AP 100: Finding API Endpoints (20 pts extra)

What You Need


To find API endpoints on an OWASP crAPI training server.

Connecting to crAPI

Open Burp. Click the Proxy tab. Click the Intercept tab.

Click the "Intercept is on" button so it changes to "Intercept is off".

Click the "Open Browser" button.

In Burp's browser, go to

https://crAPI.samsclass.info The crAPI login page opens, as shown below.

Alternate Servers

At DEF CON, there are two other servers to use:

Using Developer Tools to Explore Source Files

In Burp's browser, from the menu bar, click View, Developer, "Developer Tools".

Click Network tab, outlined in green in the image below.

At the top left, click the Refresh icon, outlined in red in the image below.

Several source filenames appear. Right-click main.fd3f1560.chunk.js, outlined in blue in the image below, and click "Open in Sources Panel".

The Sources tab appears, with one very long line in red font containing all the JavaScript code, as shown below.

At lower left, click {}, outlined in green in the image below, for "pretty-print".

The display becomes much more readable, as shown below.

Click in the lower center pane, where the JavaScript code is.

On your keyboard, press command+F if you're on a Mac, or Ctrl+F if you are on a PC.

A Find box appears at the bottom. Click in tha box and type


as shown below.

Flag AP 100.1: Word (10 pts)

Press Enter twice. Scroll down to see the list of API endpoints, as shown below.

The flag is the word covered by a green rectangle in the image below.

Flag AP 100.2: External API Endpoint (10 pts)

Search all the JavaScript files used on this page, and find the URL matching the image below.

The flag is the word covered by a green rectangle in the image below.


Hacking APIs

Posted 5-4-22
Alternate servers added 8-11-22