Skip to content

MuneneGeo/-crAPI-API-Security-Assessment

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
C4A_WebSecurity&API Report.docx
C4A_WebSecurity&API Report.docx
 
 
README.md
README.md
 
 

Repository files navigation

Security assessment of OWASP crAPI (Completely Ridiculous API) — a deliberately vulnerable REST API application designed to demonstrate real-world API security weaknesses. Conducted by Squad 4 as part of the AfricaHackon Cybersecurity Program.

🎯 Assessment Objective

Identify and document security weaknesses in REST API endpoints using manual and automated testing techniques.

🔴 Key Vulnerabilities Found

  • IDOR (API1) — Accessing other users' orders by modifying object IDs in GET requests
  • Broken Authentication — Unauthenticated access to protected API endpoints
  • Excessive Data Exposure — API responses returning sensitive fields not required by the client
  • Business Logic Flaws — Abusing application functionality to perform unauthorised actions
  • Missing Rate Limiting — Enumeration and scraping of user data at scale
  • Mass Assignment — Setting unauthorised fields through API request body manipulation
  • JWT Vulnerabilities — Token validation weaknesses enabling privilege escalation

🛠️ Tools Used

Burp Suite | Postman | Browser DevTools | Docker | OWASP API Top 10 Framework

📄 Full Report

See C4A_WebSecurity&API Report for all findings with proof-of-concept requests, responses, and remediation recommendations.

⚠️ Disclaimer

Testing was conducted solely against the OWASP crAPI lab environment for educational purposes. No real systems were targeted.

About

API security assessment of OWASP crAPI — IDOR, broken authentication, mass assignment, rate limiting bypass

Topics

penetration-testing vulnerability-assessment burpsuite owasp-top-10 api-security

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors