API Security

REST, GraphQL, and the flaws that live in the contract itself. Broken object auth, excessive data exposure, mass assignment — the OWASP API Security Top 10 in practice.

11 lessons · 156 min total

Curriculum

11 parts in 5 phases

Foundation · 2 lessons · 24 min

Lesson 1 · Beginner

API Security Overview

The OWASP API Security Top 10: BOLA, broken authentication, excessive data exposure, mass assignment, and rate limiting. How APIs differ from browser-based apps: no browser session, no CSRF token, and no trust boundary that HTTP itself enforces, so every request must carry its own credentials and be authorized on its own.

API · OWASP · Overview
12 min
Lesson 2 · Beginner

API Reconnaissance

Discovering API endpoints, parameters, authentication schemes, and data structures. Swagger/OpenAPI docs, GraphQL introspection, directory brute-force, response fingerprinting — the recon toolkit for API testing.

API · Recon · Discovery
12 min
Offense · Core techniques · 3 lessons · 40 min

Lesson 3 · Intermediate

Broken Object Level Authorization

OWASP API #1. The API trusts the client to supply object IDs without verifying ownership. Change one UUID in a JSON body and read another user's data: the API version of IDOR.

API · BOLA · Authorization
14 min
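An added example, not part of the course material: the same invoice lookup written once without and once with an ownership check, plus the test helper a reviewer would use to prove the difference. The user and invoice IDs, the in-memory store and the NotFound exception are all constructed for this example.

```python
# BOLA: the same invoice lookup without and with an ownership check.

# Constructed in-memory data for this example; the UUIDs are made up.
ALICE = "4c2a7a6e-0d4b-4b5c-9a0e-111111111111"
BOB = "9f1e3d2c-5b6a-4c7d-8e9f-222222222222"
INVOICES = {
    "0f8a3d5c-1111-4a0e-b0e7-aaaaaaaaaaaa": {"owner_id": ALICE, "total": 120.0},
    "0f8a3d5c-2222-4a0e-b0e7-bbbbbbbbbbbb": {"owner_id": BOB, "total": 980.0},
}
ALICE_INVOICE, BOB_INVOICE = list(INVOICES)


class NotFound(Exception):
    """Maps to HTTP 404."""


def get_invoice_vulnerable(caller_id: str, invoice_id: str) -> dict:
    """Trusts the client-supplied ID: any authenticated caller reads any invoice.
    Random UUIDs do not fix this; IDs leak through logs, shared links and other endpoints."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice_fixed(caller_id: str, invoice_id: str) -> dict:
    """Scopes the lookup to the caller (in SQL: WHERE id = ? AND owner_id = ?).
    A foreign object is answered exactly like a missing one (404, not 403) so the
    response does not confirm that the ID exists."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner_id"] != caller_id:
        raise NotFound(invoice_id)
    return inv


def leaks_foreign_object(handler, caller_id: str, foreign_id: str) -> bool:
    """Test helper: True if `handler` lets `caller_id` read an object it does not own."""
    try:
        handler(caller_id, foreign_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    for h in (get_invoice_vulnerable, get_invoice_fixed):
        print(f"{h.__name__}: Alice can read Bob's invoice = "
              f"{leaks_foreign_object(h, ALICE, BOB_INVOICE)}")
```

The check belongs in the data-access call itself (a lookup scoped by owner) rather than in a decorator that is easy to forget on the next endpoint; `leaks_foreign_object` is the kind of two-account test worth running against every object-returning route.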
Lesson 4 · Intermediate

Broken Authentication

OWASP API #2. API keys in URLs, missing credential rotation, no rate limit on login, predictable tokens, and the JWT pitfalls specific to API contexts (tokens stored where scripts can read them instead of in HttpOnly cookies, no CSRF token to fall back on, tokens passed in the query string).

API · Auth · JWT
14 min
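An added example, not from the course: a small detector for the "API keys in URLs" problem that scans access-log lines for credentials carried in the query string, classifies them as opaque keys or JWTs, and redacts them so the line can be kept. The log lines, hostnames, key and token values are constructed; the parameter-name list is an assumption to extend for your own API.

```python
# Find and redact credentials that travelled in query strings, from an access log.
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed access-log lines (combined log format); IPs, keys and tokens are fictitious.
LOG_LINES = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /v1/orders?api_key=sk_live_51Hx9A2bQ HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "GET /v1/me?access_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI3In0.abc HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/Mar/2026:12:00:03 +0000] "GET /v1/orders?page=2 HTTP/1.1" 200 4096',
]

REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Assumed parameter names; add whatever your own API or its SDKs use.
SECRET_PARAMS = {"api_key", "apikey", "key", "token", "access_token", "id_token", "password", "secret"}
# Compact JWTs start with base64url("{\"") == "eyJ" and have three dot-separated segments.
JWT = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def credentials_in_url(line: str) -> list:
    """Return (param, kind) pairs for query parameters that carry a credential."""
    m = REQUEST.search(line)
    if not m:
        return []
    found = []
    for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            found.append((name, "jwt" if JWT.match(value) else "opaque"))
        elif JWT.match(value):  # a token under an unexpected parameter name
            found.append((name, "jwt"))
    return found


def redact(line: str) -> str:
    """Mask credential values so the line can be retained without the secret."""
    m = REQUEST.search(line)
    if not m:
        return line
    parts = urlsplit(m["target"])
    flagged = {name for name, _ in credentials_in_url(line)}
    masked = "&".join(f"{n}={'[REDACTED]' if n in flagged else v}"
                      for n, v in parse_qsl(parts.query, keep_blank_values=True))
    return line.replace(m["target"], urlunsplit(parts._replace(query=masked)))


if __name__ == "__main__":
    for line in LOG_LINES:
        print(credentials_in_url(line), "->", redact(line))
```

A credential in the query string is written to every proxy, CDN and application log on the path and can leak through the Referer header and browser history; the fix is to accept it only in the Authorization header and to reject (not just log) the query-string form once clients have migrated.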
Lesson 5 · Intermediate

Excessive Data Exposure

OWASP API #3. The API returns the full database row — password hash, internal notes, PII — and trusts the client to only render what it needs. Over-fetching in REST and the GraphQL query depth problem.

API · Exposure · Data Leak
12 min
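An added example, not from the course: a serializer that returns the whole row beside one that projects an explicit per-audience allowlist, and a `find_leaks` walker that can be dropped into API tests to assert that forbidden fields never appear anywhere in a response body. The user row and field lists are constructed.

```python
# Excessive data exposure: serializing the full row vs an explicit projection.
from typing import Any, Iterable

# Constructed sample row, as an ORM might hand it to the view layer.
USER_ROW = {
    "id": 7,
    "display_name": "alice",
    "email": "alice@example.com",
    "phone": "+1-555-0100",
    "password_hash": "$2b$12$abcdefghijklmnopqrstuv",
    "internal_notes": "flagged by fraud team",
}


def serialize_user_vulnerable(row: dict) -> dict:
    """Whatever the database returns goes on the wire; the client is trusted to hide it."""
    return dict(row)


# Fields are opted in per audience, never opted out, so a column added to the table
# next month is not exposed by default.
PUBLIC_FIELDS = ("id", "display_name")
SELF_FIELDS = PUBLIC_FIELDS + ("email", "phone")
NEVER_SERIALIZED = {"password_hash", "internal_notes"}


def project(row: dict, fields: Iterable[str]) -> dict:
    fields = tuple(fields)
    assert NEVER_SERIALIZED.isdisjoint(fields), "allowlist contains a forbidden field"
    return {k: row[k] for k in fields if k in row}


def serialize_user_fixed(row: dict, viewer_id: int) -> dict:
    return project(row, SELF_FIELDS if viewer_id == row["id"] else PUBLIC_FIELDS)


def find_leaks(payload: Any, path: str = "$") -> list:
    """Walk a response body (nested dicts/lists) and return JSON paths of forbidden keys."""
    leaks = []
    if isinstance(payload, dict):
        for k, v in payload.items():
            here = f"{path}.{k}"
            if k in NEVER_SERIALIZED:
                leaks.append(here)
            leaks.extend(find_leaks(v, here))
    elif isinstance(payload, list):
        for i, v in enumerate(payload):
            leaks.extend(find_leaks(v, f"{path}[{i}]"))
    return leaks


if __name__ == "__main__":
    print("vulnerable:", find_leaks(serialize_user_vulnerable(USER_ROW)))
    print("fixed, other viewer:", serialize_user_fixed(USER_ROW, 1))
    print("fixed, self:", serialize_user_fixed(USER_ROW, 7))
```

The projection is the same idea as a GraphQL resolver that only exposes declared fields; `find_leaks` is useful precisely because exposure usually happens in nested objects (an order that embeds its customer) rather than in the top-level resource.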
Offense · Deep extraction · 3 lessons · 42 min

Lesson 6 · Advanced

API Mass Assignment

OWASP API #6. The framework binds every field in the JSON body to a model attribute. Send is_admin=true or role=admin in a PATCH request and the model writes it without any explicit code.

API · Mass Assignment · Binding
12 min
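An added example, not the course's own code: the auto-binding PATCH handler that writes every key of the body, beside one that binds only a declared set of client-writable fields with their types and rejects anything else. The user record, request body and field list are constructed for the example.

```python
# Mass assignment: blind binding of the request body vs an explicit writable-field schema.

# Constructed sample state and request body.
USER = {"id": 7, "display_name": "alice", "email": "alice@example.com",
        "role": "user", "is_admin": False}
PATCH_BODY = {"display_name": "Alice", "is_admin": True, "role": "admin"}


def patch_user_vulnerable(user: dict, body: dict) -> dict:
    """Framework-style auto-binding: every key in the body becomes an attribute write."""
    for key, value in body.items():
        user[key] = value
    return user


# Client-writable fields and their expected JSON types. Everything else (id, role,
# is_admin, owner_id, balance, ...) is server-controlled and changes only through
# dedicated, separately authorised endpoints.
WRITABLE = {"display_name": str, "email": str, "bio": str}


class BadRequest(Exception):
    """Maps to HTTP 400."""


def patch_user_fixed(user: dict, body: dict) -> dict:
    unknown = sorted(set(body) - set(WRITABLE))
    if unknown:
        # Reject rather than silently drop: a body that names is_admin is worth a log line.
        raise BadRequest(f"read-only or unknown fields: {unknown}")
    for key, value in body.items():
        if not isinstance(value, WRITABLE[key]):
            raise BadRequest(f"{key}: expected {WRITABLE[key].__name__}")
        user[key] = value
    return user


def is_rejected(body: dict) -> bool:
    """Test helper: does the fixed handler refuse this body without touching the record?"""
    try:
        patch_user_fixed(dict(USER), body)
        return False
    except BadRequest:
        return True


if __name__ == "__main__":
    print("vulnerable:", patch_user_vulnerable(dict(USER), dict(PATCH_BODY)))
    print("fixed rejects privilege fields:", is_rejected(PATCH_BODY))
```

Silently ignoring unknown fields is the common framework default and is safe, but rejecting them turns every probe for `role` or `is_admin` into a 400 you can alert on. Fields such as `email` that are writable but security-relevant still deserve their own flow (re-verification) rather than a plain attribute write.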
Lesson 7 · Advanced

API Rate Limiting & Abuse

OWASP API #4, Lack of Resources & Rate Limiting. Brute-force login via the API (no rate limit means unlimited attempts), resource exhaustion via pagination abuse, GraphQL deep-query cost attacks, and how API gateways throttle.

API · Rate Limiting · Abuse
14 min
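An added example, not from the course: an in-process sliding-window limiter applied to login with two independent budgets (per source IP and per target account), and a clamp for the page-size parameter that pagination abuse relies on. The limits, window lengths and default page size are assumptions to tune for a real service.

```python
# Sliding-window rate limiting keyed per client and per target, plus a pagination clamp.
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allows at most `limit` events per `window` seconds for each key.
    Keeps timestamps in memory; across replicas the counters belong in a shared store."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Two budgets for login: per source IP catches one host spraying many accounts;
# per target account catches a botnet spreading attempts on one account over many IPs.
PER_IP = SlidingWindowLimiter(limit=20, window=60)
PER_ACCOUNT = SlidingWindowLimiter(limit=5, window=300)


def login_attempt_allowed(ip: str, username: str, now: float) -> bool:
    # Both limiters always run, so a request blocked by one is still counted by the other.
    ok_ip = PER_IP.allow(f"ip:{ip}", now)
    ok_acct = PER_ACCOUNT.allow(f"acct:{username.lower()}", now)
    return ok_ip and ok_acct


DEFAULT_PAGE_SIZE, MAX_PAGE_SIZE = 20, 100


def clamp_page_size(requested) -> int:
    """?limit=1000000 must not become a full-table scan: clamp instead of trusting it."""
    try:
        n = int(requested)
    except (TypeError, ValueError):
        return DEFAULT_PAGE_SIZE
    return min(max(n, 1), MAX_PAGE_SIZE)


if __name__ == "__main__":
    # Constructed: six attempts on one account from six different IPs within five minutes.
    print([login_attempt_allowed(f"10.0.0.{i}", "alice", 1000.0 + i) for i in range(6)])
    print(clamp_page_size("1000000"), clamp_page_size("-5"), clamp_page_size("abc"))
```

A blocked attempt should return 429 with a Retry-After header and the same response time as an allowed one, and the per-account counter should key on the normalised username so `Alice` and `alice` share a budget.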
Lesson 11 · Advanced

GraphQL Security Deep Dive

Introspection queries, depth limiting, cost analysis, field-level authorization, persisted queries, batching attacks, and the unique attack surface GraphQL exposes compared to REST. Bypassing disabled introspection via schema guessing.

GraphQL · API · Introspection
16 min
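An added example, not from the course: a pre-execution gate that measures two of the things a GraphQL server should refuse before resolving anything, selection-set depth and alias batching. It works on the raw query text with a small tokenizer rather than a GraphQL library, which is enough for these two measures; the sample queries and limits are constructed.

```python
# Pre-execution checks for GraphQL: selection depth and alias batching.
import re

# Strings and comments are stripped first so braces inside them are not counted.
_STRING = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\])*"')
_COMMENT = re.compile(r"#[^\n]*")
_TOKEN = re.compile(r"[A-Za-z_]\w*|[{}():]")  # names and the punctuation we care about
_PUNCT = "{}():"


def analyse(query: str) -> dict:
    """Max nesting of selection sets and number of aliased fields.
    Every '{' level counts, so '{ user { id } }' has depth 2."""
    cleaned = _COMMENT.sub("", _STRING.sub('""', query))
    tokens = _TOKEN.findall(cleaned)
    depth = max_depth = paren = aliases = 0
    for i, tok in enumerate(tokens):
        if tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        elif paren:
            continue  # inside an argument list: object literals and variables, not selections
        elif tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
        elif tok == ":" and 0 < i < len(tokens) - 1 \
                and tokens[i - 1] not in _PUNCT and tokens[i + 1] not in _PUNCT:
            aliases += 1  # `alias: field` outside an argument list
    return {"depth": max_depth, "aliases": aliases}


def check_query(query: str, max_depth: int = 8, max_aliases: int = 10) -> list:
    """Violations as strings; an empty list means the query may be executed."""
    stats = analyse(query)
    problems = []
    if stats["depth"] > max_depth:
        problems.append(f"depth {stats['depth']} exceeds {max_depth}")
    if stats["aliases"] > max_aliases:
        problems.append(f"{stats['aliases']} aliased fields exceed {max_aliases}")
    return problems


# Constructed attacker queries: a deep friends-of-friends walk and an alias-batched login
# mutation that turns one HTTP request (and one rate-limit token) into 50 password guesses.
DEEP = "query { user(id: 1) { friends { friends { friends { friends { name } } } } } }"
BATCHED_LOGIN = "mutation { " + " ".join(
    f'a{i}: login(user: "bob", pass: "p{i}") {{ token }}' for i in range(50)) + " }"

if __name__ == "__main__":
    print(analyse(DEEP), check_query(DEEP, max_depth=4))
    print(analyse(BATCHED_LOGIN), check_query(BATCHED_LOGIN))
```

Depth and alias counts are the cheap checks; a full cost analysis also multiplies list fields by their `first`/`limit` arguments, and persisted (allowlisted) queries remove the problem for first-party clients entirely.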
Discovery & Defense · 2 lessons · 28 min

Lesson 8 · Intermediate

API Automated Security Testing

Contract testing, schema fuzzing, OpenAPI/Swagger-based scanning, GraphQL introspection + automated query generation, and CI pipeline integration. How to find API vulnerabilities before they ship.

API · Testing · Automation
14 min
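An added example serving both the API Reconnaissance lesson and this one, and not the course's own tooling: a triage pass over an OpenAPI document that enumerates every operation and flags the usual suspects (operations with no security requirement, object IDs in the path as BOLA candidates, privilege-looking properties in request bodies as mass-assignment candidates). The spec is a constructed fragment for a made-up service; the regexes and property names are assumptions to adjust per target.

```python
# Triage an OpenAPI document: enumerate operations and flag API Top 10 suspects.
import re

# Constructed OpenAPI 3 fragment; the service and its routes are fictitious.
SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],  # document-wide default
    "paths": {
        "/users/{userId}": {
            "get": {"operationId": "getUser",
                    "parameters": [{"name": "userId", "in": "path"}]},
            "patch": {"operationId": "updateUser",
                      "requestBody": {"content": {"application/json": {"schema": {
                          "properties": {"displayName": {"type": "string"},
                                         "role": {"type": "string"},
                                         "isAdmin": {"type": "boolean"}}}}}}},
        },
        "/invoices/{invoiceId}/pdf": {"get": {"operationId": "invoicePdf"}},
        "/internal/metrics": {"get": {"operationId": "metrics", "security": []}},
        "/auth/login": {"post": {"operationId": "login", "security": []}},
    },
}

HTTP_METHODS = ("get", "post", "put", "patch", "delete")
ID_PARAM = re.compile(r"\{[^}]*(id|uuid|key)[^}]*\}", re.IGNORECASE)
PRIVILEGE_PROPS = {"role", "isadmin", "is_admin", "admin", "owner", "ownerid",
                   "owner_id", "balance", "verified"}


def operations(spec: dict):
    """Yield (METHOD, path, operation object) for every operation in the document."""
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method in item:
                yield method.upper(), path, item[method]


def body_properties(op: dict) -> set:
    props = set()
    for media in op.get("requestBody", {}).get("content", {}).values():
        props |= set(media.get("schema", {}).get("properties", {}))
    return props


def triage(spec: dict) -> list:
    """(method, path, finding) triples to seed manual testing or a fuzzer's test matrix."""
    findings = []
    global_sec = spec.get("security", [])
    for method, path, op in operations(spec):
        if op.get("security", global_sec) == []:  # per-operation override beats the default
            findings.append((method, path, "unauthenticated"))
        if ID_PARAM.search(path):
            findings.append((method, path, "object id in path: BOLA candidate"))
        risky = {p for p in body_properties(op) if p.lower() in PRIVILEGE_PROPS}
        if risky:
            findings.append((method, path,
                             f"privileged body fields {sorted(risky)}: mass assignment candidate"))
    return findings


if __name__ == "__main__":
    for method, path, note in triage(SPEC):
        print(f"{method:6} {path:28} {note}")
```

Each finding is a lead, not a bug: an unauthenticated login route is expected, an unauthenticated metrics route usually is not. The BOLA candidates are exactly the routes to run the two-account test against, and the mass-assignment candidates the ones to PATCH with the flagged fields; in CI the same triage can run against the spec in the repository so a newly added `{id}` route or `role` property shows up as a review item before it ships.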
Lesson 9 · Intermediate

API Security Hardening

API gateways, schema validation, response filtering (projection), rate limiting on all endpoints, per-object authorization checks, audit logging of every API call. The production API security checklist.

API · Hardening · Defense
14 min
Real-world & Review · 1 lesson · 22 min

Lesson 10 · Intermediate

API Security Review & Practice

A curated set of progressively harder API security challenges: endpoint discovery, BOLA, broken auth, excessive data exposure, mass assignment, rate limit bypass. The API Security course final.

API · Review · Practice
22 min

© 2026 SPNZ.
