crAPI (Completely Ridiculous API) is a deliberately vulnerable API from OWASP. It's packed with the Top 10 API security risks – from broken object-level authorization to mass assignment.
In this guide, you'll deploy crAPI on your own machine using Docker. Let's get ridiculously dangerous (safely).
Prerequisites
- Linux / macOS / Windows (WSL2 for Windows)
- ~5 GB free disk space
- Ports
8888and8025free on localhost - Internet connection
⚠️ Security reminder – crAPI is intentionally insecure. Never expose it to the internet or production networks. Keep it inside your lab machine.
Step 0 – Install Docker (if not present)
If you don't have Docker installed, run these commands on Ubuntu/Debian (for other distros, see official docs):
bash
sudo apt update sudo apt install -y docker.io sudo systemctl enable --now docker sudo usermod -aG docker $USER
📌 Important: After adding yourself to the docker group, log out and log back in (or restart your terminal) for the change to take effect.To verify Docker is working, run:
bash
docker --version docker-compose --version # or 'docker compose version'
If docker-compose is missing, install it separately:
bash
sudo apt install -y docker-compose
Step 1 – Create your lab directory
bash
mkdir -p ~/lab cd ~/lab
Step 2 – Download the Docker Compose file
bash
curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml
Step 3 – Pull all required container images
bash
docker-compose pull
You'll see output like this:
text
Pulling vehicle-gateway ... done Pulling identity ... done Pulling community ... done ...
Step 4 – Start crAPI (detached mode)
bash
docker-compose --compatibility up -d
Wait for all containers to report done or healthy.
Watch logs with:
bash
docker-compose logs -f
Press Ctrl+C to exit logs without stopping containers.
Step 5 – Verify the installation
ServiceURLPurposecrAPI Apphttp://127.0.0.1:8888Main vulnerable API & frontendMailHoghttp://127.0.0.1:8025Email catch-all server
Open your browser and visit:
You should see the crAPI landing page with a Sign Up form.
https://raw.githubusercontent.com/OWASP/crAPI/main/docs/images/landing-page.png
Step 6 – Explore MailHog inbox
Open: http://127.0.0.1:8025
Whenever crAPI sends an email (verification, password reset), it appears here.
Step 7 – Stop the lab
bash
docker-compose stop
To completely wipe volumes and start fresh:
bash
docker-compose down -v
One‑shot automation script
Save as start-crapi.sh:
bash
#!/bin/bash
set -e
if ! command -v docker &> /dev/null; then
echo "Docker not found. Installing..."
sudo apt update
sudo apt install -y docker.io
sudo systemctl enable --now docker
sudo usermod -aG docker $USER
echo "Docker installed. Please log out and back in, then re-run this script."
exit 0
fi
echo "Setting up crAPI lab..."
mkdir -p ~/lab && cd ~/lab
curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml
docker-compose pull
docker-compose --compatibility up -d
echo ""
echo "crAPI is running!"
echo "App: http://127.0.0.1:8888"
echo "MailHog: http://127.0.0.1:8025"
Make it executable and run:
bash
chmod +x start-crapi.sh ./start-crapi.sh
Quick test
bash
curl -i http://127.0.0.1:8888/identity/api/v2/vehicle/vehicles
Expected: 401 Unauthorized – means the API is alive and enforcing auth.
Troubleshooting
ProblemSolutiondocker: command not foundRevisit Step 0 – Docker not installed correctlypermission denied (Linux)Log out & back in after usermod -aG docker, or use sudo with commandsPort 8888 already in useChange port in docker-compose.yml (under frontend → ports)Containers keep restartingRun docker-compose ps and check logs: docker-compose logs <service>MailHog shows no emailsRegister a new account in crAPI – the welcome email will appear there
If all else fails, try the development version:
bash
git clone https://github.com/OWASP/crAPI.git cd crAPI/deploy/docker docker-compose --compatibility up -d
What's next?
Now that your lab is up:
- Play with broken JWT tokens
- Exploit mass assignment on the workshop mechanic
- Find improper assets management
- Intercept email flows via MailHog
Check out the crAPI Postman collection and the API docs.
Cleanup (when you're done forever)
bash
cd ~/lab docker-compose down -v rm -rf ~/lab
Final words
You've just deployed a full API security playground – all on your own machine. No cloud costs, no external dependencies. Now go break things (ethically) and level up your API hacking skills.
Happy hacking!
Reference: OWASP crAPI GitHub