Intro to API Security: crAPI

November 6, 2023

Amit Dubey

May 15, 2022 · 2 min read

You can do a lot to ensure that your application is secure and protected from cyber-attacks, even if you are just starting to design an API or want to optimize your existing APIs. API security concerns should be considered from the start of the design process to avoid potential attack vectors later in the development cycle. Authorization and authentication issues with APIs are relatively common. These exposed API endpoints are a concern for both developers and businesses.

So, in this multi-part blog series, we will learn about API Security through crAPI in a fun and informative way. Here, we will explain different security issues in crAPI and how we plan to address these.

The Completely Ridiculous API (a.k.a. crAPI) application helps users connect with car mechanics to get their car serviced or repaired. The application allows the user to manage vehicles, make service orders for any car, and purchase car accessories. A user must first authenticate to the application to use all of these features. In addition, crAPI provides a community section where users may publish their blog posts.

However, crAPI’s creator has unintentionally left plenty of security flaws open, exposing several vulnerabilities in crAPI. As security professionals, we must detect and exploit these flaws. And as developers, we must learn from the mistakes of the development team.

To get started, we first need to install crAPI. Follow the instructions in the link below:
https://github.com/levoai/demo-apps/blob/main/crAPI/docs/quick-start.md

Let us walk through some of crAPI’s key features once it is set up and running.

  • Authenticate to the application and navigate to the Dashboard page.
  • Click on “Contact Mechanic” and create a service report.
  • Now, select “Shop” to view the available auto parts and accessories.
  • You can order or return a product from the order page.
  • Select “Community” to read or post blogs.

crAPI - shopping and community page

By exercising the application in this way, we can generate API specifications for it and use them to scan with LEVO, an intelligent API security testing tool.

Now that we understand how crAPI works, we will look at different vulnerabilities in crAPI’s API endpoints.

In my next blog post, we will learn about various authentication issues in crAPI. Stay Tuned.

Best Regards,

Amit
