API Badge

54 Completed
43 Videos
41 Exercises

The API badge is our set of exercises created to help you learn API testing. The first few challenges are based on challenges you already solved, to make you more confident with API testing and to let you review your knowledge and methodology. Then, harder challenges are provided to get you to the next level.

Exercises

Easy
API 01
  • This exercise is the API version of an exercise you already solved in the Essential Badge. You should use it to get more confident with discovering vulnerabilities without any hint on what to look for.
  • 1 video
  • Completed by 3335 students
  • Takes < 1 Hr. on average
  • Rails/Angular
  • API
  • CWE-639,CWE-284

 

Easy
API 02
  • This exercise is the API version of an exercise you already solved in another badge. You should use it to get more confident with discovering vulnerabilities without any hint on what to look for.
  • 1 video
  • Completed by 2838 students
  • Takes < 1 Hr. on average
  • Rails/Angular
  • API
  • CWE-327

 

Easy
API 03
  • This exercise is the API version of an exercise you already solved in another badge. You should use it to get more confident with discovering vulnerabilities without any hint on what to look for.
  • 1 video
  • Completed by 2233 students
  • Takes < 1 Hr. on average
  • Rails/Angular
  • API
  • CWE-327

 

Easy
API 04
  • This exercise covers how one can inspect JavaScript code to identify unused endpoints.
  • 1 video
  • Completed by 2251 students
  • Takes < 1 Hr. on average
  • Rails/Angular
  • API, Angular
  • CWE-1028

 

Easy
API 05
  • This exercise covers how one can inspect JavaScript code to identify unused endpoints.
  • 1 video
  • Completed by 2070 students
  • Takes < 1 Hr. on average
  • Rails/Angular
  • API, Angular
  • CWE-1028

 

Easy
API 06
  • This exercise covers how one can inspect JavaScript code to identify unused endpoints.
  • 1 video
  • Completed by 1784 students
  • Takes < 1 Hr. on average
  • Rails/Angular
  • API, Angular
  • CWE-1028

 

Medium
API 07
  • This exercise covers how one can inspect JavaScript code to identify information leaks.
  • 1 video
  • Completed by 1648 students
  • Takes < 1 Hr. on average
  • Rails/Angular
  • API, Angular
  • CWE-950

 

Medium
API 08
  • This exercise covers how one can inspect HTTP responses to identify information leaks.
  • 1 video
  • Completed by 1561 students
  • Takes < 1 Hr. on average
  • Rails/Angular
  • CWE-200

 

Medium
API 09
  • This exercise covers how one can inspect HTTP responses to identify information leaks.
  • 1 video
  • Completed by 761 students
  • Takes < 1 Hr. on average
  • Rails/Angular

 

Medium
API 10
  • This exercise covers a common filter bypass in an API.
  • 1 video
  • Completed by 628 students
  • Takes < 1 Hr. on average
  • Golang/Vue

 

Medium
API 11
  • This exercise covers a common filter bypass in an API.
  • 1 video
  • Completed by 568 students
  • Takes < 1 Hr. on average
  • Golang/Vue

 

Medium
API 12
  • This exercise covers a common filter bypass in an API.
  • 1 video
  • Completed by 536 students
  • Takes < 1 Hr. on average
  • Golang/Vue

 

Hard
API 13
  • This exercise covers a complex filter bypass in an API.
  • 1 video
  • Completed by 484 students
  • Takes < 1 Hr. on average
  • Golang/Vue

 

Medium
API 14
  • This exercise covers how to exploit a leaked encrypted password with an API.
  • 1 video
  • Completed by 498 students
  • Takes < 1 Hr. on average
  • Golang/Vue

 

Hard
API 15
  • This exercise covers how to exploit a leaked encrypted password with an API.
  • 1 video
  • Completed by 441 students
  • Takes < 1 Hr. on average
  • Golang/Vue

 

Medium
API 16
  • This exercise covers how to exploit an authorization issue in an API.
  • 2 videos
  • Completed by 346 students
  • Takes < 1 Hr. on average
  • Golang

 

Medium
API 17
  • This exercise covers how to exploit an authorization issue in an API.
  • 2 videos
  • Completed by 261 students
  • Takes < 1 Hr. on average
  • Golang

 

Medium
API 18
  • This exercise covers how to exploit an authorization issue in an API.
  • 2 videos
  • Completed by 247 students
  • Takes < 1 Hr. on average
  • Golang

 

Medium
API 19
  • This exercise covers how to exploit an authorization issue in an API.
  • 1 video
  • Completed by 263 students
  • Takes < 1 Hr. on average
  • Golang

