crAPI Docker setup


curl -o docker-compose.yml

docker-compose pull

docker-compose -f docker-compose.yml --compatibility up -d



Challenge 1 – Access details of another user’s vehicle. (Broken User Authentication)

To solve the challenge, you need to leak sensitive information of another user’s vehicle.

  • Since vehicle IDs are not sequential numbers, but GUIDs, you need to find a way to expose the vehicle ID of another user. The endpoint referenced there returns all of the user's information, including vehicleid.
  • Find an API endpoint that receives a vehicle ID and returns information about it.

Challenge 2 – Access mechanic reports of other users. (Broken User Authentication)

crAPI allows vehicle owners to contact their mechanics by submitting a “contact mechanic” form. This challenge is about accessing mechanic reports that were submitted by other users.

  • Analyze the report submission process. Submitting a report returns a report_link.
  • Find a hidden API endpoint that exposes details of a mechanic report. GET the returned report_link.
  • Change the report ID to access other reports. GET the link returned above and change report_id to any value to view other users' reports.

Challenge 3 – Reset the password of a different user. (Broken User Authentication)

  • Find an email address of another user on crAPI.
  • Brute forcing might be the answer. If you face any protection mechanisms, remember to leverage the predictable nature of REST APIs to find more similar API endpoints. After several requests to api/v3 the server returns ERROR; switching to v2 has no such limit, and brute-forcing the 4-digit code succeeds.

Challenge 4 – Find an API endpoint that leaks sensitive information of other users. (Excessive Data Exposure)

Challenge 5 – Find an API endpoint that leaks an internal property of a video. (Excessive Data Exposure)

In this challenge, you need to find an internal property of the video resource that shouldn’t be exposed to the user. This property name and value can help you to exploit other vulnerabilities.

Upload a personal video, click share and capture the request to see the video_id; then try it directly: requesting /31 returns the video information.

Challenge 6 – Perform a layer 7 DoS using ‘contact mechanic’ feature. (Rate Limiting)

Increase number_of_repeats and set repeat_request_if_failed to true.

Challenge 7 – Delete a video of another user. (BFLA)

  • Leverage the predictable nature of REST APIs to find an admin endpoint to delete videos
  • Delete a video of someone else

When using DELETE, the response says admin privileges are required.


Challenge 8 – Get an item for free. (Mass Assignment)

crAPI allows users to return items they have ordered. You simply click the “return order” button, receive a QR code and show it in a USPS store. To solve this challenge, you need to find a way to get refunded for an item that you haven’t actually returned.

  • Leverage the predictable nature of REST APIs to find a shadow API endpoint that allows you to edit properties of a specific order.

Submitting an order returns an order id.

Using GET with that id to view the order details, there is a status value.

Using PUT to modify status shows that its allowed values are delivered, return pending and returned. Setting status to returned switches the order straight to the returned state and refunds the cost.

Challenge 9 – Increase your balance by $1,000 or more. (Mass Assignment)

After solving the “Get an item for free” challenge, be creative and find a way to get refunded for an item you never returned, but this time try to get a bigger refund.


Increase quantity so that the refund for a single order returns a larger amount.


Challenge 10 – Update internal video properties. (Mass Assignment)

After solving the “Find an API endpoint that leaks an internal property of videos” challenge, try to find an endpoint that would allow you to change the internal property of the video. Changing the value can help you to exploit another vulnerability.


Modify the video name.

Challenge 11 – Make crAPI send an HTTP call to “” and return the HTTP response. (SSRF)

Change the original "mechanic_api":"" to the target URL and the response comes back.

Challenge 12 – Find a way to get free coupons without knowing the coupon code. (NoSQL Injection)

Use $ne for the NoSQL injection.

When coupon_code is set to “$ne” = “aaaaaaaa”, what actually executes on the backend is: ‘coupon_code': {$ne: aaaaaaaaa}

The condition {$ne: aaaaaaaaa} always holds (evaluates to 1), so the check is bypassed.

Finally, entering TRAC075 redeems the coupon successfully.
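The bypass above, shown as an added example that is not crAPI's own code: a coupon lookup that drops the JSON value straight into a MongoDB-style filter, beside a hardened version that only accepts a plain string. The collection, coupon values and the tiny in-memory matcher (which understands only equality and $ne) are constructed stand-ins so the snippet runs without a database.

```python
import json

# Constructed coupon collection; TRAC075 is the code the walkthrough redeems.
COUPONS = [{"coupon_code": "TRAC075", "amount": 75},
           {"coupon_code": "ABCD1234", "amount": 20}]


def mongo_like_find_one(collection, query):
    """Stand-in for a Mongo find_one: supports equality and the $ne operator only."""
    for doc in collection:
        matched = True
        for field, cond in query.items():
            if isinstance(cond, dict) and "$ne" in cond:
                matched = doc.get(field) != cond["$ne"]
            else:
                matched = doc.get(field) == cond
            if not matched:
                break
        if matched:
            return doc
    return None


def validate_coupon_vulnerable(body: str):
    """Bug: the JSON value may be an object, so {"$ne": "x"} matches every coupon."""
    code = json.loads(body)["coupon_code"]
    return mongo_like_find_one(COUPONS, {"coupon_code": code})


def validate_coupon_hardened(body: str):
    """Fix: require a plain alphanumeric string before it reaches the query."""
    code = json.loads(body).get("coupon_code")
    if not isinstance(code, str) or not code.isalnum():
        raise ValueError("coupon_code must be an alphanumeric string")
    return mongo_like_find_one(COUPONS, {"coupon_code": code})
```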

Challenge 13 – Find a way to redeem a coupon that you have already claimed by modifying the database. (SQL Injection)

Challenge 14 – Find an endpoint that does not perform authentication checks for a user. (Unauthenticated Access)

/workshop/api/mechanic/mechanic_report?report_id=6 (any report number)

/workshop/api/shop/orders/1 (any order number)

Challenge 15 – Find a way to forge valid JWT Tokens. (JWT Vulnerabilities)

JWT Authentication in crAPI is vulnerable to various attacks. Find any one way to forge a valid JWT token and get full access to the platform.

A JWT consists of three parts: Header, Payload and Signature. The Header carries the token's signing algorithm and type, the Payload carries the user information, and the Signature is what authenticates the token. A leaked or forgeable JWT therefore allows identity spoofing.
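To show what a server must check before trusting those three parts, here is an added example (not crAPI's code) of a minimal HS256 verifier on the standard library: the algorithm is pinned server-side rather than read from the header, the signature is compared in constant time, and exp is enforced. mint() only exists to build tokens for testing; the key is a constructed value.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Test helper: builds a token; any alg other than HS256 gets an empty signature."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify(token: str, key: bytes, now=None) -> dict:
    """Returns the payload or raises ValueError. The token's alg is never trusted."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # pin the algorithm; rejects "none" and swaps
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body_b64))
    current = now if now is not None else time.time()
    if "exp" in payload and current >= payload["exp"]:
        raise ValueError("token expired")
    return payload
```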




<< 2 secret challenges >>

There are two more secret challenges in crAPI, that are pretty complex, and for now we don’t share details about them, except the fact they are really cool.

First query the product information, then use POST to add a product.

When quantity is set to a negative number, the credit increases.
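Both the order edits in Challenges 8 and 9 and the negative-quantity trick just described come from trusting client-supplied order fields. The following added example (not crAPI's code; field names and the allow-list are assumptions) puts the vulnerable handlers beside hardened ones: the PUT copies only allow-listed fields, status moves only through a server-side return flow, and order creation rejects non-positive quantities.

```python
CUSTOMER_EDITABLE = {"shipping_note"}  # assumed: the only field a customer may edit
VALID_STATUS = ("delivered", "return pending", "returned")  # values seen in the walkthrough


def update_order_vulnerable(order: dict, payload: dict) -> dict:
    """Mass assignment: every key in the request body lands on the order."""
    order.update(payload)
    return order


def update_order_hardened(order: dict, payload: dict) -> dict:
    """Only allow-listed fields are copied; status and quantity never come from the client."""
    rejected = set(payload) - CUSTOMER_EDITABLE
    if rejected:
        raise ValueError(f"not editable by customer: {sorted(rejected)}")
    order.update(payload)
    return order


def request_return(order: dict) -> dict:
    """The only path that changes status: a transition from delivered to return pending."""
    if order["status"] != "delivered":
        raise ValueError("only delivered orders can be returned")
    order["status"] = "return pending"  # 'returned' is set by the warehouse flow, not here
    return order


def create_order_vulnerable(unit_price: float, quantity: int, balance: float) -> float:
    """Negative quantity is accepted, so the charge turns into a credit."""
    return balance - unit_price * quantity


def create_order_hardened(unit_price: float, quantity: int, balance: float) -> float:
    """Quantity must be a positive integer and the buyer must be able to pay."""
    if not isinstance(quantity, int) or isinstance(quantity, bool) or quantity < 1:
        raise ValueError("quantity must be a positive integer")
    cost = unit_price * quantity
    if cost > balance:
        raise ValueError("insufficient balance")
    return balance - cost
```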


About the Author

Fisher不钓鱼, class of 2021 undergraduate in cybersecurity at Sichuan University.