
API hacking lab setup

Follow the commands below to install and configure the API hacking lab. Unless a step says otherwise, the apt, tar and ln commands need root, so run them as root or prefix them with sudo.

1. Install Kali Linux and update all the packages.

apt update -y

apt upgrade -y

or

apt dist-upgrade -y

or

apt full-upgrade -y

If the update fails because of a blocked or flaky network, install Cloudflare WARP on the host machine, then start the package update again in your Kali VM.

2. Install and configure Burp Suite Professional.

Open Burp Suite and go to the Extensions tab, then click BApp Store and search for the Autorize extension. Autorize automates authorization testing: it replays every request that passes through the proxy with a second, lower-privileged session and flags endpoints where the server answers the same way, i.e. where authorization is not enforced. Autorize is written in Python, so Burp needs Jython to load it: click Download Jython on the right side, and on the Jython website download the Jython standalone JAR and save it. Go to Extensions > Extensions settings, and under Core extension settings find Python environment in the right pane and select the Jython JAR you just downloaded. Now go back to the BApp Store and search for Autorize again; this time an Install button is shown when you select it. Install it. All installed extensions are listed under Extensions > Installed.
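To see what Autorize automates, here is an added example (not Autorize's code and not part of the original post) that does the same job by hand against a toy API started on localhost: every request is sent once with the privileged session and once with a second, lower-privileged token, and the two responses are compared. The endpoints, tokens and the deliberately broken /admin/export route are constructed for the demo; the verdict labels mirror the ones the extension prints.

```python
"""Autorize-style authorization check (added example; not Autorize's own code).

A toy API is served in a background thread so the script runs offline. One
route checks the caller's token properly, the other (constructed bug) accepts
any authenticated token. The check replays each request with the
low-privileged session and compares the answers, exactly what Autorize does
for every request that crosses the Burp proxy.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sessions: ADMIN is the session the tester browses with,
# LOWPRIV is the second session Autorize would be configured with.
ADMIN_TOKEN = "tok-admin"
LOWPRIV_TOKEN = "tok-user"


class ToyAPI(BaseHTTPRequestHandler):
    def do_GET(self):
        token = self.headers.get("Authorization", "").removeprefix("Bearer ")
        if self.path == "/admin/users":
            # correct: only the admin token may read the user list
            if token != ADMIN_TOKEN:
                self._send(403, {"error": "forbidden"})
                return
            self._send(200, {"users": ["alice", "bob"]})
        elif self.path == "/admin/export":
            # constructed bug: any valid token is accepted, role is never checked
            if token not in (ADMIN_TOKEN, LOWPRIV_TOKEN):
                self._send(401, {"error": "unauthenticated"})
                return
            self._send(200, {"export": "all-users.csv"})
        else:
            self._send(404, {"error": "not found"})

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Bind to a free port and serve the toy API in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), ToyAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(base, path, token):
    """GET base+path with a bearer token; return (status, body) even on 4xx."""
    req = Request(base + path, headers={"Authorization": f"Bearer {token}"})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except HTTPError as e:
        return e.code, e.read()


def classify(base, path):
    """Replay one request as the low-privileged user and rate it like Autorize:
    'Bypassed!' when the reply matches the privileged one, 'Enforced!' when the
    server rejected it, 'Is enforced???' when it differs in a less obvious way."""
    orig_status, orig_body = fetch(base, path, ADMIN_TOKEN)
    repl_status, repl_body = fetch(base, path, LOWPRIV_TOKEN)
    if repl_status == orig_status and repl_body == orig_body:
        return "Bypassed!"
    if repl_status in (401, 403):
        return "Enforced!"
    return "Is enforced???"


def run_check(paths):
    """Start the toy API, classify every path, and shut the server down."""
    server = start_server()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return {p: classify(base, p) for p in paths}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, verdict in run_check(["/admin/users", "/admin/export"]).items():
        print(f"{verdict:15} GET {path}")
```

The "Is enforced???" bucket is the one to look at by hand: Autorize falls into it when the status or length differs but nothing clearly says "denied", which is where its enforcement-detector filters (a string that only appears in a denial page, for example) are needed.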

3. Install FoxyProxy in Firefox so that browser traffic can be routed to Burp Suite or to Postman. With Burp Suite open, install the FoxyProxy add-on in Firefox.

Open FoxyProxy and click Options, then Add. We will use two proxies. Name the first one Burp Suite (8080), set the proxy IP to 127.0.0.1 and the port to 8080, and save it. Add another one named Postman with proxy IP 127.0.0.1 and port 5555 (the default port of Postman's built-in proxy) and save it. Now browser traffic can be routed to either Burp or Postman as needed.

Now the certificate installation. With Burp running, route the browser traffic to it by clicking FoxyProxy and selecting the Burp Suite (8080) profile you just configured.

Now go to http://burp or http://burpsuite

Download the CA certificate and import it into Firefox's certificate store (Settings > Privacy & Security > Certificates > View Certificates > Authorities > Import). Check both trust checkboxes while importing. Without this, Firefox rejects the certificates Burp generates for HTTPS sites and you only see certificate errors instead of the traffic. Import it only into the browser profile you use for the lab.

4. Now install Postman.

wget https://dl.pstmn.io/download/latest/linux64 -O postman-linux-64.tar.gz

tar -xvzf postman-linux-64.tar.gz -C /opt

ln -s /opt/Postman/Postman /usr/bin/postman

postman (The Postman app opens. Create an account so that you can save your Postman collections.)

After creating the Postman account, go to Workspaces and create a workspace for this course.

5. Now mitmproxy2swagger, which rebuilds an OpenAPI (Swagger) file from captured traffic (use the last option, pipx). On current Kali a system-wide pip3 install is refused with an "externally-managed-environment" error, which is why pipx is the recommended route.

cd /opt

pip3 install mitmproxy2swagger

or

apt install python3-mitmproxy2swagger

or

pipx install mitmproxy2swagger (pipx installs per user, so run this as your normal Kali user and without sudo)

mitmproxy itself is already installed on current Kali.
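What mitmproxy2swagger produces from a capture is an OpenAPI document reconstructed from the requests it saw. The following added example (not the tool's code and not from the original post) does the same conversion for a small constructed HAR: it keeps only requests under an API prefix (the equivalent of the tool's -p option), replaces numeric and UUID path segments with placeholders so that /users/42 and /users/77 become one path, and records query parameters, request bodies and response codes. The host api.example.test and its paths are made up for the demo.

```python
"""HAR -> OpenAPI skeleton (added example; not mitmproxy2swagger's own code).

Reads HAR entries (the format Firefox and Chrome export from their network
tab, and one of the inputs mitmproxy2swagger accepts) and builds an
OpenAPI 3 dictionary from them. Everything in SAMPLE_HAR is constructed.
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed HAR: three calls to a fictional API plus one static asset
# that must not end up in the spec.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://api.example.test/v1/users/42?expand=roles"},
     "response": {"status": 200, "content": {"mimeType": "application/json",
                                             "text": '{"id": 42, "name": "alice"}'}}},
    {"request": {"method": "GET", "url": "https://api.example.test/v1/users/77"},
     "response": {"status": 404, "content": {"mimeType": "application/json",
                                             "text": '{"error": "not found"}'}}},
    {"request": {"method": "POST", "url": "https://api.example.test/v1/users/42/keys",
                 "postData": {"mimeType": "application/json", "text": '{"label": "laptop"}'}},
     "response": {"status": 201, "content": {"mimeType": "application/json",
                                             "text": '{"key_id": "a1b2"}'}}},
    {"request": {"method": "GET", "url": "https://api.example.test/static/app.js"},
     "response": {"status": 200, "content": {"mimeType": "text/javascript", "text": "..."}}},
]}}

# A path segment that is all digits or a UUID is almost certainly an identifier.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)


def templatize(path):
    """Replace identifier-looking segments with {id}, {id2}, ... placeholders."""
    parts, n = [], 0
    for seg in path.strip("/").split("/"):
        if ID_SEGMENT.match(seg):
            n += 1
            parts.append("{id}" if n == 1 else f"{{id{n}}}")
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def infer_schema(value):
    """Minimal JSON -> OpenAPI schema inference from one sample value."""
    if isinstance(value, dict):
        return {"type": "object", "properties": {k: infer_schema(v) for k, v in value.items()}}
    if isinstance(value, list):
        return {"type": "array", "items": infer_schema(value[0]) if value else {}}
    if isinstance(value, bool):  # must come before int: bool is a subclass of int
        return {"type": "boolean"}
    if isinstance(value, int):
        return {"type": "integer"}
    if isinstance(value, float):
        return {"type": "number"}
    return {"type": "string"}


def har_to_openapi(har, api_prefix):
    """Build an OpenAPI 3 dict from the HAR entries that live under api_prefix."""
    prefix = urlsplit(api_prefix)
    paths = {}
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        url = urlsplit(req["url"])
        if url.netloc != prefix.netloc or not url.path.startswith(prefix.path):
            continue  # not part of the API we are mapping
        template = templatize(url.path[len(prefix.path):])
        op = paths.setdefault(template, {}).setdefault(req["method"].lower(), {
            "parameters": [{"name": name, "in": "path", "required": True,
                            "schema": {"type": "string"}}
                           for name in re.findall(r"{(\w+)}", template)],
            "responses": {}})
        for name, _ in parse_qsl(url.query):
            if not any(p["name"] == name for p in op["parameters"]):
                op["parameters"].append({"name": name, "in": "query",
                                         "schema": {"type": "string"}})
        post = req.get("postData", {})
        if post.get("mimeType", "").startswith("application/json"):
            op["requestBody"] = {"content": {"application/json": {
                "schema": infer_schema(json.loads(post["text"]))}}}
        status, body = str(resp["status"]), resp.get("content", {})
        if body.get("mimeType", "").startswith("application/json"):
            op["responses"][status] = {"description": "", "content": {"application/json": {
                "schema": infer_schema(json.loads(body["text"]))}}}
        else:
            op["responses"].setdefault(status, {"description": ""})
    return {"openapi": "3.0.0", "info": {"title": "recovered from traffic", "version": "0.1"},
            "servers": [{"url": api_prefix}], "paths": paths}


if __name__ == "__main__":
    print(json.dumps(har_to_openapi(SAMPLE_HAR, "https://api.example.test/v1"), indent=2))
```

The real tool works in two passes: the first run writes the spec with every discovered path listed under x-path-templates prefixed with "ignore:", you delete that prefix for the paths you want kept, and the second run fills them in. The resulting file can be imported into Postman or ZAP (the OpenAPI Support add-on installed in step 12) to get a full request collection for the target.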

6. Git install.

apt install git -y (already installed on current Kali)

7. Docker.

apt install docker-compose -y 

apt install docker.io -y

8. Go toolchain.

apt install golang-go -y

If a kernel-related popup appears, click OK. For the service restart prompt, accept the default or restart all services, and reboot if asked. Current Kali releases usually do not show these prompts.

9. Create a separate user (optional).

The rest of this guide uses blackfly as the example user name; substitute your own.

useradd -m blackfly

passwd blackfly (Set a password)

usermod -a -G sudo blackfly

Now set the login shell that blackfly will use (useradd -m does not set one).

chsh -s /bin/zsh blackfly

su blackfly (provide the password)

Now logout and log back in as blackfly. 

Now install the rest of the tools. Most of them go under /opt, but jwt_tool, which we will use to attack JSON Web Tokens, is cloned into a folder on your normal user's Desktop, for example jwt, so that the virtual environment created below is owned by your user. Inside that folder clone the repository:

git clone https://github.com/ticarpi/jwt_tool

cd jwt_tool/

python3 -m venv venv

source venv/bin/activate

pip install -r requirements.txt

python3 jwt_tool.py

After a shutdown or reboot, change into the jwt_tool folder on the Desktop again and run source venv/bin/activate before running the tool.

The shortcut below does not work with the setup above: the clone lives on the Desktop rather than in /opt, and a symlinked script is executed by the system python3, which does not see the packages installed into the venv.

sudo chmod +x jwt_tool.py

sudo ln -s /opt/jwt_tool/jwt_tool.py /usr/bin/jwt_tool

jwt_tool (The tool will open)
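As an added illustration of what jwt_tool does with a token (example code, not the tool's own and not from the original post): decode the header and claims without verification, which is what the tool prints first; verify an HS256 signature properly; and show that the alg:none tamper the tool automates is rejected by a verifier that pins the algorithm to the key. The secret and tokens are constructed here, and the library is only the Python standard library.

```python
"""JWT decode, verify and tamper with the stdlib (added example; not jwt_tool).

Three things a JWT tester does by hand before reaching for the tool:
  1. decode header and claims without checking the signature,
  2. verify an HS256 token the right way (algorithm pinned, constant-time MAC
     compare, expiry checked),
  3. build the classic alg:none token and confirm the verifier rejects it.
DEMO_SECRET and every token below are constructed for this example.
"""
import base64
import hashlib
import hmac
import json
import time

DEMO_SECRET = b"lab-secret-do-not-reuse"  # constructed signing key


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Mint a token; compact JSON separators match what most JWT libraries emit."""
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str):
    """What `jwt_tool <token>` shows first: header and claims, signature untouched."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(claims_b64)), sig_b64)


def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Accept only HS256, compare the MAC in constant time, then check exp."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # alg:none and RS/HS key confusion both stop here
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if "exp" in claims and (now if now is not None else time.time()) >= claims["exp"]:
        raise ValueError("expired")
    return claims


def forge_alg_none(token: str, **changes) -> str:
    """The alg:none tamper: keep the claims, edit some, drop the signature."""
    _, claims, _ = decode_unverified(token)
    claims.update(changes)
    return (b64url_encode(b'{"alg":"none","typ":"JWT"}') + "."
            + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + ".")


def demo():
    """Run the good token, an alg:none forgery and a wrong key through the verifier."""
    good = sign_hs256({"alg": "HS256", "typ": "JWT"},
                      {"sub": "user1", "role": "user", "exp": 2_000_000_000}, DEMO_SECRET)
    cases = {"good": (good, DEMO_SECRET),
             "alg_none": (forge_alg_none(good, role="admin"), DEMO_SECRET),
             "wrong_key": (good, b"guess")}
    results = {}
    for name, (token, key) in cases.items():
        try:
            results[name] = "accepted as " + verify_hs256(token, key, now=1_700_000_000)["role"]
        except ValueError as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10} {outcome}")
```

When a target's verifier is written differently, for example taking the algorithm from the header, the forged alg:none token in the demo is exactly what jwt_tool sends in its tamper mode, and an "accepted as admin" answer from such a target is the finding.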

------------------------------------------------------------------

Now let's install the remaining Python dependencies:

python3 -m pip install termcolor cprint pycryptodomex requests (On current Kali, 2025.4 as updated on 08-02-2026, these are already installed except cprint; check with pip show <package name>. A system-wide pip install is refused on current Kali, which is why cprint is installed into a venv below.)

Let's install cprint.

From your normal user's Desktop, create a folder, for example apipentest.

mkdir apipentest

cd apipentest

python3 -m venv venv

source venv/bin/activate

pip install cprint

pip show cprint (to verify)


10. Install Kiterunner, an API route brute-forcer (do this as the blackfly user).

cd /opt

sudo git clone https://github.com/assetnote/kiterunner.git

cd kiterunner/

sudo make build

cd dist/ (the kr binary is built here, at /opt/kiterunner/dist/kr)

sudo ln -s /opt/kiterunner/dist/kr /usr/bin/kr

kr (run this to confirm the tool starts)

Now download the Kiterunner-specific wordlists, which are linked from the repository README.

Repo link: https://github.com/assetnote/kiterunner

Now go to /usr/share/wordlists and create a folder there named kiterunner (this needs sudo). Inside that folder, run the commands below:

wget https://wordlists-cdn.assetnote.io/data/kiterunner/routes-large.kite.tar.gz

and

wget https://wordlists-cdn.assetnote.io/data/kiterunner/routes-small.kite.tar.gz

Now untar them:

tar -xvzf routes-large.kite.tar.gz

tar -xvzf routes-small.kite.tar.gz

This gives you the routes-large.kite and routes-small.kite files. A scan against the local lab then looks like this (swap in the small list for a quicker run):

sudo kr scan 127.0.0.1 -w /usr/share/wordlists/kiterunner/routes-large.kite


11. Install Arjun, a hidden-parameter discovery tool (as the other user).

cd /opt

sudo git clone https://github.com/s0md3v/Arjun.git

cd Arjun/

python3 setup.py install (some errors may be printed, that is fine)

or 

pipx install arjun

or

sudo apt install arjun

12. Install OWASP ZAP.

apt install zaproxy -y

Open ZAP and close the dialog box. On the Manage Add-ons page (it appears automatically), find and tick OpenAPI Support and click Update Selected at the bottom. Then tick both checkboxes and click Yes. In the latest download it is already up to date.

https://university.apisec.ai/products/api-penetration-testing/categories/2150251486/posts/2157710611

Next we will set up the vulnerable API labs.

Do the following from your normal user account.

crAPI

https://github.com/OWASP/crAPI

mkdir ~/Lab 

cd Lab

mkdir crapi

cd crapi/

curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml (no sudo needed; it only downloads a file, and running it with sudo leaves the file owned by root)

docker-compose pull

docker-compose -f docker-compose.yml --compatibility up -d (run the docker-compose commands with sudo unless your user is in the docker group)

After running this final command it can take several minutes before all of the entries read "done".

If you have issues installing it locally, you can try the development version described at https://github.com/OWASP/crAPI or target the instance hosted by APIsec.

Once the installation is finished, check that crAPI is running by browsing to http://127.0.0.1:8888 (crAPI landing page) or http://127.0.0.1:8025 (the MailHog server, where crAPI's outgoing emails such as registration and password-reset messages land). When you are done using or testing crAPI, stop it with docker-compose using the following command:

sudo docker-compose stop

If you need to start it then:

sudo docker-compose start (From the inside of crapi directory)

sudo docker ps -a (This will let you see what are you running)

vAPI

https://github.com/roottusk/vapi 

cd ~/Lab

sudo git clone https://github.com/roottusk/vapi.git

cd vapi/

sudo docker-compose up -d

Once vAPI is running you can navigate to http://127.0.0.1:8000, http://127.0.0.1:8000/vapi and http://127.0.0.1:8001 to get to the vAPI home page. 

sudo docker ps -a (This will let you see what are you running)

One important thing to note is that vAPI comes with a prebuilt Postman collection and environment. You can find them in the vapi/postman folder of the cloned repository.

You can import them into Postman to be ready for testing. Open Postman, select the Import button (top right), select the two vAPI JSON documents, confirm the import and click Import.

One more thing to note about vAPI is that the Resources folder in the cloned repository contains secrets that are necessary to complete certain attacks.


There are many labs that are available to test out the tools and techniques that you learn in this course. Check out some of these other vulnerable labs:

Portswigger

Web Security Academy

TryHackMe

Bookstore (free)

IDOR (paid)

GraphQL (paid)


HackTheBox (Retired Machines)

Craft

Postman

JSON

Node

Help

Github (Vulnerable Apps)

C{api}tal

Pixi

REST API Goat

DVWS-node

Websheep

You will get the most out of this course by getting your hands on the keyboard and hacking APIs. After you've learned a new tool or technique, I highly recommend applying your skills to these other labs.




Avi
