Pynt vs OWASP crAPI
OWASP crAPI (Completely Ridiculous API) is an intentionally vulnerable API designed to help security professionals and developers learn about API security risks. It simulates real-world API security flaws, including:
Broken Object Level Authorization (BOLA)
Broken User Authentication
Excessive Data Exposure
Security Misconfigurations
Injection Attacks
crAPI provides a hands-on environment for practicing API security testing, exploiting vulnerabilities, and learning how to secure APIs effectively. It's useful for penetration testers, security engineers, and developers looking to improve their API security skills.
crAPI Security Challenges
Pynt uncovers the underlying vulnerabilities in crAPI (such as BOLA, mass assignment, SQL/NoSQL injection, etc.), rather than demonstrating the full exploits themselves. The goal is to identify where the API is weak and prove that those weaknesses can be triggered, without carrying out the destructive or business-logic-breaking steps of the exploit. This way, Pynt provides actionable findings while keeping testing safe and controlled.
1
BOLA (Broken Object-Level Authorization)
Access details of another user’s vehicle
✅ - User data leakage to other users - Resource-ID authorization
2
BOLA (Broken Object-Level Authorization)
Access mechanic reports of other users
✅ - User data leakage to other users - Resource-ID authorization
3
Broken Authentication
Reset the password of a different user
✅ - Rate-limit enforcement for OTP Endpoints
4
Excessive Data Exposure
Find an API endpoint that leaks sensitive information of other users
✅ - Excessive Data Exposure
5
Excessive Data Exposure
Find an API endpoint that leaks an internal property of a video
✅ - Mass assignment by manipulation of hidden attributes
6
Rate Limiting / DoS
Abuse the “contact mechanic” feature for a denial-of-service attack
✅ - Multiple Requests Rate Limit (Need to enable in Pynt dashboard. Application -> tests -> include in scans)
7
BFLA (Broken Function-Level Authorization)
Delete a video of another user
❌ - Will be supported in the upcoming update to the Business logic package
9
Mass Assignment
Increase your balance by $1,000 or more
✅ - Negative Value Injection
10
Mass Assignment
Update internal video properties
✅ - Mass assignment by manipulation of hidden attributes
11
SSRF (Server-Side Request Forgery)
Make crAPI send an HTTP call to “www.google.com” and return the response
✅ - Remote resource access
12
NoSQL Injection
Get free coupons without knowing the coupon code
✅ - NoSQL Injection
13
SQL Injection
Redeem a coupon that has already been claimed
✅ - PostgreSQL Injection
14
Unauthenticated Access
Find an endpoint that does not perform authentication checks
✅ - Ignored authentication token
15
JWT Vulnerabilities
Forge valid JWT tokens
✅ - JWT Forgery via External JWKS
S1
Secret Challenge
Undisclosed (advanced hidden challenge)
✅ - Negative Value Injection
Other Notable findings by Pynt
User data leakage to other users - credentials authorization
POST /identity/api/v2/user/change-email
User can initiate email change for a different user, the verify will not work so the impact is Low
User data manipulation by other users - Resource-ID authorization
POST /workshop/api/merchant/contact_mechanic.
User can initiate a mechanic call for a different User, impact is low
Exposed .env File
/.env
Pynt detected an exposed environment file located in the server root
How to get crAPI ?
First we will need to setup crAPI as described here: https://github.com/OWASP/crAPI
Or just use prebuilt images:
Linux machines:
curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml
docker-compose pull
docker-compose -f docker-compose.yml --compatibility up -dWindows machines:
curl.exe -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml
docker-compose pull
docker-compose -f docker-compose.yml --compatibility up -dHow to scan crAPI with Pynt using the crAPI postman collection ?
Get the official crAPI postman collection and environment files:
wget https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/main/postman_collections/crAPI.postman_collection.json
wget https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/main/postman_collections/crAPI.postman_environment.json
wget -O crAPI.postman_environment2.json https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/main/postman_collections/crAPI.postman_environment.jsonThe second environment file will make Pynt run the collection twice, simulating traffic for two users. This enables Pynt to perform Business Logic Attacks.
On Mac and Windows PCs modify the base URLs in the environment files to be localhost and not 127.0.0.1
"values": [{
"key": "url",
"value": "http://localhost:8888",
"enabled": true
},
{
"key": "url_mail",
"value": "http://localhost:8025",
"enabled": true
}
],Install Pynt CLI
python3 -m pip install pyntcli
Run Pynt with crAPI postman collection:
pynt newman --collection crAPI.postman_collection.json --environment crAPI.postman_environment.json crAPI.postman_environment2.jsonHow to scan crAPI with Pynt using Pynt modified postman collection ?
To get some challenges we created two new postman collections:
crAPI-modified.json - A collection that includes APIs that where missing from the original collection.
wget https://raw.githubusercontent.com/pynt-io/pynt/refs/heads/crapi-cloud-files/crapi/crAPI-modified-v2.1.jsoncrAPI-alignment_collection-v2.json - Populates lot more user data into crAPI database, helps with finding some of the challenges
First run the alignment collection against crAPI:
newman run crAPI-alignment_collection-v2.json -e crAPI.postman_environment.jsonNow run the Pynt scan:
pynt newman --collection crAPI-modified.json --environment crAPI.postman_environment.json crAPI.postman_environment2.jsonLast updated