Pynt vs OWASP crAPI

OWASP crAPI (Completely Ridiculous API) is an intentionally vulnerable API designed to help security professionals and developers learn about API security risks. It simulates real-world API security flaws, including:

  • Broken Object Level Authorization (BOLA)

  • Broken User Authentication

  • Excessive Data Exposure

  • Security Misconfigurations

  • Injection Attacks

crAPI provides a hands-on environment for practicing API security testing, exploiting vulnerabilities, and learning how to secure APIs effectively. It's useful for penetration testers, security engineers, and developers looking to improve their API security skills.

crAPI Security Challenges

Pynt uncovers the underlying vulnerabilities in crAPI (such as BOLA, mass assignment, SQL/NoSQL injection, etc.), rather than demonstrating the full exploits themselves. The goal is to identify where the API is weak and prove that those weaknesses can be triggered, without carrying out the destructive or business-logic-breaking steps of the exploit. This way, Pynt provides actionable findings while keeping testing safe and controlled.

| # | Category | Challenge | Pynt Coverage | How to run |
|---|----------|-----------|---------------|------------|
| 1 | BOLA (Broken Object-Level Authorization) | Access details of another user's vehicle | User data leakage to other users - Resource-ID authorization | |
| 2 | BOLA (Broken Object-Level Authorization) | Access mechanic reports of other users | User data leakage to other users - Resource-ID authorization | |
| 3 | Broken Authentication | Reset the password of a different user | Rate-limit enforcement for OTP endpoints | |
| 4 | Excessive Data Exposure | Find an API endpoint that leaks sensitive information of other users | Excessive Data Exposure | |
| 5 | Excessive Data Exposure | Find an API endpoint that leaks an internal property of a video | Mass assignment by manipulation of hidden attributes | |
| 6 | Rate Limiting / DoS | Abuse the "contact mechanic" feature for a denial-of-service attack | Multiple Requests Rate Limit | Not enabled by default: in the Pynt dashboard open Application -> Tests and include it in scans |
| 7 | BFLA (Broken Function-Level Authorization) | Delete a video of another user | Not yet covered; planned for the upcoming update to the Business Logic package | |
| 8 | Mass Assignment | Get an item for free | Negative Value Injection | |
| 9 | Mass Assignment | Increase your balance by $1,000 or more | Negative Value Injection | |
| 10 | Mass Assignment | Update internal video properties | Mass assignment by manipulation of hidden attributes | |
| 11 | SSRF (Server-Side Request Forgery) | Make crAPI send an HTTP call to "www.google.com" and return the response | Remote resource access | |
| 12 | NoSQL Injection | Get free coupons without knowing the coupon code | NoSQL Injection | |
| 13 | SQL Injection | Redeem a coupon that has already been claimed | PostgreSQL Injection | |
| 14 | Unauthenticated Access | Find an endpoint that does not perform authentication checks | Ignored authentication token | |
| 15 | JWT Vulnerabilities | Forge valid JWT tokens | JWT Forgery via External JWKS | |
| S1 | Secret Challenge | Undisclosed (advanced hidden challenge) | Negative Value Injection | |
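Two of the coverage items in the table, "Mass assignment by manipulation of hidden attributes" (challenges 5 and 10) and "Negative Value Injection" (challenges 8, 9 and S1), come down to a server trusting client-supplied field names and signs. The Python below is an added example written for this page, not Pynt's or crAPI's code: each weakness appears as a vulnerable handler next to its hardened form, and a probe sends the same crafted request to both so the difference is visible. The Video and order shapes, field names, prices and the starting balance are constructed for the example and are not crAPI's schema.

```python
from dataclasses import dataclass

# Constructed in-memory state; field names and prices are assumptions for the example.
@dataclass
class Video:
    id: int
    owner: str
    name: str
    conversion_params: str = "-v codec h264"  # internal setting, never meant to be client-writable

PRICE = {"Seat": 10.0, "Wheel": 20.0}
BALANCE = {"alice": 100.0}

# --- Mass assignment: hidden attribute manipulation ---------------------------

def update_video_vulnerable(video: Video, body: dict) -> Video:
    # Copies every JSON field onto the object, so a client can overwrite conversion_params.
    for key, value in body.items():
        setattr(video, key, value)
    return video

VIDEO_WRITABLE = {"name"}  # allow-list of client-editable fields

def update_video_hardened(video: Video, body: dict) -> Video:
    # Reject unknown or read-only fields instead of silently dropping them, so tampering is visible.
    extra = set(body) - VIDEO_WRITABLE
    if extra:
        raise ValueError(f"read-only or unknown fields: {sorted(extra)}")
    for key in VIDEO_WRITABLE & set(body):
        setattr(video, key, body[key])
    return video

# --- Negative value injection ---------------------------------------------------

def place_order_vulnerable(user: str, product: str, quantity: int) -> float:
    # No sign check: quantity -100 gives a negative total, which credits the account.
    total = PRICE[product] * quantity
    BALANCE[user] -= total
    return total

def place_order_hardened(user: str, product: str, quantity: int) -> float:
    # bool is a subclass of int, so exclude it explicitly; then require a positive count.
    if isinstance(quantity, bool) or not isinstance(quantity, int) or quantity < 1:
        raise ValueError("quantity must be a positive integer")
    total = PRICE[product] * quantity
    if BALANCE[user] < total:
        raise ValueError("insufficient balance")
    BALANCE[user] -= total
    return total

# --- Probes: the same crafted request against both forms ----------------------

def probe_mass_assignment() -> dict:
    tampered = {"name": "my clip", "conversion_params": "-v codec vp9"}
    vuln = update_video_vulnerable(Video(1, "alice", "clip"), tampered)
    try:
        update_video_hardened(Video(1, "alice", "clip"), tampered)
        rejected = False
    except ValueError:
        rejected = True
    return {"vulnerable_params": vuln.conversion_params, "hardened_rejected": rejected}

def probe_negative_quantity(start: float = 100.0) -> dict:
    BALANCE["alice"] = start
    place_order_vulnerable("alice", "Seat", -100)   # 100 - (10 * -100) = 1100
    vuln_balance = BALANCE["alice"]
    BALANCE["alice"] = start
    try:
        place_order_hardened("alice", "Seat", -100)
        rejected = False
    except ValueError:
        rejected = True
    return {"vulnerable_balance": vuln_balance,
            "hardened_rejected": rejected,
            "hardened_balance": BALANCE["alice"]}

if __name__ == "__main__":
    print(probe_mass_assignment())
    print(probe_negative_quantity())
```

The negative-quantity probe is the shape of challenge 9: a single order with quantity -100 at $10 raises the balance by $1,000. Note that the hardened update handler fails closed on unexpected fields rather than ignoring them; silently dropping unknown keys is safer than the vulnerable form but hides probing from logs.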

Other notable findings by Pynt

| Vulnerability | Endpoint | Explanation |
|---------------|----------|-------------|
| User data leakage to other users - credentials authorization | POST /identity/api/v2/user/change-email | A user can initiate an email change for a different user; the verification step does not succeed, so the impact is Low |
| User data manipulation by other users - Resource-ID authorization | POST /workshop/api/merchant/contact_mechanic | A user can initiate a mechanic call on behalf of a different user; impact is Low |
| Exposed .env File | /.env | Pynt detected an environment file exposed at the server root |

How to get crAPI?

First, set up crAPI as described in the project repository: https://github.com/OWASP/crAPI

Or just use the prebuilt images (with Docker Compose v2 the command is docker compose rather than docker-compose):

Linux machines:

curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml
docker-compose pull
docker-compose -f docker-compose.yml --compatibility up -d

Windows machines:

curl.exe -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml
docker-compose pull
docker-compose -f docker-compose.yml --compatibility up -d

How to scan crAPI with Pynt using the crAPI Postman collection?

Get the official crAPI Postman collection and environment files:

wget https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/main/postman_collections/crAPI.postman_collection.json
wget https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/main/postman_collections/crAPI.postman_environment.json
wget -O crAPI.postman_environment2.json https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/main/postman_collections/crAPI.postman_environment.json

The second environment file is a copy of the first. Passing both makes Pynt run the collection twice, simulating traffic for two users; the two sessions are what enable Pynt's business logic attacks, such as the Resource-ID authorization checks listed above.
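The reason two sessions matter is that a Resource-ID authorization (BOLA) check is, at its core, a replay of one user's successful object reads under the other user's credentials. The Python below is an added example of that check written for this page; it is not Pynt's implementation. The toy API, its single route (GET /vehicle/<id>/location), the tokens and the vehicle records are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed fixtures (not crAPI data): two users, each owning one vehicle.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
VEHICLES = {
    "veh-1": {"owner": "alice", "vin": "VIN-ALICE-0001", "location": (32.08, 34.78)},
    "veh-2": {"owner": "bob", "vin": "VIN-BOB-0002", "location": (40.71, -74.01)},
}
Response = Tuple[int, Optional[dict]]
Api = Callable[[str, str, str], Response]

def _vehicle_id(path: str) -> Optional[str]:
    # The only route in this toy API: GET /vehicle/<id>/location
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[0] == "vehicle" and parts[2] == "location":
        return parts[1]
    return None

def vulnerable_api(method: str, path: str, token: str) -> Response:
    user = TOKENS.get(token)
    if user is None:
        return 401, None
    vid = _vehicle_id(path)
    if method != "GET" or vid is None or vid not in VEHICLES:
        return 404, None
    v = VEHICLES[vid]
    # Authenticated, but never compared with v["owner"]: any valid token reads any vehicle.
    return 200, {"vin": v["vin"], "location": v["location"]}

def hardened_api(method: str, path: str, token: str) -> Response:
    user = TOKENS.get(token)
    if user is None:
        return 401, None
    vid = _vehicle_id(path)
    if method != "GET" or vid is None or vid not in VEHICLES:
        return 404, None
    v = VEHICLES[vid]
    if v["owner"] != user:
        return 404, None  # same status as "no such vehicle", so valid IDs are not confirmed
    return 200, {"vin": v["vin"], "location": v["location"]}

@dataclass(frozen=True)
class Recorded:
    method: str
    path: str
    status: int
    body: Optional[dict]

def record(api: Api, token: str, requests: List[Tuple[str, str]]) -> List[Recorded]:
    """First pass: play user A's requests and keep what A legitimately received."""
    out = []
    for method, path in requests:
        status, body = api(method, path, token)
        out.append(Recorded(method, path, status, body))
    return out

def resource_id_authorization_check(api: Api, session_a: List[Recorded], token_b: str) -> List[str]:
    """Second pass: replay A's successful reads as B. A finding is a path where B
    receives 200 with the very object A received; B getting its own data is not one."""
    findings = []
    for rec in session_a:
        if rec.method != "GET" or rec.status != 200:
            continue
        status, body = api(rec.method, rec.path, token_b)
        if status == 200 and body == rec.body:
            findings.append(rec.path)
    return findings

def scan(api: Api) -> List[str]:
    alice = record(api, "tok-alice", [("GET", "/vehicle/veh-1/location"),
                                      ("GET", "/vehicle/veh-9/location")])  # second one 404s
    return resource_id_authorization_check(api, alice, "tok-bob")

if __name__ == "__main__":
    print("vulnerable:", scan(vulnerable_api))
    print("hardened:  ", scan(hardened_api))
```

Comparing response bodies rather than only status codes is what keeps the check honest: an endpoint that returns 200 with the caller's own data regardless of the ID in the path is not a BOLA. Against a real API the bodies carry timestamps and request IDs that have to be normalized before the comparison, and the second user must own resources of its own so that a 403 or 404 on the other user's IDs is a meaningful difference rather than a blanket denial.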

Install Pynt CLI

python3 -m pip install pyntcli

Run Pynt with crAPI postman collection:

pynt newman --collection crAPI.postman_collection.json --environment crAPI.postman_environment.json crAPI.postman_environment2.json

How to scan crAPI with Pynt using the Pynt-modified Postman collection?

To reach some challenges that the official collection does not cover, Pynt created two additional Postman collections:

crAPI-modified.json - A collection that includes APIs that were missing from the original collection. Download it under that name so the scan command below finds it:

wget -O crAPI-modified.json https://raw.githubusercontent.com/pynt-io/pynt/refs/heads/crapi-cloud-files/crapi/crAPI-modified-v2.1.json

crAPI-alignment_collection-v2.json - Populates the crAPI database with many more users and records, which helps surface some of the challenges.

  1. First, run the alignment collection against crAPI (plain newman, no Pynt):

newman run crAPI-alignment_collection-v2.json -e crAPI.postman_environment.json

  2. Then run the Pynt scan:

pynt newman --collection crAPI-modified.json --environment crAPI.postman_environment.json crAPI.postman_environment2.json
