
API hacking lab setup

Follow these commands to install and configure the API hacking lab:

1. Install Kali Linux and update all packages.

apt update

apt upgrade -y

or

apt full-upgrade -y (the current name for apt dist-upgrade -y; unlike plain upgrade it will also remove packages when needed to resolve dependencies)

If the update fails because the Kali mirrors are unreachable, install Cloudflare WARP on the host machine and then retry the update inside the Kali VM.

2. Install and configure Burp Suite Professional.

Open Burp Suite and go to the Extender tab (called Extensions in newer Burp releases). Click BApp Store and search for Autorize; it automates authorization testing by replaying every proxied request with a second, lower-privileged user's session and comparing the responses. Autorize is a Python extension, so Burp needs Jython first: click Download Jython, and on the Jython website download the Jython standalone JAR. Go to Extender > Options (Extensions > Extensions settings in newer releases) and under Python environment select the JAR you just downloaded. Return to the BApp Store and search for Autorize again; this time an Install button appears. Install it. All installed extensions are listed under Extender > Extensions.

3. Install FoxyProxy to route Firefox's traffic to Burp Suite or Postman. With Burp Suite open, install the FoxyProxy add-on in Firefox.

Open FoxyProxy and click Options, then Add. We will use two proxies. Name the first Burp Suite (8080), set the proxy IP to 127.0.0.1 and the port to 8080, and save. Add another named Postman, with proxy IP 127.0.0.1 and port 5555, and save. Now we can route the browser's traffic to either Burp or Postman as needed. Port 5555 is the default for Postman's built-in capture proxy, which has to be started from Postman (Capture requests) before Firefox can use it.

Now the certificate. With Burp running, send Firefox's traffic to Burp by clicking FoxyProxy and selecting the Burp Suite (8080) profile you just configured.

Then browse to http://burp (or http://burpsuite).

Click CA Certificate to download Burp's CA certificate and import it into Firefox's certificate store (Settings > Privacy & Security > Certificates > View Certificates > Authorities > Import). Tick both trust checkboxes in the import dialog. Without this, Firefox rejects the certificates Burp generates for HTTPS sites and you will only be able to intercept plain HTTP.

4. Now install postman. 

wget https://dl.pstmn.io/download/latest/linux64 -O postman-linux-64.tar.gz

tar -xvzf postman-linux-64.tar.gz -C /opt

ln -s /opt/Postman/Postman /usr/bin/postman

postman (the Postman app opens; create an account so you can save your collections)

After creating the account, go to Workspaces and create a workspace for this course.

5. Install mitmproxy2swagger, which turns traffic captured with mitmproxy (or a HAR export from Burp or Firefox) into an OpenAPI (Swagger) specification, so you can reverse-engineer an API's surface from observed requests.

pip3 install mitmproxy2swagger

or

apt install python3-mitmproxy2swagger

or

pipx install mitmproxy2swagger

On current Kali, pip3 refuses to install into the system Python (externally-managed-environment), so prefer the apt or pipx option. Typical use: capture the target's traffic with mitmweb, save the flows, then run mitmproxy2swagger -i <flows file> -o spec.yml -p <API base URL>. Review spec.yml (paths the tool is unsure about are listed with an ignore: prefix), remove the prefix from the ones you want kept, and run the command again with the same -o file.
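What mitmproxy2swagger automates is worth seeing once in plain code. The following is an added example, not the tool's own source: it takes a constructed list of captured requests (the hostnames and paths are made up for the example), drops everything outside the API prefix (the tool's -p argument), collapses concrete IDs and UUIDs into path parameters so /users/42 and /users/7 become a single /users/{id} operation, and emits an OpenAPI 3 document. The real tool also infers request and response schemas from bodies; that part is omitted here.

```python
"""Reconstruct an OpenAPI 3 skeleton from captured API traffic.

Added example illustrating the idea behind mitmproxy2swagger; it is not that
project's code. The sample capture below is constructed for the example.
"""
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed capture: (method, url, response status). Hostnames and paths are
# made up for this example; they are not crAPI or vAPI endpoints.
CAPTURED = [
    ("GET",  "http://lab.local/api/v1/users/42", 200),
    ("GET",  "http://lab.local/api/v1/users/7", 200),
    ("PUT",  "http://lab.local/api/v1/users/7", 403),
    ("POST", "http://lab.local/api/v1/users", 201),
    ("GET",  "http://lab.local/api/v1/orders/3f2b8f9e-5a0c-4d7e-9b1a-2c3d4e5f6a7b", 200),
    ("GET",  "http://lab.local/static/app.js", 200),   # outside the API prefix: ignored
]

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def templatize(path: str) -> str:
    """Collapse concrete IDs into path parameters so /users/42 and /users/7
    become one operation, /users/{id}. A second parameter of the same kind in
    one path gets a numeric suffix ({id2}) so parameter names stay unique."""
    parts, seen = [], {}
    for seg in path.strip("/").split("/"):
        kind = "id" if seg.isdigit() else ("uuid" if UUID_RE.match(seg) else None)
        if kind is None:
            parts.append(seg)
            continue
        seen[kind] = seen.get(kind, 0) + 1
        parts.append("{%s}" % (kind if seen[kind] == 1 else f"{kind}{seen[kind]}"))
    return "/" + "/".join(parts)


def build_spec(flows, api_prefix: str) -> dict:
    """Group flows under templated paths relative to api_prefix; flows outside
    the prefix are dropped, which is what the tool's ignore list is for."""
    prefix = api_prefix.rstrip("/")
    base_path = urlsplit(prefix).path
    paths = defaultdict(dict)
    for method, url, status in flows:
        # exact prefix match on a path boundary, so /api/v1 does not swallow /api/v10
        if not (url == prefix or url.startswith(prefix + "/")):
            continue
        rel = urlsplit(url).path[len(base_path):] or "/"   # query string is dropped
        tpl = templatize(rel)
        op = paths[tpl].setdefault(method.lower(), {"responses": {}})
        op["responses"].setdefault(str(status), {"description": ""})
        names = re.findall(r"\{(\w+)\}", tpl)
        if names:
            op["parameters"] = [{"name": n, "in": "path", "required": True,
                                 "schema": {"type": "string"}} for n in names]
    return {
        "openapi": "3.0.0",
        "info": {"title": "Reconstructed API", "version": "0.1"},
        "servers": [{"url": prefix}],
        "paths": dict(paths),
    }


if __name__ == "__main__":
    # JSON is a valid OpenAPI serialization and imports into Postman and ZAP as-is.
    print(json.dumps(build_spec(CAPTURED, "http://lab.local/api/v1"), indent=2))
```

The 403 recorded for PUT /users/{id} is the kind of detail you want preserved in the spec: it marks an operation the captured user was not allowed to call, which is exactly where Autorize or a second account should be pointed next.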

6. Git install.

apt install git -y

7. Docker.

apt install docker-compose -y 

apt install docker.io -y

8. Go tool.

apt install golang-go -y

If a popup about a new kernel appears, click OK. When asked which services to restart, accept the default selection or restart all of them. Reboot if the system asks for it.

9. Create a non-root user (optional)

Working as root all day is a bad habit, so create a new user.

useradd -m blackfly

passwd blackfly (set a password)

usermod -a -G sudo blackfly

Now set the login shell that blackfly will use (zsh is Kali's default).

chsh -s /bin/zsh blackfly

su blackfly (provide the password)

Now log out and log back in as blackfly.

cd to /opt and install the rest of the tools there. /opt is owned by root, so as blackfly either prefix the commands that write there (git clone, tar, and the ln -s into /usr/bin) with sudo, or take ownership of each tool's directory afterwards with sudo chown -R blackfly /opt/<tool>.

Install jwt_tool to attack JSON Web Tokens.

git clone https://github.com/ticarpi/jwt_tool

cd jwt_tool/

python3 -m pip install termcolor cprint pycryptodomex requests (on recent Kali these are usually already installed; check with pip show <package name>. If pip refuses with an externally-managed-environment error, install them with apt or in a venv instead.)

chmod +x jwt_tool.py

ln -s /opt/jwt_tool/jwt_tool.py /usr/bin/jwt_tool (needs root)

jwt_tool (prints the tool's usage, which confirms the install worked)

10. Install kiterunner. (Stay in the blackfly session.)

cd /opt

git clone https://github.com/assetnote/kiterunner.git

cd kiterunner/

make build (needs the Go toolchain from step 8)

cd dist/ (make build writes the binary to /opt/kiterunner/dist/kr)

ln -s /opt/kiterunner/dist/kr /usr/bin/kr

kr downloads its API wordlists on first use; kr wordlist list shows which ones are available.

11. Install Arjun (HTTP parameter discovery).

cd /opt

git clone https://github.com/s0md3v/Arjun.git

cd Arjun/

python3 setup.py install (the legacy way; current setuptools deprecates it)

or, preferably,

pipx install arjun

12. Install OWASP ZAP.

apt install zaproxy -y

Open ZAP and close the startup dialog. Under Manage Add-ons, find and tick OpenAPI Support and click Update Selected; on a current install it is already up to date. This add-on is what lets ZAP import the OpenAPI definitions produced by mitmproxy2swagger or shipped with the labs.

https://university.apisec.ai/products/api-penetration-testing/categories/2150251486/posts/2157710611

Next we will setup vulnerable api lab. 

crAPI

https://github.com/OWASP/crAPI

mkdir ~/lab 

cd ~/lab

curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml (no sudo needed; it only writes a file into ~/lab, and running it with sudo leaves the file owned by root)

docker-compose pull

docker-compose -f docker-compose.yml --compatibility up -d

Docker commands need root or membership in the docker group. As blackfly either prefix them with sudo or run sudo usermod -aG docker blackfly once and log in again; keep in mind that docker group membership is equivalent to root on the host.

After running the final command it can take several minutes before all of the entries read "done".

If you have problems installing it locally, try the development setup described at https://github.com/OWASP/crAPI, or target the instance hosted by APIsec.

Once the containers are up, check that crAPI is running by browsing to http://127.0.0.1:8888 (crAPI landing page) or http://127.0.0.1:8025 (MailHog, which receives the registration and password-reset mails crAPI sends). When you are done with crAPI, stop it with docker-compose:

sudo docker-compose stop

vAPI

https://github.com/roottusk/vapi 

cd ~/lab

git clone https://github.com/roottusk/vapi.git

cd vapi

docker-compose up -d

Once vAPI is running, browse to http://127.0.0.1/vapi for the vAPI home page. Note that vAPI ships with a prebuilt Postman collection and environment in the postman folder of the cloned repository.

Import these into Postman so you are ready to test: open Postman, click Import (top right), select the two vAPI JSON files, confirm, and click Import.

Also note that the Resources folder of the repository contains secrets that are necessary to complete certain attacks.
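Rather than reloading browser tabs while the containers come up, it helps to have a readiness check for the whole lab. The script below is an added example, not part of this post or of the crAPI/vAPI projects. It assumes the ports given above (crAPI on 8888, MailHog on 8025, vAPI on port 80 under /vapi) and the tool names this post installs; change LAB_ENDPOINTS and LAB_TOOLS if your setup differs. An HTTP 4xx or 5xx still counts as "up", because the question is whether the container is serving, not whether the front page is happy.

```python
"""Readiness check for the API hacking lab (crAPI, vAPI) and the tools on PATH.

Added example for this setup guide; not part of crAPI, vAPI or any tool here.
"""
import shutil
import socket
import time
import urllib.error
import urllib.request

# Assumed lab endpoints: the ports this guide uses for crAPI and vAPI.
LAB_ENDPOINTS = {
    "crAPI web": "http://127.0.0.1:8888/",
    "crAPI MailHog": "http://127.0.0.1:8025/",
    "vAPI": "http://127.0.0.1/vapi",
}

# Assumed command names for the tools this guide installs.
LAB_TOOLS = ["burpsuite", "postman", "mitmproxy2swagger", "git", "docker",
             "docker-compose", "go", "jwt_tool", "kr", "arjun", "zaproxy"]


def is_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out
        return False


def http_status(url: str, timeout: float = 3.0):
    """HTTP status of a GET to url, or None if nothing answered.
    4xx/5xx are returned as numbers: the service is up even if it is unhappy."""
    req = urllib.request.Request(url, headers={"User-Agent": "lab-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def wait_for(url: str, max_wait: float = 300.0, interval: float = 5.0) -> bool:
    """Poll url until it answers or max_wait seconds have elapsed."""
    deadline = time.monotonic() + max_wait
    while True:
        if http_status(url) is not None:
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


def missing_tools(tools) -> list:
    """Names from tools that cannot be found on PATH."""
    return [t for t in tools if shutil.which(t) is None]


def main() -> None:
    for tool in missing_tools(LAB_TOOLS):
        print(f"[!] not on PATH: {tool}")
    for name, url in LAB_ENDPOINTS.items():
        # crAPI takes minutes to settle after 'up -d'; give each endpoint time.
        up = wait_for(url, max_wait=120.0, interval=5.0)
        status = http_status(url) if up else "down"
        print(f"[{'+' if up else '-'}] {name:14} {url} -> {status}")


if __name__ == "__main__":
    main()
```

Run it after docker-compose up -d; a "-" line for crAPI web after the two-minute wait usually means a container is still restarting, which docker-compose ps will show.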


There are many labs that are available to test out the tools and techniques that you learn in this course. Check out some of these other vulnerable labs:

Portswigger

Web Security Academy

TryHackMe

Bookstore (free)

IDOR (paid)

GraphQL (paid)

 

HackTheBox (Retired Machines)

Craft

Postman

JSON

Node

Help

Github (Vulnerable Apps)

C{api}tal

Pixi

REST API Goat

DVWS-node

Websheep

You will get the most out of this course by getting your hands on the keyboard and hacking APIs. After you've learned a new tool or technique, I highly recommend applying your skills to these other labs.




Avi

