Merge pull request #1799 from zapbot/update-site-content

psiinon · web-flow · commit 5b7333808530 · 2025-07-15T17:58:20.000+01:00
Update site content
diff --git a/docs/testapps/crapi/index.html b/docs/testapps/crapi/index.html
diff --git a/docs/testapps/index.html b/docs/testapps/index.html
@@ -162,6 +162,16 @@ <h1 class="text--white">ZAP Vs Test Apps</h1>
               </div>
             </div>
           
+            <div class="flex">
+              <div class="circle-arrow mr-20">
+                  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 30 30" width="30px"><g data-name="Layer 2"><circle cx="15" cy="15" r="15" fill="#4389ff"/><path fill="none" stroke="#fff" stroke-linecap="round" stroke-linejoin="round" stroke-width="3" d="M12.72 8.64L19.07 15l-6.35 6.36"/></g></svg></div>
+              <div>
+                
+                  <p> <b><a href="crapi/"> OWASP crAPI</a></b>  - the Completely Ridiculous API </p>
+                
+              </div>
+            </div>
+          
             <div class="flex">
               <div class="circle-arrow mr-20">
                   <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 30 30" width="30px"><g data-name="Layer 2"><circle cx="15" cy="15" r="15" fill="#4389ff"/><path fill="none" stroke="#fff" stroke-linecap="round" stroke-linejoin="round" stroke-width="3" d="M12.72 8.64L19.07 15l-6.35 6.36"/></g></svg></div>
diff --git a/docs/testapps/index.xml b/docs/testapps/index.xml
@@ -21,6 +21,13 @@
       <guid>/docs/testapps/ginnjuiceshop/</guid>
       <description>&lt;h3 id=&#34;overview&#34;&gt;Overview &lt;a class=&#34;header-link&#34; href=&#34;#overview&#34;&gt;&lt;svg class=&#34;fill-current o-60 hover-accent-color-light&#34; height=&#34;22px&#34; viewBox=&#34;0 0 24 24&#34; width=&#34;22px&#34; xmlns=&#34;http://www.w3.org/2000/svg&#34;&gt;&lt;path d=&#34;M0 0h24v24H0z&#34; fill=&#34;none&#34;/&gt;&lt;path d=&#34;M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z&#34; fill=&#34;currentColor&#34;/&gt;&lt;/svg&gt;&lt;/a&gt;&lt;/h3&gt;&#xA;&lt;p&gt;Gin &amp;amp; Juice Shop is a closed source vulnerable app maintained by &lt;a href=&#34;https://portswigger.net/&#34;&gt;PortSwigger&lt;/a&gt;.&lt;/p&gt;&#xA;&lt;p&gt;Despite claiming to be a modern app is is actually relatively traditional (it is not a Single Page App), which makes it easier to scan.&lt;/p&gt;</description>
     </item>
+    <item>
+      <title>OWASP crAPI</title>
+      <link>/docs/testapps/crapi/</link>
+      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
+      <guid>/docs/testapps/crapi/</guid>
+      <description>&lt;h3 id=&#34;overview&#34;&gt;Overview &lt;a class=&#34;header-link&#34; href=&#34;#overview&#34;&gt;&lt;svg class=&#34;fill-current o-60 hover-accent-color-light&#34; height=&#34;22px&#34; viewBox=&#34;0 0 24 24&#34; width=&#34;22px&#34; xmlns=&#34;http://www.w3.org/2000/svg&#34;&gt;&lt;path d=&#34;M0 0h24v24H0z&#34; fill=&#34;none&#34;/&gt;&lt;path d=&#34;M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z&#34; fill=&#34;currentColor&#34;/&gt;&lt;/svg&gt;&lt;/a&gt;&lt;/h3&gt;&#xA;&lt;p&gt;OWASP crAPI the “completely ridiculous API”.&lt;/p&gt;&#xA;&lt;p&gt;It is open source, and maintained by OWASP and the community. It’s fairly well documented:&lt;/p&gt;</description>
+    </item>
     <item>
       <title>OWASP Juice Shop</title>
       <link>/docs/testapps/juiceshop/</link>
diff --git a/index.xml b/index.xml
@@ -15500,6 +15500,17 @@ regular pentests on all of their web apps.&lt;/p&gt;</description>
 When an attacker gets a user&amp;rsquo;s browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.&lt;/p&gt;</description>
     </item>
     
