REST Security Learning Platform

Welcome to the REST Security Learning Platform

This platform provides hands-on experience with REST API security vulnerabilities and authentication mechanisms. Choose from the available services below to explore different security challenges.

DOs and DON'Ts

Use the verifier that is specified in the exercise. If not specified, set the value to secure.
Solve the tasks by executing the attack in the task description. Using information from previous attacks is not allowed. For instance, a SQLi attack allows you to read the entire database and solve all tasks.
Use the provided OpenAPI files and consider only the paths described in this file.
During your API investigations, you may manipulate the database and thus change the behavior of the API. By calling the /reset endpoint, you can reset the database. This is required when you:

... made a mistake and you need to start from the beginning.
... start investigating a new verifier.

Vulnerable Users API

Easy - Medium

This API contains a user database with read/write access.

Username	Password
natasha_romanoff	blackwidow456

The permissions look as follows:

All normal users can authenticate, read, and update their own profile.
Normal users should not get any further information about any other users.
Only admin users can update the role of users.
Consider every attack as successful when you receive an answer from the server that you have an admin role.

Download OpenAPI

Download Postman Collection

Vulnerable Reports API

Medium - Hard

The API allows users to view, create, delete, and update reports. There are different departments with restricted access between them.

Username	Password
bgreen	password5
asmith	password2

The permissions look as follows:

Employee users can view and update their own reports.
Employee can create reports only for their department.
Manager users can view and update all reports in their department.
Manager users can create reports only for their department.

Download OpenAPI

Download Postman Collection

Vulnerable Shop API

Hard

The API allows simulating an e-commerce marketplace.

Username	Password
user1	password1
seller1	password3

The permissions look as follows:

Customer users can view the shop id.
Customer users can view product information: name, price, picture, id, description.
Seller users can update the products of their shop(s).
Customer and seller users are not allowed to see any information of other users.

Download OpenAPI

Download Postman Collection

Vulnerable Users API

Easy - Medium

Username	Password
natasha_romanoff	blackwidow456

Analyze the Users API OpenAPI file. Consider only endpoints with the tag Warm-up. Authenticate as natasha_romanoff and answer the following questions.

What is your user’s ID and role?

Which paths can you use to figure out your Id and role?

Vulnerable Reports API

Medium - Hard

Username	Password
bgreen	password5
asmith	password2

Analyze the Reports API OpenAPI file. Consider only endpoints with the tag Warm-up. Authenticate as bgreen and answer the following questions.

What is your user’s ID and role?

Which paths can you use to figure out your Id and role?

Determine how you can update the name of your own reports? Which path do you need to invoke?

Vulnerable Shop API

Hard

Username	Password
user1	password1
seller1	password3

Analyze the Shop API OpenAPI file. Consider only endpoints with the tag Warm-up. Authenticate as user1 and answer the following questions.

What is your user’s ID and role?

Do you own shops? If yes, name their IDs?

Who owns the shop Adventure Goods? Name the owner’s ID?

How much does the BMX cost in the shop Bike World?

Vulnerable Users API

Easy - Medium

Username	Password
natasha_romanoff	blackwidow456

Analyze the Users API OpenAPI file. Consider only endpoints with the tag BOLA. There are three Broken Object Level Authorization (BOLA) vulnerabilities in the API. For each vulnerability, you should use verifier=bola-1/2/3 during your investigations. Authenticate as natasha_romanoff and find the vulnerabilities.

Vulnerability 1: verifier=bola-1

💡 Hint?

Consider all paths with the tag BOLA.

Vulnerability 2: verifier=bola-2

💡 Hint?

Consider all paths with the tag BOLA.

Vulnerability 3: verifier=bola-3

💡 Hint?

Consider all paths with the tag BOLA.

Vulnerable Reports API

Medium - Hard

Username	Password
bgreen	password5
asmith	password2

Analyze the Reports API OpenAPI file. Consider only endpoints with the tag BOLA. Consider that users can see only their own reports while managers can see reports of other users only from the same company.

💡 Hint?

To discover the vulnerabilities you need to authenticate with different roles.

Vulnerability 1

Vulnerability 2

Vulnerable Users API

Easy - Medium

Username	Password
natasha_romanoff	blackwidow456

Analyze the Users API OpenAPI file. Consider only endpoints with the tag Authentication Bypass. There are 10 vulnerabilities in the API. For each vulnerability, you should use verifier=auth-1/2/3/4/5/6/7/8/9 during your investigations. Your goal is to authenticate as admin in the role of super_admin.

Vulnerability 1: verifier=auth-1. Find the .

💡 Hint?

Does the authentication work properly? Investigate the access_token.

Vulnerability 2: verifier=auth-2. Find the .

💡 Hint?

Are there multiple mechanisms to authenticate simultaneously?

Vulnerability 3: verifier=auth-3. Find the . Consider attacks related to JWT tokens.

💡 Hint?

What should you always do first before starting any attack?

Vulnerability 4: verifier=auth-4. Find the . Consider attacks related to JWT tokens.

