
API hacking lab setup

Follow these commands to install and configure the API hacking lab:

1. Install Kali Linux and update all the packages.

apt update -y

apt upgrade -y

or

apt dist-upgrade -y

or

apt full-upgrade -y

If you face any problem with the update, install Cloudflare WARP on the host machine, then start updating the packages in your Kali VM again.

2. Install and configure Burp Suite Professional.

After that, open Burp Suite and go to the Extensions tab. Click on BApp Store. Search for the Autorize extension; it will help us automate authorization testing. Click on Download Jython on the right side. From the Jython website, click on Jython Standalone JAR and save it. Go to Extensions > Extensions settings > under Core extension settings, find Python environment in the right pane. Select the Jython JAR file that you just downloaded. Now go to the BApp Store again and search for the Autorize extension. This time you will see an Install option after selecting the Autorize extension. Install it. You will see all the installed extensions under the Extensions > Installed tab.

3. Install FoxyProxy to proxy traffic to Burp Suite and Postman. Open the Burp Suite app and install the FoxyProxy add-on in Firefox.

Open FoxyProxy and click on Options. Click on Add. We will be using two proxies. Name the first one Burp suite (8080). Set the proxy IP to 127.0.0.1 and the port to 8080. Click on Save and add another. Name the second one Postman, set the proxy IP to 127.0.0.1 and the port to 5555. Click on Save. Now we can route the traffic to either Burp or Postman when needed.

Now the certificate installation part. Open the Burp application (you already have it) and proxy the traffic to Burp by clicking FoxyProxy and then choosing the Burp suite (8080) profile that you just configured.

Now go to http://burp or http://burpsuite.

Download the certificate and import it into Firefox's certificate store. While importing it into Firefox, check both checkboxes.
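Firefox is not the only client that needs to trust Burp's CA: curl, kr, Arjun and other command-line tools also route through the listener configured above. The script below is an added example, not part of the original post, that fetches the same CA certificate from http://burp/cert, converts it to PEM, and sends a request through the proxy with it. It assumes Burp listens on 127.0.0.1:8080 as in the FoxyProxy profile above, that curl and openssl are installed, and the certificate directory name is our own choice.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: make command-line tools trust
# Burp's CA and send a request through the Burp listener configured above.
# Assumptions: Burp listens on 127.0.0.1:8080 (the FoxyProxy profile above),
# curl and openssl are installed, and CERT_DIR is our own choice.
set -eu

BURP_HOST="${BURP_HOST:-127.0.0.1}"
BURP_PORT="${BURP_PORT:-8080}"
CERT_DIR="${CERT_DIR:-${HOME:-/tmp}/.burp-ca}"

# Build the proxy URL that curl (and HTTP_PROXY/HTTPS_PROXY-aware tools)
# expect from the host/port pair FoxyProxy uses.
proxy_url() {
    printf 'http://%s:%s\n' "$1" "$2"
}

# True when a proxy answers on host/port: asks it for the same http://burp/
# page used above, so a dead listener fails fast instead of hanging later.
proxy_reachable() {
    curl -s -o /dev/null --max-time 3 -x "$(proxy_url "$1" "$2")" http://burp/
}

# Burp serves its CA certificate in DER form at http://burp/cert (the same
# certificate the Firefox import above downloads); convert it to PEM for curl.
fetch_burp_ca() {
    mkdir -p "$CERT_DIR"
    curl -s -x "$(proxy_url "$BURP_HOST" "$BURP_PORT")" http://burp/cert \
        -o "$CERT_DIR/burp-ca.der"
    openssl x509 -inform der -in "$CERT_DIR/burp-ca.der" -out "$CERT_DIR/burp-ca.pem"
    # Print the subject so you can confirm it is the PortSwigger CA you expect.
    openssl x509 -noout -subject -in "$CERT_DIR/burp-ca.pem"
}

# Send one request through Burp, trusting only the Burp CA for this call
# (no system-wide trust change). Usage: via_burp https://host/path [curl opts]
via_burp() {
    curl -s -x "$(proxy_url "$BURP_HOST" "$BURP_PORT")" \
        --cacert "$CERT_DIR/burp-ca.pem" "$@"
}

# Dispatcher: `./burp-ca.sh fetch` once, then `./burp-ca.sh get URL ...`.
# Running with no argument only defines the functions.
case "${1:-}" in
    fetch)
        proxy_reachable "$BURP_HOST" "$BURP_PORT" \
            || { echo "Burp is not listening on $BURP_HOST:$BURP_PORT" >&2; exit 1; }
        fetch_burp_ca ;;
    get) shift; via_burp "$@" ;;
    "") ;;
    *) echo "usage: $0 {fetch|get URL [curl options]}" >&2; exit 2 ;;
esac
```

Using --cacert per call keeps the Burp CA out of the system trust store, so only the traffic you deliberately route through the proxy is affected; tools that read HTTP_PROXY and HTTPS_PROXY can be pointed at the same proxy_url value.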

Intercept Docker traffic:

In order to intercept Docker localhost traffic via Burp, you need to do the following.

Open Firefox > type this in the URL bar --> about:config

Look for --> network.proxy.allow_hijacking_localhost and change the value from false to true


Once Burp is installed, change the Kali system time. You need to do it from two places.

In Kali, click on the time settings in the upper right and adjust the time. Once that is done, you need to do one more thing from the CLI.

Commands:

timedatectl set-timezone Asia/Dhaka

timedatectl status

4. Now install Postman.

wget https://dl.pstmn.io/download/latest/linux64 -O postman-linux-64.tar.gz

tar -xvzf postman-linux-64.tar.gz -C /opt

ln -s /opt/Postman/Postman /usr/bin/postman

postman (Now the Postman app will open. Create an account so that you can save all your Postman collections)

After creating the Postman account, go to Workspaces and create a workspace for this course.

5. Now mitmproxy2swagger (use the last option, pipx).

cd /opt

pip3 install mitmproxy2swagger

or

apt install python3-mitmproxy2swagger

or

pipx install mitmproxy2swagger (pipx is a per-user tool, so install it as the kali user and without sudo)

Also, mitmproxy is already installed in the latest Kali.
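Installing mitmproxy2swagger is only half of the story; the tool needs a recorded traffic file to work on. The script below is an added example, not part of the original post, showing the record/convert workflow end to end: mitmdump saves the flows, the first mitmproxy2swagger pass lists every path under the API prefix as an "ignore:" entry in the YAML, and a second pass after un-ignoring them fills in the endpoint definitions. It assumes the target is crAPI on http://127.0.0.1:8888 (set up later on this page), that mitmdump listens on port 8082 so it does not clash with Burp on 8080, and the file names are our own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: record lab traffic with
# mitmdump and convert it to an OpenAPI spec with mitmproxy2swagger.
# Assumptions: crAPI answers on http://127.0.0.1:8888, mitmdump listens on
# 8082 so it does not clash with Burp on 8080, and the file names are ours.
set -eu

TARGET="${TARGET:-http://127.0.0.1:8888}"
LISTEN_PORT="${LISTEN_PORT:-8082}"
FLOWS="${FLOWS:-crapi.flows}"
SPEC="${SPEC:-crapi-openapi.yml}"

# Step 1: record. Point FoxyProxy (or Postman) at 127.0.0.1:$LISTEN_PORT and
# click through the application; Ctrl-C stops mitmdump and keeps the file.
record() {
    mitmdump -p "$LISTEN_PORT" -w "$FLOWS"
}

# Step 2: convert. Only requests whose URL starts with TARGET are considered.
# On the first pass, paths not yet in the spec are written under
# x-path-templates as "- ignore:/path" so you can decide which are API routes.
convert() {
    mitmproxy2swagger -i "$FLOWS" -o "$SPEC" -p "$TARGET"
}

# Strip the "ignore:" marker from every path template in the given spec file
# so the next convert() pass generates full endpoint definitions for them.
# Review the list first and delete templates that are static assets.
uncomment_ignored() {
    sed -i 's/^\([[:space:]]*-[[:space:]]*\)ignore:/\1/' "$1"
}

# Step 3: promote the reviewed paths and run the conversion again.
finalize() {
    uncomment_ignored "$SPEC"
    convert
    echo "OpenAPI spec written to $SPEC (import it into Postman or ZAP)"
}

# Dispatcher: `./mitm2swagger.sh record`, then `convert`, then `finalize`.
# Running with no argument only defines the functions.
case "${1:-}" in
    record)   record ;;
    convert)  convert ;;
    finalize) finalize ;;
    "") ;;
    *) echo "usage: $0 {record|convert|finalize}" >&2; exit 2 ;;
esac
```

The two-pass design is deliberate: the first pass shows you what the proxy saw, and only the templates you leave un-ignored become endpoints, so image and script requests do not pollute the spec.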

6. Install Git.

apt install git -y (already installed in the latest Kali)

7. Docker.

apt install docker-compose -y 

apt install docker.io -y

8. Go toolchain.

apt install golang-go -y

On the kernel-related popup message, click OK. For the service restart part, you can choose the default or restart all the services. Restart your system if it asks. Note that the latest Kali does not need this step.

9. Change the Kali password (optional)

Create a new user.

useradd -m blackfly

passwd blackfly (Set a password)

usermod -a -G sudo blackfly

Now we need to set the login shell that blackfly will use.

chsh -s /bin/zsh blackfly

su blackfly (provide the password)

Now logout and log back in as blackfly. 

Now go to the /opt directory (cd /opt) and install the rest of the tools.

Install jwt_tool to attack JSON Web Tokens. From your normal user's Desktop, create a folder, e.g. jwt. Inside that folder, clone the git repo.

git clone https://github.com/ticarpi/jwt_tool

cd jwt_tool/

python3 -m venv venv

source venv/bin/activate

pip install -r requirements.txt

python3 jwt_tool.py

After a shutdown/reboot, you need to browse to the jwt_tool folder from the Desktop again and run source venv/bin/activate before running the tool.

The portion below does not work (the symlink points at /opt/jwt_tool, while the repo above was cloned under Desktop/jwt, and the script's dependencies live in the venv).

sudo chmod +x jwt_tool.py

sudo ln -s /opt/jwt_tool/jwt_tool.py /usr/bin/jwt_tool

jwt_tool (The tool will open)

------------------------------------------------------------------

Now let's install the other tools:

python3 -m pip install termcolor cprint pycryptodomex requests (In the latest Kali, these packages are already installed except cprint, as of the 2025.4 Kali update checked on 08-02-2026. To check, type: pip show <package name>)

Let's install cprint.

From your normal user's Desktop, create a folder called, for example, apipentest.

mkdir apipentest

cd apipentest

python3 -m venv venv

source venv/bin/activate

pip install cprint

pip show cprint (to verify)


10. Install Kiterunner (be in the blackfly user session).

cd /opt

sudo git clone https://github.com/assetnote/kiterunner.git

cd kiterunner/

sudo make build

cd dist/ (the kr tool is built here, i.e. /opt/kiterunner/dist/kr)

sudo ln -s /opt/kiterunner/dist/kr /usr/bin/kr

kr (run this command to open the tool)

Now, from this link, we need to download the Kiterunner-specific wordlists.

Repo link: https://github.com/assetnote/kiterunner

Now go to /usr/share/wordlists (cd /usr/share/wordlists) and create a folder there named kiterunner. Inside that folder, run the commands below:

wget https://wordlists-cdn.assetnote.io/data/kiterunner/routes-large.kite.tar.gz

and

wget https://wordlists-cdn.assetnote.io/data/kiterunner/routes-small.kite.tar.gz

Now we need to untar these.

tar -xvzf routes-large.kite.tar.gz

tar -xvzf routes-small.kite.tar.gz

Now you will get the routes-large.kite and routes-small.kite files.

sudo kr scan 127.0.0.1 -w /usr/share/wordlists/kiterunner/routes-large.kite


11. Install Arjun (from the other user).

cd /opt

sudo git clone https://github.com/s0md3v/Arjun.git

cd Arjun/

python3 setup.py install (some errors will appear, but that's OK)

or 

pipx install arjun

or

sudo apt install arjun

12. Install OWASP ZAP.

apt install zaproxy -y

Open ZAP and close the dialog box. On the Manage Add-ons page (this page appears automatically), find and check OpenAPI Support and click on Update Selected at the bottom. Then check both checkboxes and click Yes. In the latest download, it is already updated.

https://university.apisec.ai/products/api-penetration-testing/categories/2150251486/posts/2157710611
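With twelve install steps spread over two user accounts, a venv and /opt, it is easy to end up with a tool that is not on the PATH or a wordlist that was never extracted. The script below is an added example, not part of the original post, that checks every command, Python package and wordlist the steps above leave behind and lists what is missing. The command names are the ones used on this page (burpsuite and zaproxy are the Kali package commands; kr, arjun and postman are the symlinks and installs made above); run it from the blackfly session with the apipentest venv active, since cprint was installed there.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: verify the lab toolchain
# installed in steps 1-12 and report anything missing.
set -eu

# Commands the steps above leave behind (names as used on this page).
LAB_CMDS="burpsuite postman mitmproxy mitmproxy2swagger git docker docker-compose go kr arjun zaproxy timedatectl"
# Python packages installed with pip above, by import name
# (pycryptodomex is imported as Cryptodome; cprint lives in the apipentest venv).
LAB_PYMODS="termcolor cprint Cryptodome requests"
# Kiterunner wordlists extracted into /usr/share/wordlists/kiterunner above.
LAB_FILES="/usr/share/wordlists/kiterunner/routes-large.kite /usr/share/wordlists/kiterunner/routes-small.kite"

have_cmd()   { command -v "$1" >/dev/null 2>&1; }
have_pymod() { python3 -c "import $1" >/dev/null 2>&1; }
have_file()  { [ -r "$1" ]; }

# missing CHECK ITEM...: print each ITEM for which CHECK fails, one per line.
# Returns 0 when everything is present, 1 when at least one item is missing.
missing() {
    check=$1; shift
    rc=0
    for item in "$@"; do
        if ! "$check" "$item"; then
            echo "$item"
            rc=1
        fi
    done
    return $rc
}

# Print one section per check; "|| true" keeps set -e from aborting the report.
report() {
    echo "== missing commands ==";        missing have_cmd   $LAB_CMDS   || true
    echo "== missing Python modules =="; missing have_pymod $LAB_PYMODS || true
    echo "== missing wordlists ==";       missing have_file  $LAB_FILES  || true
}

# Usage: ./lab-check.sh check   (no argument only defines the functions)
case "${1:-}" in
    check) report ;;
    "") ;;
    *) echo "usage: $0 check" >&2; exit 2 ;;
esac
```

A tool that is present for root but missing for blackfly (or the reverse) shows up here as well, which is the usual cause of "command not found" after switching users in step 9.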

Next we will set up the vulnerable API lab using Docker on Linux.

Proceed from your normal user account.

crAPI

https://github.com/OWASP/crAPI

mkdir ~/Lab 

cd Lab

mkdir crapi

cd crapi/

sudo curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml

sudo docker-compose pull (You can also use the newer docker compose pull command. Either works)

sudo docker-compose -f docker-compose.yml --compatibility up -d

or 

docker-compose up -d

After running this final command, it can take several minutes before all of the entries read "done".

Latest docker-compose.yml link (the author showed the link above while demoing):

https://raw.githubusercontent.com/OWASP/crAPI/refs/heads/develop/deploy/docker/docker-compose.yml

If you are having issues installing this locally, you can try the development version described at https://github.com/OWASP/crAPI, or target the one hosted by APIsec --> http://crapi.apisec.ai.

Once the installation is finished, you can check that crAPI is running by navigating a web browser to http://127.0.0.1:8888 (crAPI landing page) or http://127.0.0.1:8025 (crAPI Mailhog server). When you are done using/testing crAPI, you can stop it with docker-compose using the following command:

sudo docker-compose stop

If you need to start it again later, you just need to use the start command. Remember that the up command creates the containers, while start means the containers are already created but in a stopped state; you just need to start them:

sudo docker-compose start (from inside the crapi directory)

sudo docker ps -a (this shows what you are running)

If you would like to completely remove the crAPI Docker instance, follow these commands. Sometimes crAPI ships a newer version: say v3 is current and you previously installed a v2 instance. If you do not remove the previous one, the new one will not install, because, for example, the v2 mailhog container is still there and v3 also brings a mailhog container, so a conflict arises. You have to remove the previous one to accommodate the new one.

Removal commands, including volumes:

sudo docker-compose -f docker-compose.yml down -v (from inside the crapi directory, because this docker-compose.yml file belongs to crAPI v2)

or

docker-compose down -v

sudo docker system prune -a (cleans up unused Docker data; optional but recommended)

rm docker-compose.yml

sudo docker ps -a

sudo docker volume ls
sudo docker volume rm <volume_name>

sudo docker network ls (you don't need to delete these unless you find one related to the removed instance; the rest are Docker's defaults, which you don't need to delete)
sudo docker network rm <network_name>

Log troubleshooting command:

docker-compose logs -f
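The up/stop/start/down -v distinction above trips people up, and "several minutes before all of the entries read done" is hard to judge by eye. The script below is an added example, not part of the original post or the crAPI project, that wraps the lifecycle commands from this section and polls the landing page until it answers. It assumes it is run from the directory holding docker-compose.yml, that the landing page is http://127.0.0.1:8888 as stated above, and that the user may run docker (prefix with sudo otherwise).

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: wrapper for the crAPI compose
# lifecycle described above (pull/up, stop, start, down -v, logs) that also
# waits until the landing page answers. Assumptions: run from the directory
# holding docker-compose.yml; landing page is http://127.0.0.1:8888.
set -eu

LANDING="${LANDING:-http://127.0.0.1:8888}"
COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"

# Use the compose plugin (`docker compose`) when present, otherwise the
# standalone docker-compose binary; the text above notes either form works.
compose() {
    if docker compose version >/dev/null 2>&1; then
        docker compose -f "$COMPOSE_FILE" "$@"
    else
        docker-compose -f "$COMPOSE_FILE" "$@"
    fi
}

# wait_for_http URL [TIMEOUT]: poll until URL returns an HTTP success status
# or TIMEOUT seconds (default 300) pass. Returns 1 on timeout.
wait_for_http() {
    url=$1; timeout=${2:-300}
    deadline=$(( $(date +%s) + timeout ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if curl -fs -o /dev/null --max-time 3 "$url"; then
            return 0
        fi
        sleep 2
    done
    return 1
}

# First run: `up` creates containers, networks and volumes.
lab_up() {
    compose pull
    compose --compatibility up -d
    if wait_for_http "$LANDING" 300; then
        echo "crAPI is up at $LANDING"
    else
        echo "crAPI did not answer within 5 minutes; try: $0 logs" >&2
        return 1
    fi
}
lab_stop()  { compose stop; }                          # containers kept, just stopped
lab_start() { compose start && wait_for_http "$LANDING" 120; }   # restart existing containers
lab_reset() { compose down -v; }                       # remove containers AND volumes (old-version cleanup)
lab_logs()  { compose logs -f; }
lab_ps()    { docker ps -a; }

# Usage: ./crapi-lab.sh {up|stop|start|reset|logs|ps}; no argument only defines functions.
case "${1:-}" in
    up) lab_up ;;
    stop) lab_stop ;;
    start) lab_start ;;
    reset) lab_reset ;;
    logs) lab_logs ;;
    ps) lab_ps ;;
    "") ;;
    *) echo "usage: $0 {up|stop|start|reset|logs|ps}" >&2; exit 2 ;;
esac
```

reset is the destructive path: down -v deletes the volumes, which is exactly what the version-conflict cleanup above needs, but it also wipes any data you created in the lab, so use stop/start for day-to-day pauses.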

Next we will set up the vulnerable API lab using Docker on Windows.

Docker on Windows needs WSL to be installed. Postman installation on Windows is very easy: just download the exe and run it.

Download the Docker exe, but wait: before that you need to install WSL on Windows. Follow this writeup of mine.

https://mahimfiroj.blogspot.com/2024/12/wsl-windows-subsystem-for-linux.html

Now install the Docker exe. During installation, also check "Allow Windows containers to be used with this installation". The other two checkboxes are already selected. Installation will finish after some time.

Now type the following commands one by one.
Create a folder named crapi on the D drive, and inside that folder issue the commands below.

curl.exe -L -o crapi.zip https://github.com/OWASP/crAPI/archive/refs/heads/main.zip
tar -xf .\crapi.zip
cd crAPI-main/deploy/docker
docker compose pull
docker compose -f docker-compose.yml --compatibility up -d

If you want to expose the system on all network interfaces, so that crAPI listens on the system IP (e.g. 192.168.5.6:8888) instead of localhost, do the following. Note that this makes the deliberately vulnerable app reachable from every host on that network.

Windows:
set LISTEN_IP=0.0.0.0
docker compose -f docker-compose.yml --compatibility up -d
Linux:
LISTEN_IP="0.0.0.0" docker compose -f docker-compose.yml --compatibility up -d

vAPI

https://github.com/roottusk/vapi

cd ~/Lab

sudo git clone https://github.com/roottusk/vapi.git

cd vapi/

sudo docker-compose up -d

or

sudo docker-compose start

Once vAPI is running you can navigate to http://127.0.0.1:8000, http://127.0.0.1:8000/vapi and http://127.0.0.1:8001 to get to the vAPI home page. 

sudo docker ps -a (this shows what you are running)

One important thing to note is that vAPI comes with a prebuilt Postman collection and environment. You can access these in the vAPI/postman folder.



You can import these into Postman to be prepared for testing for future assessments. Simply open Postman, select the Import button (top right), and select the two vAPI JSON documents (see above image). Finally, confirm the import and select the Import button.



One more thing to note about vAPI is that the Resources folder contains secrets that will be necessary to complete certain attacks. The Resources folder can be found here.


There are many labs that are available to test out the tools and techniques that you learn in this course. Check out some of these other vulnerable labs:

Portswigger

Web Security Academy

TryHackMe

Bookstore (free)

IDOR (paid)

GraphQL (paid)


HackTheBox (Retired Machines)

Craft

Postman

JSON

Node

Help

GitHub (Vulnerable Apps)

C{api}tal

Pixi

REST API Goat

DVWS-node

Websheep

You will get the most out of this course by getting your hands on the keyboard and hacking APIs. After you've learned a new tool or technique, I highly recommend applying your skills to these other labs.




Avi



 Kansa is an IR framework. https://github.com/davehull/Kansa For enterprise data collection, you need to do this first from the admin system: Set-NetConnectionProfile -NetworkCategory Private (In private network) Enable-PSRemoting  from powershell on the system where you want to run this tool. This will enable winrm service with port 5985 and 5986. Check: netstat -naob | findstr "5985"   Also allow tcp port 5985 and 5986 for winrm through the network. You can use  GPO. Though winrm is communicating over http and https but authentication will be happened using kerberos in domain environment.  After downloading it  from the github and unzip it, you need to unlock it using powershell. Need powershell v3 or later. ls -r *.ps1 | Unblock-File Powershell policy bypass: Set-ExecutionPolicy AllSigned | RemoteSigned | Unrestricted From FOR508 course: .\kansa.ps1 -OutputPath .\Output\ -TargetList .\hostlist -TargetCount 250 -Verbose -Pushbin -Pushbin is requir...