Pynt vs OWASP crAPI

OWASP crAPI (Completely Ridiculous API) is an intentionally vulnerable API designed to help security professionals and developers learn about API security risks. It simulates real-world API security flaws, including:

  • Broken Object Level Authorization (BOLA)

  • Broken User Authentication

  • Excessive Data Exposure

  • Security Misconfigurations

  • Injection Attacks

crAPI provides a hands-on environment for practicing API security testing, exploiting vulnerabilities, and learning how to secure APIs effectively. It's useful for penetration testers, security engineers, and developers looking to improve their API security skills.

crAPI Security Challenges

Pynt reports the underlying weaknesses in crAPI (BOLA, mass assignment, SQL/NoSQL injection, and so on) rather than carrying out the full challenge exploits. The goal is to pinpoint where the API is weak and show that the weakness can be triggered, without performing the destructive or business-logic-breaking steps of the exploit. This keeps the findings actionable while testing stays safe and controlled.

| # | Category | Challenge | Pynt Coverage | How to run |
| --- | --- | --- | --- | --- |
| 1 | BOLA (Broken Object-Level Authorization) | Access details of another user's vehicle | ✅ User data leakage to other users; Resource-ID authorization | |
| 2 | BOLA (Broken Object-Level Authorization) | Access mechanic reports of other users | ✅ User data leakage to other users; Resource-ID authorization | |
| 3 | Broken Authentication | Reset the password of a different user | ✅ Rate-limit enforcement for OTP endpoints | |
| 4 | Excessive Data Exposure | Find an API endpoint that leaks sensitive information of other users | ✅ Excessive Data Exposure | |
| 5 | Excessive Data Exposure | Find an API endpoint that leaks an internal property of a video | ✅ Mass assignment by manipulation of hidden attributes | |
| 6 | Rate Limiting / DoS | Abuse the “contact mechanic” feature for a denial-of-service attack | ✅ Multiple Requests Rate Limit | Must be enabled in the Pynt dashboard: Application -> Tests -> Include in scans |
| 7 | BFLA (Broken Function-Level Authorization) | Delete a video of another user | ❌ Not yet covered; planned for the upcoming update to the Business Logic package | |
| 8 | Mass Assignment | Get an item for free | ✅ Negative Value Injection | |
| 9 | Mass Assignment | Increase your balance by $1,000 or more | ✅ Negative Value Injection | |
| 10 | Mass Assignment | Update internal video properties | ✅ Mass assignment by manipulation of hidden attributes | |
| 11 | SSRF (Server-Side Request Forgery) | Make crAPI send an HTTP call to “www.google.com” and return the response | ✅ Remote resource access | |
| 12 | NoSQL Injection | Get free coupons without knowing the coupon code | ✅ NoSQL Injection | |
| 13 | SQL Injection | Redeem a coupon that has already been claimed | ✅ PostgreSQL Injection | |
| 14 | Unauthenticated Access | Find an endpoint that does not perform authentication checks | ✅ Ignored authentication token | |
| 15 | JWT Vulnerabilities | Forge valid JWT tokens | ✅ JWT Forgery via External JWKS | |
| S1 | Secret Challenge | Undisclosed (advanced hidden challenge) | ✅ Negative Value Injection | |
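The Mass Assignment rows above (5, 8, 9 and 10) are covered by two Pynt tests, "Negative Value Injection" and "Mass assignment by manipulation of hidden attributes". To make concrete what those tests look for, here is an added example (not Pynt's code and not crAPI's implementation) with constructed stand-in handlers: a video update that binds the whole request body onto the stored record, an order endpoint that trusts the client-supplied quantity, and a hardened version of each. The probe functions send the payloads a scanner would and report whether the handler honoured them. All names (`owner_id`, `videoName`, `PRICE`) are hypothetical.

```python
"""Mass-assignment and negative-value probes against simulated handlers.

Added example, not Pynt's or crAPI's code. The handlers are constructed
stand-ins that show the weakness class and its fix side by side.
"""
from copy import deepcopy

PRICE = 10.0                      # hypothetical unit price
VIDEO_WRITABLE = {"videoName"}    # the only field a client may edit


def update_video_vulnerable(video: dict, body: dict) -> dict:
    """Binds every client-supplied field onto the record, hidden ones included."""
    video.update(body)
    return video


def update_video_hardened(video: dict, body: dict) -> dict:
    """Allow-list binding: unknown or internal fields are rejected, not ignored."""
    unknown = set(body) - VIDEO_WRITABLE
    if unknown:
        raise ValueError(f"fields not writable: {sorted(unknown)}")
    video.update({k: body[k] for k in VIDEO_WRITABLE if k in body})
    return video


def create_order_vulnerable(balance: float, quantity: int) -> tuple[float, float]:
    """Trusts the client's quantity; a negative quantity credits the account."""
    total = PRICE * quantity
    return balance - total, total


def create_order_hardened(balance: float, quantity: int) -> tuple[float, float]:
    """Validates type, sign and affordability before touching the balance."""
    if type(quantity) is not int or quantity < 1:
        raise ValueError("quantity must be a positive integer")
    total = PRICE * quantity
    if total > balance:
        raise ValueError("insufficient balance")
    return balance - total, total


def probe_mass_assignment(handler) -> bool:
    """True if a hidden attribute sent next to a legitimate field was stored."""
    video = {"id": 1, "videoName": "a.mp4", "owner_id": 42}   # constructed record
    try:
        after = handler(deepcopy(video), {"videoName": "b.mp4", "owner_id": 7})
    except ValueError:
        return False
    return after["owner_id"] != video["owner_id"]


def probe_negative_value(handler) -> bool:
    """True if ordering a negative quantity left the caller richer than before."""
    try:
        new_balance, _ = handler(100.0, -100)
    except ValueError:
        return False
    return new_balance > 100.0


if __name__ == "__main__":
    for name, h in [("vulnerable", update_video_vulnerable), ("hardened", update_video_hardened)]:
        print(f"mass assignment, {name}: {probe_mass_assignment(h)}")
    for name, h in [("vulnerable", create_order_vulnerable), ("hardened", create_order_hardened)]:
        print(f"negative value, {name}: {probe_negative_value(h)}")
```

The hardened video update rejects unexpected fields rather than silently dropping them: a rejection is visible in the scan results and in the client's error handling, while a silent drop hides the fact that someone tried to write `owner_id`. The order check also refuses `bool` values, which Python would otherwise accept as the integers 0 and 1.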

Other notable findings by Pynt

| Vulnerability | Endpoint | Explanation |
| --- | --- | --- |
| User data leakage to other users - credentials authorization | POST /identity/api/v2/user/change-email | A user can initiate an email change for a different user. The verification step does not complete, so the impact is low. |
| User data manipulation by other users - Resource-ID authorization | POST /workshop/api/merchant/contact_mechanic | A user can initiate a mechanic call on behalf of a different user. Impact is low. |
| Exposed .env file | /.env | Pynt detected an exposed environment file in the server root. |

How to get crAPI?

First, set up crAPI as described in the project repository: https://github.com/OWASP/crAPI

Or just use the prebuilt images:

Linux machines:

curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml

docker-compose pull

docker-compose -f docker-compose.yml --compatibility up -d

Windows machines (curl.exe is used so that PowerShell's curl alias for Invoke-WebRequest is not picked up):

curl.exe -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml

docker-compose pull

docker-compose -f docker-compose.yml --compatibility up -d

How to scan crAPI with Pynt using the crAPI Postman collection?

Get the official crAPI Postman collection and environment files:

wget https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/main/postman_collections/crAPI.postman_collection.json
wget https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/main/postman_collections/crAPI.postman_environment.json
wget -O crAPI.postman_environment2.json https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/main/postman_collections/crAPI.postman_environment.json

The second environment file is what makes Pynt run the collection twice, once per environment, so the recorded traffic looks like it comes from two users. That is what enables Pynt's business-logic attacks (BOLA, resource-ID authorization and the other two-user checks). For the second run to actually represent a different account, the two environments must not log in as the same user: if the collection takes its credentials from environment variables, change them in the copy before scanning.

Install Pynt CLI

python3 -m pip install pyntcli

Run Pynt with crAPI postman collection:

pynt newman --collection crAPI.postman_collection.json --environment crAPI.postman_environment.json crAPI.postman_environment2.json
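To show what the two-environment run buys you, here is an added example (not Pynt's code) of the two-user differential check behind the "Resource-ID authorization" findings: requests recorded for user A that carry an object ID in the path are replayed with user B's token, and a success that returns the same body as A's is flagged. The API at the bottom is a constructed stand-in with hypothetical paths (`/api/vehicles/{id}`), tokens and records, not crAPI's endpoints; `send` is any callable that takes a request and returns a status and body, so the same logic could be pointed at a real HTTP client.

```python
"""Two-user differential check for resource-ID (BOLA) authorization.

Added example, not Pynt's code. It shows the idea behind running one
collection twice with two environments: requests recorded for user A that
carry an object ID are replayed with user B's token, and a success that
mirrors A's response points at a missing object-level authorization check.
"""
import re
from typing import Callable

Request = dict                 # {"method": str, "path": str, "headers": dict}
Response = tuple[int, dict]    # (HTTP status, JSON body)
Transport = Callable[[Request], Response]

# Numeric IDs or UUIDs appearing as a whole path segment.
ID_PATTERN = re.compile(r"/(\d+|[0-9a-fA-F-]{36})(?=/|\?|$)")


def resource_requests(recorded: list[Request]) -> list[Request]:
    """Keep the read requests whose path embeds an object ID."""
    return [r for r in recorded if r["method"] == "GET" and ID_PATTERN.search(r["path"])]


def bola_findings(recorded: list[Request], token_b: str, send: Transport) -> list[str]:
    """Replay user A's resource requests as user B; flag identical successes."""
    findings = []
    for req in resource_requests(recorded):
        status_a, body_a = send(req)
        if status_a != 200:
            continue  # A cannot read it either, so B's answer proves nothing
        as_b = {**req, "headers": {**req["headers"], "Authorization": f"Bearer {token_b}"}}
        status_b, body_b = send(as_b)
        if status_b == 200 and body_b == body_a:
            findings.append(f"{req['method']} {req['path']}: readable with another user's token")
    return findings


# --- constructed stand-in API (hypothetical paths, tokens and data, not crAPI's) ---
TOKENS = {"tokenA": "alice", "tokenB": "bob"}
VEHICLES = {"101": {"owner": "alice", "vin": "VIN-A"}, "202": {"owner": "bob", "vin": "VIN-B"}}


def _caller(req: Request):
    return TOKENS.get(req["headers"].get("Authorization", "").removeprefix("Bearer "))


def vulnerable_api(req: Request) -> Response:
    """Authenticates the caller but never checks who owns the object."""
    if _caller(req) is None:
        return 401, {}
    match = ID_PATTERN.search(req["path"])
    vehicle = VEHICLES.get(match.group(1)) if match else None
    return (200, vehicle) if vehicle else (404, {})


def fixed_api(req: Request) -> Response:
    """The same API with the ownership check added."""
    status, vehicle = vulnerable_api(req)
    if status == 200 and vehicle["owner"] != _caller(req):
        return 403, {}
    return status, vehicle


# Constructed traffic, as user A's run of the collection would record it.
RECORDED_FOR_A = [
    {"method": "GET", "path": "/api/vehicles/101", "headers": {"Authorization": "Bearer tokenA"}},
    {"method": "GET", "path": "/api/me/dashboard", "headers": {"Authorization": "Bearer tokenA"}},
]

if __name__ == "__main__":
    print("vulnerable:", bola_findings(RECORDED_FOR_A, "tokenB", vulnerable_api))
    print("fixed:     ", bola_findings(RECORDED_FOR_A, "tokenB", fixed_api))
```

Two details matter in practice: the check only replays requests that user A could actually read (otherwise a 403 for B proves nothing), and it compares bodies rather than just status codes, because an API that returns 200 with an empty or redacted payload for B is not leaking A's data. This is also why both environments must authenticate as distinct accounts: if tokenA and tokenB belong to the same user, every replay "succeeds" and the comparison is meaningless.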

How to scan crAPI with Pynt using the Pynt-modified Postman collection?

To cover some of the challenges we created two additional Postman collections:

crAPI-modified.json - A collection that includes the APIs that were missing from the original collection.

crAPI-alignment_collection-v2.json - Populates a lot more user data into the crAPI database, which helps with finding some of the challenges.

First, run the alignment collection against crAPI with the Newman CLI:

newman run crAPI-alignment_collection-v2.json -e crAPI.postman_environment.json

Then run the Pynt scan:

pynt newman --collection crAPI-modified.json --environment crAPI.postman_environment.json crAPI.postman_environment2.json
