CorpAPI is a vulnerable-by-design web API built to help users improve their knowledge of application security. It contains two flags for users to find, and there are multiple approaches you can take to reach them, so feel free to download it and take a look. The vulnerability classes it covers include:
- Information disclosure
- Excessive data exposure
- Broken object level authorization
- Arbitrary file read
- Broken function level authorization
- SQL injection
- Server-side request forgery
- Server Misconfiguration
To use CorpAPI, download and run the app.py file. If all required modules are installed, this starts a local web server on port 5000. The API can then be accessed at http://localhost:5000/api/v2/public/login (credentials: captain:captain).