Make crAPI accessible on a network

Need to practice your API hacking skills? crAPI is for you.

OWASP’s Completely Ridiculous API (crAPI) is one of several vulnerable apps you can set up as a target on your network.

You’ll find installation instructions here.

But there’s a catch.

Once you have successfully run through the instructions, you will have a functioning instance of the web app that can be accessed locally from a browser by visiting http://localhost:8888.

But you may find you cannot access the app from a different machine on your network.

To fix this, you need to edit the docker-compose.yml file that should be located in your home directory.

Start by making a backup copy of the file, then open docker-compose.yml in a text editor.

Locate the section called crapi-web:

Under ports: change the following line:
- "${LISTEN_IP:-127.0.0.1}:8888:80"
to
- "${LISTEN_IP:-0.0.0.0}:8888:80"

Further down, locate the section called mailhog:

Under ports: change the following line:
- "${LISTEN_IP:-127.0.0.1}:8025:8025"
to
- "${LISTEN_IP:-0.0.0.0}:8025:8025"

This will ensure you can also access the mailhog server remotely on port 8025.

You can then save the file and quit.

Finally, you need to recreate the crapi-web and mailhog containers so the new port bindings take effect, using the following command:
sudo docker compose -f docker-compose.yml --compatibility up -d

You should now be able to access the app from other machines, either physical systems on your network, or systems running in separate VMs on an internal network set up in VirtualBox.
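To check what the edit actually publishes, the following added example (not code from this post or from the crAPI project) resolves the LISTEN_IP port entries the way Compose interpolates variable defaults and lists the ones bound to a non-loopback address. The compose excerpt is a constructed sample of the two entries edited above, and the parser is an assumption-level sketch that handles only short-syntax IPv4 port entries.

```python
import re
VAR = re.compile(r"\$\{(\w+)(?:(:?-)([^}]*))?\}")
SERVICE = re.compile(r"^ {2}([\w.-]+):\s*$")   # service key, indented two spaces
PORT = re.compile(r"^\s*-\s*[\"']?([^\"'\s]+)[\"']?\s*$")

# Constructed sample: the two port entries this page edits, with the loopback default.
SAMPLE_COMPOSE = """\
services:
  crapi-web:
    ports:
      - "${LISTEN_IP:-127.0.0.1}:8888:80"
  mailhog:
    ports:
      - "${LISTEN_IP:-127.0.0.1}:8025:8025"
"""

def interpolate(text, env):
    """Expand ${VAR}, ${VAR-default} and ${VAR:-default} as Compose does."""
    def expand(m):
        name, op, default = m.groups()
        value = env.get(name)
        if (op == ":-" and not value) or (op == "-" and value is None):
            return default
        return value or ""
    return VAR.sub(expand, text)

def published_ports(compose_text, env):
    """List (service, host_ip, host_port, container_port) for each port entry."""
    found, service, in_ports = [], None, False
    for line in interpolate(compose_text, env).splitlines():
        if SERVICE.match(line):
            service, in_ports = SERVICE.match(line).group(1), False
        elif line.strip() == "ports:":
            in_ports = True
        elif in_ports and PORT.match(line):
            parts = PORT.match(line).group(1).split(":")
            if len(parts) == 2:   # no host IP given: Docker publishes on all interfaces
                parts.insert(0, "0.0.0.0")
            if len(parts) == 3:
                found.append((service, *parts))
        elif line.strip():        # any other key ends the ports list
            in_ports = False
    return found

def exposed(compose_text, env):  # entries bound to a non-loopback address
    return [p for p in published_ports(compose_text, env) if not p[1].startswith("127.")]

if __name__ == "__main__":
    print(exposed(SAMPLE_COMPOSE, {}), exposed(SAMPLE_COMPOSE, {"LISTEN_IP": "0.0.0.0"}))
```

With the shipped default nothing is listed. With the default edited to 0.0.0.0, or with LISTEN_IP set in the environment, both crapi-web (8888) and mailhog (8025) are listed.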

Hi! I'm a tech journalist, getting my feet wet in ethical hacking. What you will find here is me taking notes on the tools and techniques I’m learning and offering answers to the questions I had when I first got started not so very long ago.

2 Comments

  1. Cairo
    March 2, 2023

    well, that helped a lot at the mid of a hard night [I knew I had to change sth in the docker-compose.yml file specific to the part u mentioned but I added the hardcoded IP of the machine instead of 0.0.0.0]

    1. Edward Lichtner
      March 6, 2023

      Glad you found it useful. Enjoy hacking crAPI. 🙂

