info@techaven.co.zw +263 71 899 9646
Resources / Blog / Building Your crAPI Home Lab – OWASP's "...
General Apr 29, 2026 3 min read 169 views

Building Your crAPI Home Lab – OWASP's "Completely Ridiculous API"

Learn API security by hacking a purposely broken API – in your own isolated lab

BE
Beatitude Sithole
Published 2 months ago

crAPI (Completely Ridiculous API) is a deliberately vulnerable API from OWASP. It's packed with the Top 10 API security risks – from broken object-level authorization to mass assignment.

In this guide, you'll deploy crAPI on your own machine using Docker. Let's get ridiculously dangerous (safely).

Prerequisites

  • Linux / macOS / Windows (WSL2 for Windows)
  • ~5 GB free disk space
  • Ports 8888 and 8025 free on localhost
  • Internet connection
⚠️ Security reminder – crAPI is intentionally insecure. Never expose it to the internet or production networks. Keep it inside your lab machine.

Step 0 – Install Docker (if not present)

If you don't have Docker installed, run these commands on Ubuntu/Debian (for other distros, see official docs):

bash

sudo apt update
sudo apt install -y docker.io
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
📌 Important: After adding yourself to the docker group, log out and log back in (or restart your terminal) for the change to take effect.

To verify Docker is working, run:

bash

docker --version
docker-compose --version  # or 'docker compose version'

If docker-compose is missing, install it separately:

bash

sudo apt install -y docker-compose

Step 1 – Create your lab directory

bash

mkdir -p ~/lab
cd ~/lab

Step 2 – Download the Docker Compose file

bash

curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml

Step 3 – Pull all required container images

bash

docker-compose pull

You'll see output like this:

text

Pulling vehicle-gateway ... done
Pulling identity         ... done
Pulling community        ... done
...

Step 4 – Start crAPI (detached mode)

bash

docker-compose --compatibility up -d

Wait for all containers to report done or healthy.

Watch logs with:

bash

docker-compose logs -f

Press Ctrl+C to exit logs without stopping containers.

Step 5 – Verify the installation


ServiceURLPurposecrAPI Apphttp://127.0.0.1:8888Main vulnerable API & frontendMailHoghttp://127.0.0.1:8025Email catch-all server

Open your browser and visit:

 http://127.0.0.1:8888

You should see the crAPI landing page with a Sign Up form.

https://raw.githubusercontent.com/OWASP/crAPI/main/docs/images/landing-page.png

Step 6 – Explore MailHog inbox

Open:  http://127.0.0.1:8025

Whenever crAPI sends an email (verification, password reset), it appears here.

Step 7 – Stop the lab

bash

docker-compose stop

To completely wipe volumes and start fresh:

bash

docker-compose down -v

One‑shot automation script

Save as start-crapi.sh:

bash

#!/bin/bash
set -e

if ! command -v docker &> /dev/null; then
    echo "Docker not found. Installing..."
    sudo apt update
    sudo apt install -y docker.io
    sudo systemctl enable --now docker
    sudo usermod -aG docker $USER
    echo "Docker installed. Please log out and back in, then re-run this script."
    exit 0
fi

echo "Setting up crAPI lab..."
mkdir -p ~/lab && cd ~/lab
curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml
docker-compose pull
docker-compose --compatibility up -d
echo ""
echo "crAPI is running!"
echo "App:    http://127.0.0.1:8888"
echo "MailHog: http://127.0.0.1:8025"

Make it executable and run:

bash

chmod +x start-crapi.sh
./start-crapi.sh

Quick test

bash

curl -i http://127.0.0.1:8888/identity/api/v2/vehicle/vehicles

Expected: 401 Unauthorized – means the API is alive and enforcing auth.

Troubleshooting


ProblemSolutiondocker: command not foundRevisit Step 0 – Docker not installed correctlypermission denied (Linux)Log out & back in after usermod -aG docker, or use sudo with commandsPort 8888 already in useChange port in docker-compose.yml (under frontend → ports)Containers keep restartingRun docker-compose ps and check logs: docker-compose logs <service>MailHog shows no emailsRegister a new account in crAPI – the welcome email will appear there

If all else fails, try the development version:

bash

git clone https://github.com/OWASP/crAPI.git
cd crAPI/deploy/docker
docker-compose --compatibility up -d

What's next?

Now that your lab is up:

  • Play with broken JWT tokens
  • Exploit mass assignment on the workshop mechanic
  • Find improper assets management
  • Intercept email flows via MailHog

Check out the crAPI Postman collection and the API docs.

Cleanup (when you're done forever)

bash

cd ~/lab
docker-compose down -v
rm -rf ~/lab

Final words

You've just deployed a full API security playground – all on your own machine. No cloud costs, no external dependencies. Now go break things (ethically) and level up your API hacking skills.

Happy hacking! 

Reference: OWASP crAPI GitHub



Share Twitter LinkedIn Back to Blog
In this article
3 min read 169 views
Ready to learn?
Join a Techaven course

Apply practical skills like the ones in this article in our hands-on courses.

Explore Courses
Keep Reading

Related Articles