Making Security Fun for Developers

Harish Nataraj
May 8, 2022 · 4 min read

Developers do care about security
Developers want to do the right thing for security. The real challenge is that they do not know what that “right thing” is.
Developers are naturally curious and tend to work from principles and from understanding why things happen. They will readily do the “right thing” when application security issues are presented in a format that matches how they absorb information.
OWASP crAPI aims to make security fun
OWASP crAPI is a vulnerable demo application from the OWASP Foundation that aims to make learning security fun for developers.
crAPI stands for Completely Ridiculous API and is built on a modern, microservices-based API architecture. Corey Ball, author of Hacking APIs, refers to crAPI extensively in his lab exercises.
Levo gives crAPI a facelift
Fast Install & Startup
Full OpenAPI Specifications

crAPI now has an embedded API explorer with full OpenAPI 3.x specifications for all of its endpoints. You can invoke these APIs directly from this interface and inspect the responses. Always check that the input data you receive is within the constraints your API endpoint expects: parse the input and enforce minimum/maximum ranges, string length limits, data type formats, and so on.
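The validation advice above, worked through in code. This is an added example and is not code from the original post or from crAPI itself; the vehicle-registration schema, its field names and its limits are constructed assumptions written in OpenAPI-style JSON Schema keywords, and the validator is a small hand-written one rather than a library, so the checks it performs are visible on the page.

```python
"""Added example (not from the post or crAPI): enforce OpenAPI-style
input constraints on a request body before the handler touches it."""
import json
import math
import re
from typing import Any

# Constructed schema for a hypothetical POST /api/v1/vehicles body.
# Field names and limits are assumptions for illustration only.
VEHICLE_SCHEMA = {
    "type": "object",
    "required": ["vin", "year", "mileage", "email"],
    "additionalProperties": False,          # reject fields we never asked for
    "properties": {
        "vin":     {"type": "string", "minLength": 17, "maxLength": 17,
                    "pattern": r"^[A-HJ-NPR-Z0-9]{17}$"},
        "year":    {"type": "integer", "minimum": 1980, "maximum": 2030},
        "mileage": {"type": "number", "minimum": 0, "maximum": 2_000_000},
        "email":   {"type": "string", "format": "email", "maxLength": 254},
    },
}

MAX_BODY_BYTES = 4096                        # constructed size cap for the example
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate(value: Any, schema: dict, path: str = "$") -> list[str]:
    """Return a list of constraint violations (empty list means valid)."""
    errors: list[str] = []
    kind = schema.get("type")

    if kind == "object":
        if not isinstance(value, dict):
            return [f"{path}: expected object"]
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required field missing")
        if schema.get("additionalProperties", True) is False:
            for name in value:
                if name not in props:
                    errors.append(f"{path}.{name}: unexpected field")
        for name, sub in props.items():
            if name in value:
                errors.extend(validate(value[name], sub, f"{path}.{name}"))

    elif kind == "string":
        if not isinstance(value, str):
            return [f"{path}: expected string"]
        n = len(value)
        if n < schema.get("minLength", 0):
            errors.append(f"{path}: length {n} below minLength {schema['minLength']}")
        if n > schema.get("maxLength", math.inf):
            errors.append(f"{path}: length {n} above maxLength {schema['maxLength']}")
        if "pattern" in schema and not re.fullmatch(schema["pattern"], value):
            errors.append(f"{path}: does not match pattern")
        if schema.get("format") == "email" and not EMAIL_RE.match(value):
            errors.append(f"{path}: not a valid email")

    elif kind in ("integer", "number"):
        # bool is a subclass of int in Python, so exclude it explicitly.
        wrong_type = (isinstance(value, bool)
                      or not isinstance(value, (int, float))
                      or (kind == "integer" and not isinstance(value, int)))
        if wrong_type:
            return [f"{path}: expected {kind}"]
        if value < schema.get("minimum", -math.inf):
            errors.append(f"{path}: {value} below minimum {schema['minimum']}")
        if value > schema.get("maximum", math.inf):
            errors.append(f"{path}: {value} above maximum {schema['maximum']}")

    elif kind == "boolean":
        if not isinstance(value, bool):
            return [f"{path}: expected boolean"]

    return errors


def parse_and_validate(raw_body: bytes, schema: dict = VEHICLE_SCHEMA) -> list[str]:
    """Parse a raw request body and validate it; errors are returned, never raised."""
    if len(raw_body) > MAX_BODY_BYTES:
        return [f"$: body of {len(raw_body)} bytes exceeds {MAX_BODY_BYTES}"]
    try:
        parsed = json.loads(raw_body)
    except (ValueError, UnicodeDecodeError) as exc:
        return [f"$: malformed JSON ({exc.__class__.__name__})"]
    return validate(parsed, schema)


if __name__ == "__main__":
    good = b'{"vin":"1HGCM82633A004352","year":2003,"mileage":120000.5,"email":"a@example.com"}'
    bad = b'{"vin":"SHORT","year":1975,"mileage":-1,"email":"nope","role":"admin"}'
    print("good:", parse_and_validate(good))
    print("bad:", *parse_and_validate(bad), sep="\n  ")
```

The handler should only run once `parse_and_validate` returns an empty list; returning the full list of violations (rather than stopping at the first) gives the client one round trip to fix a request and gives your logs a complete picture of what malformed input looks like.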
Pre-populated user accounts & data

User Roles for Privilege Escalation Exercises

crAPI’s APIs now have clearly defined roles. This is critical for learning about privilege escalation and abuse.
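The defensive side of the role exercises above, as an added example that is not code from the post or from crAPI: a deny-by-default authorization check that covers both kinds of privilege escalation a role-based API has to resist, a lower role calling a higher role’s function (vertical) and a user reaching another user’s object through a route they are otherwise allowed to call (horizontal). The route table, role names and user ids are constructed assumptions.

```python
"""Added example (not from the post or crAPI): per-route role policy plus an
object-ownership check, evaluated before any handler runs."""
from dataclasses import dataclass
from typing import Optional

# Constructed policy for hypothetical routes: (method, route) -> roles permitted.
# Anything absent from this table is denied; the table is the allow-list.
ROUTE_POLICY: dict[tuple[str, str], frozenset[str]] = {
    ("GET",    "/api/v1/vehicles/{id}"):   frozenset({"user", "mechanic", "admin"}),
    ("POST",   "/api/v1/vehicles"):        frozenset({"user", "admin"}),
    ("GET",    "/api/v1/admin/users"):     frozenset({"admin"}),
    ("DELETE", "/api/v1/admin/users/{id}"): frozenset({"admin"}),
}

# Roles that may act on objects they do not own (assumption: only admin).
CROSS_OWNER_ROLES = frozenset({"admin"})


@dataclass(frozen=True)
class Principal:
    """Identity established by the authentication layer, not by request input."""
    user_id: str
    role: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(principal: Principal, method: str, route: str,
              resource_owner: Optional[str] = None) -> Decision:
    """Decide whether `principal` may call `method route`.

    `resource_owner` is the owner id of the object being touched, looked up
    server-side from the object itself; pass None for routes with no object.
    """
    allowed_roles = ROUTE_POLICY.get((method.upper(), route))
    if allowed_roles is None:
        return Decision(False, f"no policy for {method} {route}; denied by default")

    # Vertical escalation: role not on the route's allow-list.
    if principal.role not in allowed_roles:
        return Decision(False, f"role {principal.role!r} may not call {method} {route}")

    # Horizontal escalation: right route, someone else's object.
    if (resource_owner is not None
            and resource_owner != principal.user_id
            and principal.role not in CROSS_OWNER_ROLES):
        return Decision(False, "object belongs to another user")

    return Decision(True, "ok")


if __name__ == "__main__":
    alice = Principal("u-100", "user")
    root = Principal("u-1", "admin")
    print(authorize(alice, "GET", "/api/v1/vehicles/{id}", resource_owner="u-100"))
    print(authorize(alice, "GET", "/api/v1/vehicles/{id}", resource_owner="u-200"))
    print(authorize(alice, "GET", "/api/v1/admin/users"))
    print(authorize(root, "DELETE", "/api/v1/admin/users/{id}", resource_owner="u-100"))
```

Two design points matter more than the table itself: the role comes from the authenticated session, never from a field in the request body or a header the client controls, and the ownership check uses the owner recorded on the object, not an id the caller supplied. Logging every denied `Decision` with its reason gives a detection signal for both escalation patterns.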
HackPad

Embedded within crAPI is a HackPad interface that allows you to interactively hack crAPI’s APIs and learn more about API vulnerabilities.
Improved Documentation
Stay tuned for the hacking APIs series
We will be posting a series of articles on hacking crAPI’s APIs. In the meantime, we encourage you to take crAPI for a spin on your laptop.
If you prefer to try a fully hosted version of crAPI, sign up for a forever-free account and experience crAPI via Levo SaaS.
Thanks for reading,
Harish