Lab

GitHub - omkar-ukirde/api-pentesting: API Pentesting notes.GitHub

GitHub - snoopysecurity/dvws: Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities. NOTE: This project is out of date, please use https://github.com/snoopysecurity/dvws-nodeGitHub

GitHub - rahulunair/vulnerable-api: This repository contains an example Python API that is vulnerable to several different web API attacks.GitHub

GitHub - inonshk/31-days-of-API-Security-Tips: This challenge is Inon Shkedy's 31 days API Security Tips.GitHub

Application Security Training For Developers | KontraKontra

GitHub - omkar-ukirde/api-pentesting: API Pentesting notes.GitHub

https://portswigger-net.cdn.ampproject.org/c/s/portswigger.net/daily-swig/amp/introducing-vapi-an-open-source-lab-environment-to-learn-about-api-securityportswigger-net.cdn.ampproject.org

404 - Hakin9 - IT Security MagazineHakin9 - IT Security Magazine

GitHub - roottusk/vapi: vAPI is Vulnerable Adversely Programmed Interface which is Self-Hostable API that mimics OWASP API Top 10 scenarios through Exercises.GitHub

Great — if you're looking to learn penetration testing using vulnerable APIs, you're on the right track. Practicing in safe, legal environments is essential. Below are some of the best intentionally vulnerable APIs and platforms designed for learning and safely practicing API security and pen testing:

🛠️ Top Vulnerable APIs for Learning Penetration Testing

1. Damn Vulnerable REST API (DVRA)

What it is: A deliberately insecure RESTful API built to teach API security.
Tech Stack: Java (Spring Boot)
What you can learn: OWASP API Top 10 vulnerabilities such as broken authentication, mass assignment, injection, etc.
GitHub: https://github.com/ErkanBasar/DVRA

2. VAmPI

What it is: A vulnerable API written in Python (Flask) for practicing API security testing.
Includes: Common vulnerabilities including Insecure Direct Object References (IDOR), broken auth, and SQL injection.
GitHub: https://github.com/erev0s/VAmPI

3. OWASP crAPI (Completely Ridiculous API)

What it is: A purposely vulnerable and ridiculous API designed by OWASP.
Use case: Teaches real-world scenarios with OWASP API Security Top 10.
Setup: Docker-based, comes with both frontend and backend.
GitHub: https://github.com/OWASP/crAPI

4. Juice Shop (API layer included)

What it is: An intentionally insecure web app from OWASP that includes RESTful API endpoints.
Good for: Practicing both web and API security.
Features: Challenges, scoreboard, and hints.
GitHub: https://github.com/juice-shop/juice-shop

5. Hackazon

What it is: A vulnerable web app that mimics a real e-commerce site.
API Testing Use: Has REST API endpoints that can be targeted for testing.
Note: No longer actively maintained, but still functional in labs.

⚙️ Tools to Use with These APIs

Burp Suite (Community Edition is free): Intercept, analyze, and exploit API calls.
Postman: Great for interacting with the API while inspecting requests/responses.
OWASP ZAP: Free and open-source alternative to Burp for active scanning.

Absolutely — here are more vulnerable API environments and platforms to help you deepen your penetration testing skills. These vary from lightweight APIs to full simulation labs that mimic real-world scenarios.

6. API Security Labs by Escape

What it is: A browser-based playground with multiple intentionally vulnerable API challenges.
Topics covered: Broken object-level authorization (BOLA), JWT attacks, mass assignment, rate limiting bypasses, etc.
No setup required: Just sign in and start hacking.
Link: https://lab.apisec.ai

7. Penetration Testing Practice Labs (PT Labs)

What it is: Part of PortSwigger’s Web Security Academy — includes vulnerable API endpoints in realistic scenarios.
Tools needed: Burp Suite
Real-world training: Simulates scenarios from OWASP API Top 10.
Link: https://portswigger.net/web-security

What it is: Hands-on hacking platform with virtual machines that include APIs.
Best for: Intermediate learners; includes some boxes with insecure REST and GraphQL APIs.
Free & paid tiers: Great to level up after basic labs.
Link: https://hackthebox.com

9. TryHackMe — "OWASP API Security" Room

What it is: Guided lab focused specifically on API vulnerabilities.
Beginner-friendly: Includes walkthroughs, theory, and practical tasks.
Requires: TryHackMe account (free/paid)
Link: https://tryhackme.com → Search for “API Security”

10. GraphQL-GOAT

What it is: An intentionally vulnerable GraphQL server.
Built for: Learning GraphQL API-specific attacks like introspection, aliasing, deep queries, etc.
GitHub: https://github.com/swisskyrepo/GraphQL-GOAT

👨‍💻 Want to Go Further?

Here are advanced vulnerable APIs and environments:

11. bWAPP (Buggy Web App)

API endpoints: While primarily a web app, it includes mobile and REST API vulnerabilities.
Wide vulnerability coverage: Over 100 types of issues.
Setup: Easy with XAMPP or Docker.
GitHub: https://github.com/raffaeleflorio/bwapp-docker

12. SecApps Labs

Online lab: Offers interactive testing environments, including APIs and web services.
Browser-based tools: No setup needed.
Free tier: Good for quick practice.
Link: https://secapps.com/labs

PreviousMind map NextChecklist

Last updated 6 months ago

hashtag🛠️ Top Vulnerable APIs for Learning Penetration Testing

hashtag⚙️ Tools to Use with These APIs

hashtag6. API Security Labs by Escape

hashtag7. Penetration Testing Practice Labs (PT Labs)

hashtag8. HackTheBox — Starting Point / API-related Boxes

hashtag9. TryHackMe — "OWASP API Security" Room

hashtag10. GraphQL-GOAT

hashtag👨‍💻 Want to Go Further?

hashtag11. bWAPP (Buggy Web App)

hashtag12. SecApps Labs