Vulnerable API: vulnerable to a number of vulnerabilities on the OWASP API top 10
Vulnerable API
This is a Laravel app that I've used for several demos; it is vulnerable to a number of the issues on the OWASP API Top 10. This is not a CTF: the bugs are quite clear and not hidden. However, I suspect it will be a useful demo!
Vulnerabilities
Find out more about the OWASP API Top 10
- API1:2019 Broken Object Level Authorization
- API2:2019 Broken User Authentication
- API3:2019 Excessive Data Exposure
- API5:2019 Broken Function Level Authorization
- API6:2019 Mass Assignment
- API7:2019 Security Misconfiguration
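As an added illustration of two of the categories above, API1 (Broken Object Level Authorization) and API6 (Mass Assignment), here is the shape in which they typically appear in a Laravel controller for the grade-editing goal listed further down, next to the hardened form. This is example code written for this page, not code from the repository: the `Grade` model, its `teacher_id`, `score` and `comment` columns, the controller names and the route paths are all assumptions for the illustration.

```php
<?php
// Added illustration, not the repository's code. Model, column, controller
// and route names below are assumed for the example.

namespace App\Http\Controllers;

use App\Models\Grade;
use Illuminate\Http\Request;

// Assumed model for the example (App\Models\Grade). A demo app that sets
// `protected $guarded = [];` switches off Eloquent's default mass-assignment
// guard, which is what makes the vulnerable controller below exploitable.
// The hardened version assumes `protected $fillable = ['score', 'comment'];`.

// ---- Vulnerable pattern: produces an API1 and an API6 finding ----
class VulnerableGradeController extends Controller
{
    // PUT /api/grades/{id}
    public function update(Request $request, int $id)
    {
        // API1: any authenticated caller reaches any grade just by changing
        // {id}; nothing ties the record to the caller.
        $grade = Grade::findOrFail($id);

        // API6: every request field is written straight to the model, so a
        // client can set columns this endpoint never meant to expose
        // (student_id here; is_admin on a user model built the same way).
        $grade->update($request->all());

        return response()->json($grade);
    }
}

// ---- Hardened pattern ----
class GradeController extends Controller
{
    // PUT /api/grades/{grade}  (route-model binding resolves {grade})
    public function update(Request $request, Grade $grade)
    {
        // API1 fix: object-level check of the caller against the record.
        // A Policy class (App\Policies\GradePolicy) is the idiomatic home for
        // this rule; the inline form keeps the example self-contained.
        abort_unless($request->user()->id === $grade->teacher_id, 403);

        // API6 fix: allow-list and validate the writable fields. validate()
        // returns only the listed keys, so anything else the client sends
        // never reaches the model, and $fillable on the model backs this up.
        $data = $request->validate([
            'score'   => ['required', 'integer', 'between:0,100'],
            'comment' => ['nullable', 'string', 'max:500'],
        ]);

        $grade->update($data);

        return response()->json($grade);
    }
}
```

When reviewing an API like this one, the two things to look for are the same two lines: an `update()`/`create()` fed by `$request->all()` (or `$request->input()` without a key) on a model with `$guarded = []`, and a lookup by client-supplied id with no comparison against `$request->user()`.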
Your Goals
- Find the emails of the administrator
- Brute force the API to find new endpoints
- Find out what grades everyone got in a class
- Edit someone’s grade
- Make an account
- Access the GraphQL API
- Change another account’s password
- Log in to your account
- Access admin API
- Find out what vulnerabilities the IT admins have ignored
- Make your account an admin
- Access the admin control panel
- Fire a blind XSS in the admin control panel and validate with your new admin account
- Delete everything
- Restore everything