Need to practice your API hacking skills? crAPI is for you.
OWASP’s completely ridiculous API (crAPI) is one of several vulnerable apps you can set up as a target on your network.
You’ll find installation instructions here.
But there’s a catch.
Once you have successfully run through the instructions, you will have a functioning instance of the web app that can be accessed locally from a browser by visiting http://localhost:8888
But you may find you cannot access the app from a different machine on your network.
To fix this, you need to edit the docker-compose.yml file, which should be located in your home directory.
Start by making a backup copy of the file, then open docker-compose.yml in a text editor.
Locate the section called crapi-web:
Under ports:
change the following line (the ${VAR:-default} form is Compose's syntax for "use 127.0.0.1 unless LISTEN_IP is set"):
- "${LISTEN_IP:-127.0.0.1}:8888:80"
to
- "${LISTEN_IP:-0.0.0.0}:8888:80"
Further down, locate the section called mailhog:
Under ports:
change the following line:
- "${LISTEN_IP:-127.0.0.1}:8025:8025"
to
- "${LISTEN_IP:-0.0.0.0}:8025:8025"
This will ensure you can also access the mailhog server remotely on port 8025.
You can then save the file and quit.
Finally, you need to recreate the affected containers (crapi-web and mailhog) so the new port mappings take effect, using the following command:
sudo docker compose -f docker-compose.yml --compatibility up -d
You should now be able to access the app from other machines, either physical systems on your network, or systems running in separate VMs on an internal network set up in VirtualBox.
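The steps above, done from the shell instead of a text editor, as an added example that is not part of the original post: it backs up docker-compose.yml, rewrites only the two LISTEN_IP defaults the post discusses, and reads back the resulting bind addresses so you can confirm the change before running docker compose. The compose fragment it operates on is constructed for the demo (the extra 1025:1025 port exists only to show that untouched ports keep their loopback default); point it at the real file in your home directory instead.

```shell
#!/bin/sh
# expose_ports FILE ADDR: change the default bind address for crapi-web (8888)
# and mailhog (8025) from 127.0.0.1 to ADDR (0.0.0.0 for all interfaces, or a
# single LAN IP to limit exposure to one interface). A .bak copy is kept so the
# edit can be rolled back with: mv FILE.bak FILE
expose_ports() {
    file=$1; addr=$2
    cp -p "$file" "$file.bak"
    # Only the two published ports from the post are touched; other ports
    # that still default to loopback are left as they are.
    sed -e 's|\${LISTEN_IP:-127\.0\.0\.1}:8888:80|${LISTEN_IP:-'"$addr"'}:8888:80|' \
        -e 's|\${LISTEN_IP:-127\.0\.0\.1}:8025:8025|${LISTEN_IP:-'"$addr"'}:8025:8025|' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# bind_for_port FILE PORTSPEC: print the default bind address for a published
# port, e.g. bind_for_port docker-compose.yml 8888:80 -> 0.0.0.0
bind_for_port() {
    sed -n 's|.*\${LISTEN_IP:-\([^}]*\)}:'"$2"'".*|\1|p' "$1"
}

# count_loopback_binds FILE: how many published ports still default to 127.0.0.1
count_loopback_binds() {
    grep -c 'LISTEN_IP:-127\.0\.0\.1' "$1" || true
}

# Constructed sample compose fragment (not the real crAPI file) for the demo.
demo=$(mktemp -d)
cat > "$demo/docker-compose.yml" <<'EOF'
services:
  crapi-web:
    ports:
      - "${LISTEN_IP:-127.0.0.1}:8888:80"
  mailhog:
    ports:
      - "${LISTEN_IP:-127.0.0.1}:8025:8025"
      - "${LISTEN_IP:-127.0.0.1}:1025:1025"
EOF

expose_ports "$demo/docker-compose.yml" 0.0.0.0
echo "8888:80   -> $(bind_for_port "$demo/docker-compose.yml" 8888:80)"
echo "8025:8025 -> $(bind_for_port "$demo/docker-compose.yml" 8025:8025)"
echo "1025:1025 -> $(bind_for_port "$demo/docker-compose.yml" 1025:1025)"
echo "ports still on loopback: $(count_loopback_binds "$demo/docker-compose.yml")"
# Next step on the real host (needs Docker, so not run here):
#   sudo docker compose -f docker-compose.yml --compatibility up -d
#   ss -ltn | grep -E ':8888|:8025'   # expect 0.0.0.0:8888 and 0.0.0.0:8025
```

After the compose command, ss -ltn showing 0.0.0.0:8888 rather than 127.0.0.1:8888 confirms the container is listening on every interface; a LAN-only bind can be had by passing the host's LAN IP as ADDR instead.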
March 2, 2023
Well, that helped a lot in the middle of a hard night [I knew I had to change something in the docker-compose.yml file, specifically the part you mentioned, but I added the hardcoded IP of the machine instead of 0.0.0.0].
March 6, 2023
Glad you found it useful. Enjoy hacking crAPI. 🙂