Login
ChallengesLearn
Scoreboard
Teams
SPNZ

LearnAPI SecurityAPI Security Review & Practice
API Security·Lesson 10 of 11

API Security Review & Practice

A curated set of progressively harder API security challenges: endpoint discovery, BOLA, broken auth, excessive data exposure, mass assignment, rate limit bypass. The API Security course final.

Intermediate22 min
APIReviewPractice
Loading lesson…
PreviousAPI Security HardeningNextGraphQL Security Deep Dive

© 2026 SPNZ.

Terms of ServicePrivacy PolicyCookie Policy

This capstone brings together everything you have learned about API security. Four progressive challenges simulate real-world attack paths from endpoint discovery through to privilege escalation, testing your ability to find and exploit common API vulnerabilities.

What you'll be able to do
  • Discover hidden API endpoints through directory enumeration.
  • Exploit a broken object level authorisation (BOLA) vulnerability.
  • Intercept and replay a token leaked in a URL parameter.
  • Extract excessive data from a verbose API response.
  • Perform a mass assignment attack to escalate privileges.
Key terms
OWASP API Security Top 10
A list of the ten most critical API security risks published by OWASP, including Broken Object Level Authorisation (BOLA), Broken Authentication, Excessive Data Exposure, and Mass Assignment.
Broken Object Level Authorisation (BOLA)
A vulnerability where an API endpoint fails to verify that the authenticated user has permission to access a specific object, typically by trusting a user-supplied identifier without an ownership check.
Mass Assignment
A vulnerability where an API binds request body fields directly to a model or database record without filtering, allowing an attacker to set fields (e.g. role=admin) that were never intended to be user-modifiable.
Excessive Data Exposure
A vulnerability where an API response includes more fields than the client needs, often by returning the full database entity instead of a projection or DTO.
What is it?

Four API attacks in one capstone

The OWASP API Security Top 10 is the industry standard checklist for API security. Unlike web application vulnerabilities that often require complex chaining, API flaws are frequently business-logic bugs — the endpoint works exactly as coded, but the developer forgot to check ownership, filter the response, or protect a hidden endpoint. This review walks through the four most common API vulnerabilities from the OWASP Top 10.

Challenge 1 combines endpoint discovery with BOLA. You will find a hidden /admin/api/users endpoint and exploit a missing ownership check to access another user's data. Challenge 2 covers broken authentication: a token leaked in a URL parameter that you can intercept and replay. Challenge 3 demonstrates excessive data exposure: a verbose API endpoint that returns PII fields that the client does not need. Challenge 4 is mass assignment: sending an extra field in a PATCH request that escalates your role to admin.

Try it

API Security Review Lab

Click each challenge to read the scenario, then use the request builder to craft your exploit. Try to capture all four flags.

api-review-labdev
Hhacker
challenge-1 · API1:2019 BOLA

Challenge 1: Endpoint Discovery + BOLA

You are a low-privilege user. The main API returns your own data via /api/users/me. There is a hidden admin endpoint somewhere under /admin/api/. Find it and access another user's record by changing the ID.

Hint

Try /admin/api/users or /admin/api/users/1

Response
Send a request to see the response.
Access log

No requests yet.

Challenge progression
Mini Map
Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.
Real-world relevance

API flaws are business-logic bugs, not memory corruption

Unlike buffer overflows or SQL injection, most API vulnerabilities are simple oversights in business logic. The developer adds a new endpoint, copies a pattern from another endpoint, but forgets to add the ownership check. Or they return the entire database row to save time writing a DTO. Or they bind request body fields directly to the model without an allowlist. These are not exotic bugs — they happen every day in every organisation that builds APIs.

The OWASP API Security Top 10 exists because traditional web scanners miss these flaws. A scanner can find SQL injection, but it cannot tell whether /api/orders/123 returns order 123 because the authenticated user owns it or because the developer forgot to check. These vulnerabilities require human understanding of the application's authorisation model. That is why API security must be a continuous practice — every new endpoint is a new attack surface that must be manually reviewed.

Mitigation

Fixing each vulnerability class

For BOLA, the fix is always the same: compare the owner of the requested resource against the authenticated user. Use a parameterised user ID from the session, not from the URL or request body. For broken authentication, never pass tokens in URL parameters — use the Authorisation header or a secure httpOnly cookie, and enforce a short token expiry. For excessive data exposure, never return the full database entity from an API endpoint. Write a projection (a DTO or a GraphQL resolver) that returns only the fields the client needs.

typescriptsafe
// FIX BOLA — check ownership against session
app.get('/api/users/:id', (req, res) => {
  const sessionUser = req.session.userId;  // from session, not from URL
  const requestedId = parseInt(req.params.id);
  if (sessionUser !== requestedId) {
    return res.status(403).json({ error: 'forbidden' });
  }
  // ...
});

// FIX Excessive Data — projection / DTO
function toUserDTO(user: User): UserDTO {
  return {
    id: user.id,
    name: user.name,
    email: user.email,
    // deliberate: no SSN, no credit score
  };
}

// FIX Mass Assignment — allowlist fields
const ALLOWED_PATCH = new Set(['name', 'email', 'avatar']);
app.patch('/api/profile', (req, res) => {
  const update: Record<string, unknown> = {};
  for (const key of Object.keys(req.body)) {
    if (ALLOWED_PATCH.has(key)) update[key] = req.body[key];
  }
  // update only allowed fields
});

For mass assignment, never use a library function that binds the entire request body to a model (e.g. User.update(req.body)). Instead, explicitly define an allowlist of fields that can be updated. This applies to both JSON and form-encoded bodies. The OWASP API Security Top 10 is not a one-time checklist — it is a living document that should be reviewed with every new feature release.

Key takeaways

What to remember

  • BOLA is the most common API vulnerability — every endpoint that references an object by ID must check ownership.
  • Never put tokens in URL parameters; use the Authorisation header or secure cookies.
  • Always return a projection (DTO) from API endpoints, never the raw database entity.
  • Use an allowlist for PATCH/PUT request bodies to prevent mass assignment.
  • API security is continuous — every new endpoint adds attack surface and must be reviewed against the OWASP API Security Top 10.
Further reading
  • OWASP API Security Top 10(OWASP)
  • OWASP REST Security Cheat Sheet(OWASP)
  • CWE-639: Authorisation Bypass Through User-Controlled Key(MITRE CWE)

Knowledge check

0/3 answered · 0 correct

  1. 1.Which vulnerability occurs when an API endpoint binds the entire request body to a database model without filtering fields?

  2. 2.What is the root cause of Broken Object Level Authorisation (BOLA)?

  3. 3.Why are traditional web vulnerability scanners ineffective at finding most API security flaws?