 

Medium
API 20
  • This exercise covers how to exploit an authorization issue in an API.
  • 1 video
  • Completed by 243 students
  • Takes < 1 Hr. on average
  • Golang

 

Easy
API JWT REVOCATION
  • This exercise covers how to bypass a weak JWT Revocation Mechanism.
  • 1 video
  • Completed by 261 students
  • Takes < 1 Hr. on average
  • Ruby-on-Rails
  • jwt

 

Medium
API Mass-Assignment 01
  • 1 video
  • Completed by 258 students
  • Takes < 1 Hr. on average
  • Ruby-on-Rails

 

Medium
API Mass-Assignment 02
  • 1 video
  • Completed by 237 students
  • Takes < 1 Hr. on average
  • Ruby-on-Rails

 

Medium
API Mass-Assignment 03
  • 1 video
  • Completed by 211 students
  • Takes < 1 Hr. on average
  • Ruby-on-Rails

 

Easy
API Payments 01
  • This exercise covers a simple payments bypass.
  • 2 videos
  • Completed by 1807 students
  • Takes < 1 Hr. on average
  • Rails/Angular
  • API
  • CWE-288,CWE-354,CWE-472

 

Medium
API Payments 02
  • This exercise covers a simple payments bypass.
  • 2 videos
  • Completed by 1335 students
  • Takes < 1 Hr. on average
  • Rails/Angular
  • CWE-354,CWE-472

 

Medium
API Payments 03
  • This exercise covers a simple payments bypass.
  • 2 videos
  • Completed by 1173 students
  • Takes < 1 Hr. on average
  • Rails/Angular
  • CWE-354,CWE-472

 

Medium
API Payments 04
  • This exercise covers how to abuse a shopping cart allowing users to apply a voucher.
  • 2 videos
  • Completed by 1076 students
  • Takes < 1 Hr. on average
  • Rails/Angular
  • CWE-472

 

Hard
API Payments 05
  • This exercise covers how to abuse a shopping cart allowing users to apply a voucher.
  • 1 video
  • Completed by 803 students
  • Takes < 1 Hr. on average
  • Rails/Angular
  • CWE-345,CWE-693

 

Medium
API Payments 06
  • This exercise covers a simple payments bypass.
  • 2 videos
  • Completed by 870 students
  • Takes < 1 Hr. on average
  • Rails/Angular
  • CWE-472

 

Medium
API Payments 07
  • This exercise covers a way to manipulate a shopping cart to lower the total amount.
  • 2 videos
  • Completed by 836 students
  • Takes < 1 Hr. on average
  • Rails/Angular
  • CWE-353

 

Easy
GraphQL Authorization 01
  • This exercise covers a simple authorization issue in a GraphQL application.
  • 1 video
  • Completed by 239 students
  • Takes < 1 Hr. on average
  • GraphQL/Node

 

Easy
GraphQL Authorization 02
  • This exercise covers a simple authorization issue in a GraphQL application.
  • 1 video
  • Completed by 251 students
  • Takes < 1 Hr. on average
  • GraphQL/Node

 

Medium
Mongo IDOR
  • This challenge covers how to exploit an IDOR when Mongo IDs are used.
  • 1 video
  • Completed by 1036 students
  • Takes < 1 Hr. on average
  • ROR/MongoDB

 

Medium
Mongo IDOR II
  • This challenge covers how to recover a Mongo ID to leverage an IDOR.
  • Completed by 186 students
  • Takes < 1 Hr. on average
  • ROR/MongoDB

 

Medium
Mongo IDOR III
  • Completed by 119 students
  • Takes < 1 Hr. on average
  • ROR/MongoDB

 

Hard
Mongo IDOR IV
  • Completed by 63 students
  • Takes 2-4 Hrs. on average
  • ROR/MongoDB

 

Medium
ORM LEAK 01
  • This exercise covers how to exploit a simple ORM leak.
  • Completed by 171 students
  • Takes 1-2 Hrs. on average
  • Python

 

Medium
ORM LEAK 02
  • This exercise covers how to exploit an ORM leak vulnerability.
  • Completed by 144 students
  • Takes < 1 Hr. on average
  • Python

 

Medium
ORM LEAK: SQLite
  • This exercise covers how to exploit an ORM leak vulnerability.
  • Completed by 98 students
  • Takes 1-2 Hrs. on average
  • Python

 

Medium
UUIDv1 IDOR
  • Completed by 128 students
  • Takes 1-2 Hrs. on average
  • ROR