+    <item>
+      <title>OWASP crAPI</title>
+      <link>/docs/testapps/crapi/</link>
+      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
+      
+      <guid>/docs/testapps/crapi/</guid>
+      <description>&lt;h3 id=&#34;overview&#34;&gt;Overview &lt;a class=&#34;header-link&#34; href=&#34;#overview&#34;&gt;&lt;svg class=&#34;fill-current o-60 hover-accent-color-light&#34; height=&#34;22px&#34; viewBox=&#34;0 0 24 24&#34; width=&#34;22px&#34; xmlns=&#34;http://www.w3.org/2000/svg&#34;&gt;&lt;path d=&#34;M0 0h24v24H0z&#34; fill=&#34;none&#34;/&gt;&lt;path d=&#34;M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z&#34; fill=&#34;currentColor&#34;/&gt;&lt;/svg&gt;&lt;/a&gt;&lt;/h3&gt;
+&lt;p&gt;OWASP crAPI the “completely ridiculous API”.&lt;/p&gt;
+&lt;p&gt;It is open source, and maintained by OWASP and the community. It’s fairly well documented:&lt;/p&gt;</description>
+    </item>
+    
     <item>
       <title>OWASP Juice Shop</title>
       <link>/docs/testapps/juiceshop/</link>
diff --git a/search/index.json b/search/index.json
@@ -6775,6 +6775,14 @@
     "summary": "\u003cp\u003eCross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user\u0026rsquo;s browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.\nWhen an attacker gets a user\u0026rsquo;s browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.\u003c/p\u003e",
     "content": "crosssite scripting xss attack technique that involves echoing attackersupplied code into users browser instance can standard web client object embedded software product such within winamp rss reader email itself usually written htmljavascript may also extend vbscript activex java flash any other browsersupported technology when attacker gets execute hisher will run security context zone hosting site level privilege has ability read modify transmit sensitive data accessible by scripted user could have account hijacked cookie theft their redirected another location possibly shown fraudulent content delivered they visiting attacks essentially compromise trust relationship between applications utilizing instances which load from file system under local machine allowing there three types attacks: nonpersistent persistent dombased require either visit specially crafted link laced malicious page containing form posted vulnerable mount using oftentimes take place resource only accepts http post requests case submitted automatically without victims knowledge eg javascript upon clicking submitting payload get echoed back interpreted send almost arbitrary adobe occur where its stored period time examples attackers favorite targets often include message board posts mail messages chat unsuspecting not required interact additional sitelink sent via just simply view "
     },
+{
+    "url": "/docs/testapps/crapi/",
+    "title": "OWASP crAPI",
+    "keywords": ["","crapi","owasp"],
+    "tags": null,
+    "summary": "\u003ch3 id=\"overview\"\u003eOverview \u003ca class=\"header-link\" href=\"#overview\"\u003e\u003csvg class=\"fill-current o-60 hover-accent-color-light\" height=\"22px\" viewBox=\"0 0 24 24\" width=\"22px\" xmlns=\"http://www.w3.org/2000/svg\"\u003e\u003cpath d=\"M0 0h24v24H0z\" fill=\"none\"/\u003e\u003cpath d=\"M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z\" fill=\"currentColor\"/\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/h3\u003e\n\u003cp\u003eOWASP crAPI the “completely ridiculous API”.\u003c/p\u003e\n\u003cp\u003eIt is open source, and maintained by OWASP and the community. It’s fairly well documented:\u003c/p\u003e",
+    "content": "overview owasp crapi completely ridiculous api open source maintained by community its fairly documented: home https:owasporgwwwprojectcrapi repo https:githubcomowaspcrapi docker https:hubdockercomucrapi potential pitfalls while we aware least one third party online instance you can never sure how uptodate stable will future project makes images available dockercompose easy local usage authentication youll need create your own account note depending plan may want two accounts there challenges which involve manipulating details another user purposes documentation following was created used: userexamplecom password123 register examplecom email adddresses access web mail client via port 8025 example: http:localhost:8025 browser based zap successfully authenticate app using identify session handling verification recommended environment env: contexts: name: urls: http:localhost:8888 includepaths: excludepaths: http:localhost:8888resetpassword http:localhost:8888identityapiv2userresetpassword authentication: method: parameters: loginpageurl: loginpagewait: browserid: firefoxheadless steps: verification: poll loggedinregex: 200e loggedoutregex: 401e pollfrequency: 60 pollunits: requests pollurl: http:localhost:8888identityapiv2userdashboard pollpostdata: 3434 polladditionalheaders: header: contenttype value: applicationjson sessionmanagement: headers authorization: 34bearer json:token34 technology: structure: users: credentials: password: username: exploration primarily meant illustrate vulnerabilities sense import openapi definition accomplished manually automation framework job such as: type: apiurl: https:rawgithubusercontentcomowaspcrapirefsheadsdevelopopenapispeccrapiopenapispecjson targeturl: context: user: crawling crapis ui simple standard spider able some additional urlsfunctionality best enable logout avoidance july 14th 2025 neither modern spiders effectively explores ajax decide test either consider enabling adding exclusions specific urlselements exclude elements options excludedelements: description: element: span xpath: 34htmlbodydiv2divdivulli2span34 also make forgot password functionality above done part context configuration scanning although has number many them very challenging dast tool only significant that should cannot currently are: nosql injection coupon validation ssrf contact mechanic "
+    },
 {
     "url": "/docs/testapps/juiceshop/",
     "title": "OWASP Juice Shop",
diff --git a/sitemap.xml b/sitemap.xml
@@ -2673,6 +2673,8 @@
     <loc>/docs/alerts/40031/</loc>
   </url><url>
     <loc>/alerttags/out_of_band/</loc>
+  </url><url>
+    <loc>/docs/testapps/crapi/</loc>
   </url><url>
     <loc>/docs/testapps/juiceshop/</loc>
   </url><url>
