API Security Lab

Exploit common API vulnerabilities to capture flags

Levels:
Level 1: Broken Authentication (Easy)
Level 2: Excessive Data Exposure (Easy)
Level 3: Mass Assignment (Medium)
Level 4: JWT Token Manipulation (Medium)

Level 3: Mass Assignment (Medium)

Objective

Log in as a regular user, then update your profile. The profile endpoint binds every field in the request body onto your user record without an allowlist (mass assignment), so fields the form never exposes, such as your role, can be set by simply including them in the JSON. Use this to escalate your privileges.
Login: POST /api/login with the body {"username":"alice","password":"alice123"}; the response contains a token.
Then: PUT /api/profile, authenticated with that token, with extra fields added to the JSON body.

Test Credentials

alice: alice123 (user)
bob: bob456 (user)
admin: admin789 (admin)
Hint: Send a PUT request to /api/profile, authenticated with the token returned by /api/login. In the JSON body, add {"role": "admin"} alongside the normal profile fields. Because the API copies every field from the body onto the stored user record (mass assignment), the role change is accepted and saved.
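The following is an added example and not the lab's own server code. It models the login and profile endpoints described in the Objective and Hint above as an in-memory Python class so the bug can be reproduced and fixed offline: one mode copies the request body straight onto the user record (the mass-assignment behaviour the lab exploits), the other binds only an allowlist of profile fields and rejects anything else. The user records, the email field, the PROFILE_ALLOWLIST contents and the bearer-token session store are assumptions made for this demo, not details taken from the lab.

```python
"""Mass assignment on a profile-update endpoint: vulnerable vs hardened.

Constructed stand-in for the lab's POST /api/login and PUT /api/profile;
it is not the lab's implementation.
"""
import secrets
from copy import deepcopy

# Constructed seed data mirroring the lab's test credentials (assumed fields).
SEED_USERS = {
    "alice": {"username": "alice", "password": "alice123", "role": "user", "email": "alice@example.test"},
    "bob":   {"username": "bob",   "password": "bob456",   "role": "user", "email": "bob@example.test"},
    "admin": {"username": "admin", "password": "admin789", "role": "admin", "email": "admin@example.test"},
}

# Fields a user may change on their own profile. This allowlist is an assumption
# for the demo; the point is that "role" is deliberately not on it.
PROFILE_ALLOWLIST = {"email", "display_name"}


class ProfileApi:
    """In-memory model of the two endpoints, with a switch for the vulnerable binding."""

    def __init__(self, vulnerable):
        self.vulnerable = vulnerable
        self.users = deepcopy(SEED_USERS)   # each instance gets a fresh store
        self.sessions = {}                  # bearer token -> username

    def login(self, username, password):
        """POST /api/login: returns (status, body); body carries a random bearer token."""
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            return 401, {"error": "invalid credentials"}
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return 200, {"token": token}

    @staticmethod
    def _public(user):
        # Never echo the password back, in either mode.
        return {k: v for k, v in user.items() if k != "password"}

    def put_profile(self, token, body):
        """PUT /api/profile: returns (status, body)."""
        user = self.users.get(self.sessions.get(token))
        if user is None:
            return 401, {"error": "missing or invalid token"}

        if self.vulnerable:
            # Mass assignment: every key the client sends is written onto the
            # stored record, so {"role": "admin"} silently escalates privileges.
            user.update(body)
            return 200, self._public(user)

        # Hardened: bind only allowlisted fields and fail loudly on anything else,
        # so a client sending "role" gets a 400 instead of a quiet ignore.
        unexpected = sorted(set(body) - PROFILE_ALLOWLIST)
        if unexpected:
            return 400, {"error": "unexpected fields", "fields": unexpected}
        for field in PROFILE_ALLOWLIST & set(body):
            user[field] = body[field]
        return 200, self._public(user)

    def role_of(self, username):
        """What the server actually stores, independent of what it echoes back."""
        return self.users[username]["role"]


def escalate(api):
    """Replay the lab's attack: log in as alice, then PUT a profile with an extra role field.

    Returns (HTTP status of the PUT, alice's stored role afterwards).
    """
    status, resp = api.login("alice", "alice123")
    if status != 200:
        raise RuntimeError("login failed in demo")
    payload = {"email": "alice@example.test", "role": "admin"}   # the lab's hint payload
    status, _ = api.put_profile(resp["token"], payload)
    return status, api.role_of("alice")


if __name__ == "__main__":
    print("vulnerable:", escalate(ProfileApi(vulnerable=True)))    # (200, 'admin')
    print("hardened:  ", escalate(ProfileApi(vulnerable=False)))   # (400, 'user')
```

The check that matters is role_of, not the response body: a server that strips "role" from its JSON reply but still wrote it to storage is just as broken, which is why the demo reads the stored record after the request. The hardened path rejects unknown fields rather than dropping them silently so that an attacker probing for bindable fields gets no free feedback and so that legitimate client bugs surface in testing.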