Lab
Great — if you're looking to learn penetration testing using vulnerable APIs, you're on the right track. Practicing in safe, legal environments is essential. Below are some of the best intentionally vulnerable APIs and platforms designed for learning and safely practicing API security and pen testing:
🛠️ Top Vulnerable APIs for Learning Penetration Testing
1. Damn Vulnerable REST API (DVRA)
What it is: A deliberately insecure RESTful API built to teach API security.
Tech Stack: Java (Spring Boot)
What you can learn: OWASP API Top 10 vulnerabilities such as broken authentication, mass assignment, injection, etc.
2. VAmPI
What it is: A vulnerable API written in Python (Flask) for practicing API security testing.
Includes: Common vulnerabilities including Insecure Direct Object References (IDOR), broken auth, and SQL injection.
GitHub: https://github.com/erev0s/VAmPI
3. OWASP crAPI (Completely Ridiculous API)
What it is: A purposely vulnerable and ridiculous API designed by OWASP.
Use case: Teaches real-world scenarios with OWASP API Security Top 10.
Setup: Docker-based, comes with both frontend and backend.
GitHub: https://github.com/OWASP/crAPI
4. Juice Shop (API layer included)
What it is: An intentionally insecure web app from OWASP that includes RESTful API endpoints.
Good for: Practicing both web and API security.
Features: Challenges, scoreboard, and hints.
5. Hackazon
What it is: A vulnerable web app that mimics a real e-commerce site.
API Testing Use: Has REST API endpoints that can be targeted for testing.
Note: No longer actively maintained, but still functional in labs.
⚙️ Tools to Use with These APIs
Burp Suite (Community Edition is free): Intercept, analyze, and exploit API calls.
Postman: Great for interacting with the API while inspecting requests/responses.
OWASP ZAP: Free and open-source alternative to Burp for active scanning.
Absolutely — here are more vulnerable API environments and platforms to help you deepen your penetration testing skills. These vary from lightweight APIs to full simulation labs that mimic real-world scenarios.
6. API Security Labs by Escape
What it is: A browser-based playground with multiple intentionally vulnerable API challenges.
Topics covered: Broken object-level authorization (BOLA), JWT attacks, mass assignment, rate limiting bypasses, etc.
No setup required: Just sign in and start hacking.
Link: https://lab.apisec.ai
7. Penetration Testing Practice Labs (PT Labs)
What it is: Part of PortSwigger’s Web Security Academy — includes vulnerable API endpoints in realistic scenarios.
Tools needed: Burp Suite
Real-world training: Simulates scenarios from OWASP API Top 10.
8. HackTheBox — Starting Point / API-related Boxes
What it is: Hands-on hacking platform with virtual machines that include APIs.
Best for: Intermediate learners; includes some boxes with insecure REST and GraphQL APIs.
Free & paid tiers: Great to level up after basic labs.
Link: https://hackthebox.com
9. TryHackMe — "OWASP API Security" Room
What it is: Guided lab focused specifically on API vulnerabilities.
Beginner-friendly: Includes walkthroughs, theory, and practical tasks.
Requires: TryHackMe account (free/paid)
Link: https://tryhackme.com → Search for “API Security”
10. GraphQL-GOAT
What it is: An intentionally vulnerable GraphQL server.
Built for: Learning GraphQL API-specific attacks like introspection, aliasing, deep queries, etc.
👨💻 Want to Go Further?
Here are advanced vulnerable APIs and environments:
11. bWAPP (Buggy Web App)
API endpoints: While primarily a web app, it includes mobile and REST API vulnerabilities.
Wide vulnerability coverage: Over 100 types of issues.
Setup: Easy with XAMPP or Docker.
12. SecApps Labs
Online lab: Offers interactive testing environments, including APIs and web services.
Browser-based tools: No setup needed.
Free tier: Good for quick practice.
Link: https://secapps.com/labs
Last updated
Was this helpful?