Lab: https://tryhackme.com/room/owaspapisecuritytop105w
You're basically spinning up a Windows VM + Talend API Tester + vulnerable Laravel app.
➡️ This environment is pre-configured for testing API vulnerabilities.
- Connected to VM successfully
- Tools auto-launched
- Ready for API testing
API = bridge between applications.
- Client sends request
- Server responds
- Defined via API documentation
APIs are core building blocks of modern apps
- LinkedIn → 700M users scraped via API
- Twitter → 5.4M users exposed
- PIXLR → 1.9M records leaked
➡️ Lesson: APIs = high-value attack surface
- Sample records → 1 million
- API docs useless? → No (nay)
API exposes data using IDs but doesn't check who is requesting.
➡️ ID change = data leak
GET /apirule1_v/user/1
➡️ Returns user data without any auth check.
GET /apirule1_v/user/2
➡️ Just increment ID → access other users.
- Total employees → 3
- Flag (ID=2) → THM{838123}
- Username (ID=3) → Bob
- No authorization check
- Predictable IDs
- Direct object reference
- Authorization tokens
- Role validation
- Use UUIDs
Login system is flawed → password not validated.
POST /apirule2/user/login_v
email=hr@mht.com&password=anything
➡️ Login works even with wrong password
cOC%Aonyis%H)mZ&uJkuI?_W#4&m>Y
➡️ Token issued without proper auth.
GET /apirule2/user/details
Authorization-Token: <token>
➡️ Full account takeover.
- SQL checks only email
- Password ignored
- Token issued blindly
- Validate password properly
- Use hashing (bcrypt)
- MFA + JWT
- GET request for creds? → No (nay)
API returns too much information, expecting frontend to filter.
➡️ Attacker intercepts raw response → gets secrets.
GET /apirule3/comment_v/2
➡️ Returns full dataset including hidden fields.
- Device ID → iOS15.411
GET /apirule3/comment_v/3
➡️ Username → hacker#!
- Backend sends everything
- No filtering
- Trusting frontend
- Return minimal data
- Avoid generic serializers
- Validate API responses
- Network-level fix only? → No (nay)
No request limits → attackers can spam endpoints.
➡️ Leads to DoS or financial abuse.
POST /apirule4/sendOTP_s
email=hr@mht.com
➡️ Response → 200
POST /apirule4/sendOTP_s
email=sale@mht.com
Invalid Email
- No rate limiting
- Unlimited requests
- Resource exhaustion
- Rate limiting (time-based)
- CAPTCHA
- Request quotas
- Rate limiting at network level? → Yes (yea)
User can escalate privileges by manipulating request parameters.
GET /apirule5/users_v
Authorization-Token: YWxpY2U6dGVzdCFAISM6Nzg5Nzg=
isAdmin: 1
➡️ Normal user accesses admin data
- Alice mobile → +1235322323
- Admin flag → THM{3432$@#2!}
- Trusting client input (isAdmin)
- No backend role validation
- Enforce RBAC server-side
- Ignore client-controlled role fields
- isAdmin in hidden field safe? → No (nay)
This lab basically drills 5 core API failures:
- BOLA → ID-based data leaks
- BUA → Broken login logic
- Data Exposure → Too much data returned
- No Rate Limiting → Abuse possible
- Function Auth → Privilege escalation
APIs fail mainly due to trust assumptions:
- Trusting IDs → BOLA
- Trusting login → BUA
- Trusting frontend → Data leak
- No limits → Abuse
- Trusting user roles → Admin bypass
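Added example, not code from the room or its Laravel app: a framework-free Python model of the user lookup endpoint that removes the three trust assumptions above at once (BOLA, excessive data exposure, client-supplied isAdmin). Tokens, users and records are constructed sample data; the function names and session layout are assumptions, not the lab's implementation.

```python
# Added example (not the lab's code). Server-side state is constructed sample data.

# Who is calling and what role they hold come only from the server-side session
# store; the Authorization-Token header is a lookup key, never a source of role.
SESSIONS = {
    "tok-alice": {"id": 1, "role": "user"},
    "tok-hr":    {"id": 2, "role": "admin"},
    "tok-bob":   {"id": 3, "role": "user"},
}

# Backend records hold more than any client should ever receive (constructed).
USERS = {
    1: {"id": 1, "username": "alice", "mobile": "+1235322323", "password_hash": "$2y$sample"},
    2: {"id": 2, "username": "hr",    "mobile": "+1000000000", "password_hash": "$2y$sample"},
    3: {"id": 3, "username": "bob",   "mobile": "+1999999999", "password_hash": "$2y$sample"},
}

# Explicit allowlist of fields the API is allowed to serialize (rule 3 fix).
RESPONSE_FIELDS = ("id", "username", "mobile")


def get_user_vulnerable(headers, target_id):
    """Pattern the lab demonstrates: no caller check, whole record returned.
    Incrementing target_id walks every user, and password_hash leaks with it."""
    record = USERS.get(target_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, dict(record)


def get_user(headers, target_id):
    """Hardened GET /user/{id}: returns (status, body) like an HTTP handler."""
    caller = SESSIONS.get(headers.get("Authorization-Token", ""))
    if caller is None:
        return 401, {"error": "unauthenticated"}
    # Any isAdmin header or body field sent by the client is deliberately ignored;
    # the role is read from the session record the server created at login.
    is_admin = caller["role"] == "admin"
    record = USERS.get(target_id)
    if record is None:
        return 404, {"error": "not found"}
    # Object-level authorization: you get your own record, or you are an admin.
    if caller["id"] != target_id and not is_admin:
        return 403, {"error": "forbidden"}
    # Serialize from the allowlist so hashes and internal fields never leave.
    return 200, {k: record[k] for k in RESPONSE_FIELDS}
```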
If this helped, connect here:
- GitHub: https://github.com/AdityaBhatt3010
- LinkedIn: https://www.linkedin.com/in/adityabhatt3010/
- Medium: https://medium.com/@adityabhatt3010
More writeups soon → cleaner, deeper, and slightly unhinged