API Security Lab

Exploit common API vulnerabilities to capture flags

Level 1: Broken Authentication (Easy)
Level 2: Excessive Data Exposure (Easy)
Level 3: Mass Assignment (Medium)
Level 4: JWT Token Manipulation (Medium)

Level 1: Broken Authentication (Easy)

Objective

Find the flag by accessing the admin users endpoint. No authentication is required to access this API endpoint.
Try: GET /api/admin/users

Test Credentials

alice: alice123 (user)
bob: bob456 (user)
admin: admin789 (admin)
Hint: The admin users endpoint has no authentication check. Simply send a GET request to /api/admin/users without any token. The flag is in the response under the secret field.
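The point of this level is that the handler for /api/admin/users never looks at the caller's credentials. The following added example, which is not part of the lab's own code, models that endpoint twice: once as the lab describes it, and once with an authentication check (valid bearer token) followed by an authorization check (admin role). It also includes a small detection helper that flags admin-path requests served successfully without credentials. Requests are plain dicts, the session store and the access-log format are constructed for the example, the accounts are the lab's test credentials, and the flag value is a placeholder.

```python
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Test accounts taken from the lab page. The flag is a placeholder, not the lab's real flag.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "alice": {"password": "alice123", "role": "user"},
    "bob": {"password": "bob456", "role": "user"},
    "admin": {"password": "admin789", "role": "admin"},
}
FLAG = "FLAG{placeholder}"

# Constructed session store: opaque bearer token -> username.
SESSIONS: Dict[str, str] = {}


def login(username: str, password: str) -> Optional[str]:
    """Issue an opaque bearer token when the credentials match; None otherwise."""
    account = ACCOUNTS.get(username)
    # compare_digest avoids leaking the password length/prefix through timing.
    if account is None or not hmac.compare_digest(account["password"], password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def users_payload() -> dict:
    """The data the endpoint returns: the user list plus the 'secret' field holding the flag."""
    return {
        "users": [{"username": u, "role": a["role"]} for u, a in ACCOUNTS.items()],
        "secret": FLAG,
    }


def vulnerable_admin_users(request: dict) -> Tuple[int, dict]:
    """Level 1 as the lab describes it: the handler never inspects the request's credentials."""
    return 200, users_payload()


def hardened_admin_users(request: dict) -> Tuple[int, dict]:
    """Authenticate (valid bearer token), then authorize (admin role), before returning data."""
    auth_header = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {"error": "authentication required"}
    username = SESSIONS.get(token)
    if username is None:
        return 401, {"error": "invalid or expired token"}
    if ACCOUNTS[username]["role"] != "admin":
        # Authenticated but not authorized: a plain user gets 403, never the admin data.
        return 403, {"error": "admin role required"}
    return 200, users_payload()


def unauthenticated_admin_hits(log_lines: List[str]) -> List[str]:
    """Detection helper over a constructed access-log format:
    '<timestamp> <method> <path> <status> auth=<none|bearer>'.
    Returns the lines where an /api/admin/ path was served 200 with no credentials."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        _, _, path, status, auth = parts
        if path.startswith("/api/admin/") and status == "200" and auth == "auth=none":
            hits.append(line)
    return hits


# Constructed sample log lines for the detection helper.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z GET /api/admin/users 200 auth=none",
    "2024-01-01T10:00:05Z GET /api/admin/users 200 auth=bearer",
    "2024-01-01T10:00:09Z GET /api/users/me 200 auth=none",
    "2024-01-01T10:00:12Z GET /api/admin/users 401 auth=none",
]

if __name__ == "__main__":
    status, body = vulnerable_admin_users({"headers": {}})
    print("vulnerable, no token:", status, "secret" in body)
    status, body = hardened_admin_users({"headers": {}})
    print("hardened, no token:", status, body)
    admin_token = login("admin", "admin789")
    status, body = hardened_admin_users({"headers": {"Authorization": f"Bearer {admin_token}"}})
    print("hardened, admin token:", status, "secret" in body)
    print("suspicious log lines:", unauthenticated_admin_hits(SAMPLE_LOG))
```

The hardened handler separates the two checks deliberately: a missing or bogus token is an authentication failure (401), while a valid token for a non-admin user is an authorization failure (403). Keeping the distinction makes both the code and the resulting logs easier to audit, and the log helper shows the pattern a defender would look for after a level like this: admin paths returning 200 to callers that presented no credentials at all.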