collection that includes APIs that where missing from the original collection. {% code overflow="wrap" %} ```bash wget https://raw.githubusercontent.com/pynt-io/pynt/refs/heads/crapi-cloud-files/crapi/crAPI-modified-v2.1.json ``` {% endcode %} [**crAPI-alignment\_collection-v2.json**](https://raw.githubusercontent.com/pynt-io/pynt/refs/heads/main/crapi/crAPI-alignment_collection-v3.json) - Populates lot more user data into crAPI database, helps with finding some of the challenges 1. First run the alignment collection against crAPI: ```bash newman run crAPI-alignment_collection-v2.json -e crAPI.postman_environment.json ``` 2. Now run the Pynt scan: {% code overflow="wrap" %} ```bash pynt newman --collection crAPI-modified.json --environment crAPI.postman_environment.json crAPI.postman_environment2.json ``` {% endcode %}