💡 Hint?

Perhaps, some insecure signing algorithms are supported?

Vulnerability 5: verifier=auth-5. Find the . Consider attacks related to JWT tokens.

💡 Hint?

What about different speLliNgS of the algorithm?

Vulnerability 6: verifier=auth-6. Find the . Consider attacks related to JWT tokens.

💡 Hint?

Perhaps, a confusion between symmetric and asymmetric cryptography is applicable. There was an interesting bug recently, in which the modulus was used for HMAC verification.

Vulnerability 7: verifier=auth-7. Find the . Consider attacks related to JWT tokens.

💡 Hint?

Perhaps, a confusion between symmetric and asymmetric cryptography is applicable. The PEM format is just so simple and intuitive. Sometimes, secrets are base64 encoded, so make sure to check the secret base64 encoded checkbox on JWT.io.

Vulnerability 8: verifier=auth-8. Find the . Consider attacks related to JWT tokens.

💡 Hint?

Trust establishment is essential for JWTs. Generating your own key should be no problem for you.

Vulnerability 9: verifier=auth-9

💡 Hint?

Concentrate on Local File Inclusion (LFI) and Server-Side Request Forgery (SSRF).

Vulnerable Users API

Easy - Medium

Username	Password
natasha_romanoff	blackwidow456

Analyze the Users API OpenAPI file. Consider only endpoints with the tag BOPLA. Authenticate as natasha_romanoff and upgrade your role to admin. Set the verifier=bopla-1.

Vulnerable Reports API

Medium - Hard

Username	Password
bgreen	password5
asmith	password2

Analyze the Reports API OpenAPI file. Consider only endpoints with the tag BOPLA. Authenticate with an user having the role employee and find the vulnerabilities. There are two paths vulnerable to Broken Object Property Level Authorization (BOPLA). Find them, describe the problem, and the security impact.

💡 Hint?

Concentrate on Mass assignment.

Vulnerable Shop API

Hard

Username	Password
user1	password1
seller1	password3

Analyze the Shop API OpenAPI file. Consider only endpoints with the tag BOPLA.

Authenticate as user1. Two paths are vulnerable to Excessive Data Exposure by exposing unnecessary sensitive information. Name the paths and describe the problem.

Authenticate as user1. The API is vulnerable to Mass assignment. Discover the two paths allowing you as a customer to overwrite sensitive properties of objects.

Authenticate as seller1. There paths are vulnerable to Excessive Data Exposure by exposing unnecessary sensitive information. Name the paths and describe the problem.

Vulnerable Users API

Easy - Medium

Username	Password
natasha_romanoff	blackwidow456

Analyze the Users API OpenAPI file. Consider only endpoints with the tag BFLA. Authenticate as natasha_romanoff. There is one path vulnerable to Broken Function Level Authorization (BFLA). Describe the problem and the security impact.

Vulnerable Shop API

Hard

Username	Password
user1	password1
seller1	password3

Analyze the Shop API OpenAPI file. Consider only endpoints with the tag BFLA. Authenticate as seller1. There are two paths vulnerable to Broken Function Level Authorization (BFLA). Describe the problem and the security impact.

Vulnerable Reports API

Medium - Hard

Username	Password
bgreen	password5
asmith	password2

Analyze the Reports API OpenAPI file. Authenticate as an user having the role employee. Determine which path and the corresponding parameters are vulnerable to Server-side Request Forgery (SSRF). Show how to exploit the vulnerability.

Vulnerable Shop API

Hard

Username	Password
user1	password1
seller1	password3

Analyze the Shop API OpenAPI file. Authenticate as seller1. Determine which path and the corresponding parameters are vulnerable to Server-side Request Forgery (SSRF). Show how to exploit the vulnerability.

Vulnerable Users API

Easy - Medium

Username	Password
natasha_romanoff	blackwidow456

Analyze the Users API OpenAPI file. Consider only endpoints with the tag SM. There are Security Misconfiguration (SM) vulnerabilities in the API. For each vulnerability, you should use verifier=sm-1/2/3/4/5 during your investigations. Authenticate as natasha_romanoff and find the vulnerabilities.

Vulnerability 1: verifier=sm-1

💡 Hint?

Concentrate on error messages.

Vulnerability 2: verifier=sm-2

💡 Hint?

Concentrate on error messages.

Vulnerability 3: verifier=sm-3

💡 Hint?

Concentrate on deviation in the behavior in dependence of the input.

Vulnerability 4: verifier=sm-4

💡 Hint?

Concentrate on deviation of error messages.

Vulnerability 5: verifier=sm-5

💡 Hint?

Does the API properly sanitize inputs?

Vulnerable Reports API

Medium - Hard

Username	Password
bgreen	password5
asmith	password2

Analyze the Reports API OpenAPI file. Consider only endpoints with the tag Unsafe API. Authenticate as an arbitrary user. Some paths are vulnerable to Unsafe Consumption of APIs by parsing XML files. Your task is to determine which path is vulnerable and describe the security problem.