Complete API Penetration Testing Lab Setup Guide


Setting up a proper lab environment is the first and most important step in learning API penetration testing. In this guide, we will configure a complete API testing lab using Kali Linux and industry-standard tools like Postman, Burp Suite, Wfuzz, and Kiterunner.

All tools used in this lab are free versions. However, keep in mind that some community editions (such as Burp Suite Community) have limitations like throttled scans. For professional environments, upgrading to enterprise versions is recommended. For learning purposes, the free versions are completely sufficient.


1. Install a Hypervisor (VMware)

To run Kali Linux safely, we will install it inside a virtual machine.

I will be using VMware Workstation Pro, but you can use alternatives if needed.

Note: Broadcom has acquired VMware. You must register for an account to download VMware Workstation Pro.

Steps:

  1. Register at the Broadcom VMware Registration portal.
  2. Navigate to My Downloads.
  3. Locate VMware Workstation Pro.
  4. Download the version compatible with your operating system.
  5. Install VMware.

Alternative Hypervisors

If you prefer not to use VMware:


2. Install Kali Linux

Download the Kali VMware 64-bit VM from:

https://www.kali.org/get-kali/#kali-virtual-machines

For Apple devices (ARM64 version):

https://www.kali.org/get-kali/#kali-virtual-machines

Alternative instructions for Apple Silicon:
Install Kali Linux ARM on Apple Silicon Instructions for QEMU

For additional installation help:
https://www.kali.org/docs/installation/

Default Credentials:

User: kali
Pass: kali

3. Update Kali Linux

After booting Kali, open Terminal and run:

sudo apt update -y
sudo apt upgrade -y
sudo apt dist-upgrade -y

This ensures your system and tools are fully updated.


4. Update User Accounts

It is important to change default credentials and create a new user.

sudo passwd kali
sudo useradd -m hapihacker
sudo usermod -a -G sudo hapihacker
sudo chsh -s /bin/zsh hapihacker
sudo passwd hapihacker

This improves security and prepares your environment for professional practice.


5. Install Burp Suite Community Edition

Burp Suite usually comes preinstalled in Kali. If not:

sudo apt-get install burpsuite -y

Install Jython

Download from:
https://www.jython.org/download.html

Add the Jython .jar file in Burp under Extension Options so that Python extensions such as Autorize can load.

Install Autorize Extension

  • Go to Extensions → BApp Store
  • Search for Autorize
  • Install it

6. Proxy Traffic Setup

Capturing HTTP traffic is critical for API testing.

You may use:

  • Built-in Burp Suite browser
  • FoxyProxy (recommended for reverse engineering APIs)

Install FoxyProxy Standard (Firefox)

Open Firefox and:

  1. Press CTRL + Shift + A
  2. Search for FoxyProxy Standard
  3. Install it

Configure Proxy 1 (BurpSuite)

  • Host: 127.0.0.1
  • Port: 8080
  • Rename: BurpSuite

Configure Proxy 2 (Postman)

  • Host: 127.0.0.1
  • Port: 5555
  • Rename: Postman

7. Install Burp Suite Certificate

  1. Start Burp Suite
  2. Enable BurpSuite proxy (8080)
  3. Visit: http://burpsuite
  4. Download CA Certificate
  5. Import certificate into browser (Firefox or Chrome)

After importing the PortSwigger CA certificate, HTTPS interception will work correctly.


8. MITMweb Certificate Setup

Stop Burp Suite (since it uses port 8080).

Start mitmweb:

mitmweb

  1. Enable FoxyProxy (8080)
  2. Visit: mitm.it
  3. Download mitmproxy-ca-cert.pem
  4. Import certificate into Firefox
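
The listener check below is an added example, not part of the original guide: it reads `ss -ltn` output and reports whether each proxy port configured in FoxyProxy (8080 and 5555) is listening on loopback only, exposed on another address, or down. The function name `check_listeners` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify proxy listeners from `ss -ltn` output.

# check_listeners "PORT PORT ..." < ss-output
# Prints "<port> loopback|exposed|down" for each requested port.
check_listeners() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, want, " ") }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)      # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)  # text before it
            gsub(/\[|\]/, "", host)              # drop IPv6 brackets
            for (i = 1; i <= n; i++) {
                if (port != want[i]) continue
                if (host !~ /^127\./ && host != "::1") state[port] = "exposed"
                else if (!(port in state)) state[port] = "loopback"
            }
        }
        END {
            for (i = 1; i <= n; i++)
                print want[i], ((want[i] in state) ? state[want[i]] : "down")
        }
    '
}

# Constructed sample of `ss -ltn` output (not captured from a real lab):
# a web UI on 8081, a proxy bound to every interface on 8080,
# and a loopback-only proxy on 5555.
SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128        127.0.0.1:8081       0.0.0.0:*
LISTEN 0      100                *:8080             *:*
LISTEN 0      50         127.0.0.1:5555       0.0.0.0:*'

printf '%s\n' "$SAMPLE" | check_listeners "8080 5555"
```

On the lab VM, run `ss -ltn | check_listeners "8080 5555"`. If 8080 shows `exposed` while mitmweb is running, restart it with `mitmweb --listen-host 127.0.0.1`.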

9. Install Postman

Postman is required for API request testing.

sudo wget https://dl.pstmn.io/download/latest/linux64 -O postman-linux-x64.tar.gz && sudo tar -xvzf postman-linux-x64.tar.gz -C /opt && sudo ln -s /opt/Postman/Postman /usr/bin/postman

10. Install Git

sudo apt-get install git

11. Install Docker

sudo apt install docker.io -y
sudo apt-get install docker.io docker-compose

12. Install mitmproxy2swagger

git clone https://github.com/alufers/mitmproxy2swagger.git
cd mitmproxy2swagger
sudo docker build -t mitmproxy2swagger .

13. Install Go

sudo apt install golang-go

14. Install JSON Web Token Toolkit v2

cd /opt
sudo git clone https://github.com/ticarpi/jwt_tool
cd jwt_tool
python3 -m pip install -r requirements.txt --break-system-packages

Optional alias:

sudo chmod +x jwt_tool.py
sudo ln -s /opt/jwt_tool/jwt_tool.py /usr/bin/jwt_tool

15. Install Sublime Text

Install GPG key:

wget -qO - https://download.sublimetext.com/sublimehq-pub.gpg | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/sublimehq-archive.gpg > /dev/null

Select stable channel:

echo "deb https://download.sublimetext.com/ apt/stable/" | sudo tee /etc/apt/sources.list.d/sublime-text.list

Install:

sudo apt-get update
sudo apt-get install sublime-text

16. Install Kiterunner

# Clone under /opt so the symlink target below exists
cd /opt
sudo git clone https://github.com/assetnote/kiterunner.git
cd kiterunner
sudo make build
sudo ln -s /opt/kiterunner/dist/kr /usr/bin/kr
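
Sections 9, 14 and 16 each finish by creating a symlink in /usr/bin with `ln -s`, which succeeds even when the target path does not exist (for example, when the repository was cloned somewhere other than /opt). The check below is an added example, not part of the original guide; the function names `check_link` and `check_lab` are hypothetical.

```shell
#!/bin/sh
# Added example: verify the launchers this guide links into /usr/bin.

# check_link PATH -> prints one of:
#   ok        exists and is executable
#   dangling  symlink whose target does not exist
#   not-exec  exists but has no execute permission (chmod +x was skipped)
#   missing   nothing at that path
check_link() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then echo dangling
    elif [ ! -e "$1" ]; then echo missing
    elif [ ! -x "$1" ]; then echo not-exec
    else echo ok
    fi
}

# check_lab BIN_DIR -> prints "name status" for postman, jwt_tool and kr;
# returns non-zero if any of them is not "ok".
check_lab() {
    bin_dir=$1
    rc=0
    for name in postman jwt_tool kr; do
        status=$(check_link "$bin_dir/$name")
        echo "$name $status"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

check_lab /usr/bin || echo "Recreate the links marked dangling or missing."
```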

17. Install Arjun

sudo git clone https://github.com/s0md3v/Arjun.git
cd Arjun
pip3 install arjun --break-system-packages

18. Install OWASP ZAP

Install:

sudo apt install zaproxy

Tool reference:
https://www.kali.org/tools/zaproxy/

After installation:

  • Press CTRL + U
  • Update:
    • Fuzzer
    • OpenAPI Support

19. Useful Wordlists

SecLists

sudo wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip \
&& sudo unzip SecList.zip \
&& sudo rm -f SecList.zip

Hacking-APIs

sudo wget -c https://github.com/hAPI-hacker/Hacking-APIs/archive/refs/heads/main.zip -O HackingAPIs.zip \
&& sudo unzip HackingAPIs.zip \
&& sudo rm -f HackingAPIs.zip
