I Took a Hacking Course So I Decided to Hack
API Security • Course: APISEC UNI API Pentesting • Target: VAPI (Vulnerable API) • Result: OWASP Top 10 conquered
I took the APISEC UNI course on API pentesting and hacking, and lowkey I kinda feel pentests and hacking aren't that different, to be honest, but yeah, let's be real with ourselves. VAPI (the intentionally vulnerable API) is a very horrible and ugly way to design an API for people to learn from, to be honest, because what in God's green earth is that thing I just hacked? But yeah, I hacked it, and according to the OWASP Top 10, I'm sorta a badass, you know?
API 1: IDOR & Parameter Manipulation
Insecure Direct Object Reference
The first thing I hacked was API 1, and you know, fingering (shhhhh) an API without clear ideas on what the API is supposed to do is sorta damning, but yeah, I did it either way. I don't like complaints because I'm just badass. I created a sweet user, by the way.
Pretty basic, you'd guess, correct? But no, it isn't, because after creating my user I realized, hey, I can change the parameters being sent, so maybe try changing them to other users, and just as you guessed, I was able to get every other user in the system. Heck, it didn't even have any authentication.

Vulnerability: Insecure Direct Object Reference (IDOR) • Impact: Full user data exposure
API 2: Brute Force & Lack of Rate Limiting
Broken Authentication
I am supposed to log in, but for some weird reason I can't, because I don't have an email and a password. Good thing they left a list of shitty emails and passwords; a sweet brute force should do it if they lack rate limiting. Shall we check it out?
1000 requests later, it doesn't seem like they have anything stopping me from sending a million. Guess what this leads to? ATO via brute forcing, thanks to the lack of rate limiting.
# Example brute force pattern
import requests

login_url = "http://vapi/api2/login"       # placeholder endpoint
target_email = "victim@example.com"        # placeholder, taken from the leaked list
password_list = ["password1", "letmein"]   # placeholder, taken from the leaked list

for password in password_list:
    response = requests.post(login_url,
                             data={'email': target_email, 'password': password})
    if response.status_code == 200:        # no lockout and no rate limit, so every guess gets an answer
        print(f"Valid credentials: {password}")
Vulnerability: Broken Authentication • Impact: Account Takeover
API 3: Mobile App & PII Exposure
Data Exposure
It would look like we need an Android device for this, but hey, that doesn't stop us. Let's crank up a quick Android emulator, shall we?
I am pretty sure your device doesn't look this pretty, does it? Well, we tried to sign up on the device and it was successful, but the application made me spot something unnatural. I send comments, but I can see not just my own comment but some of my PII, and not just that but some other information of other users, including their precise location, which is disturbing, might I add.

Vulnerability: Excessive Data Exposure • Impact: PII and location leakage
API 4: OTP Brute Force
Broken Authentication
In here it feels like a basic and boring login endpoint? SIKE! We gotta deal with OTP verification. Good thing Burp Suite lets me sniper-attack brute force this bloody target.
Slight warning: you'll need Burp Suite Pro to help, because the Community version is way too weak, but yeah, I think we aced that. Don't play with me, friends.
# Burp Intruder payload for OTP brute force
0000
0001
0002
...
9999
Vulnerability: Weak OTP implementation • Impact: Bypass 2FA
API 5: Parameter Pollution
Broken Object Level Authorization
Damn, I'm beginning to get bored; I need something thrilling, pleaseee. Okay, wait, I think I've found it: a "Create User" endpoint. Let's see what fun we can have. I mean, yeah, we can create basic users? Or maybe not; maybe if we add some parameters we can achieve something different.
A 200 response. Of course you can verify, but I'll leave that up to you. Well, maybe I'm not the best when it comes to hacking APIs, but this definitely reminds me that I'm no easy catch.
Vulnerability: Parameter Tampering • Impact: Privilege escalation
API 6: Internal Server Error Exploitation
Security Misconfiguration
We gotta create a new user. Honestly, I am tired of creating new users, but hey, let's create another, shall we? Well, we already created a regular account, but let's see if there's anything interesting about it.
First, switch the request to GET with the parameters we have and let's see what we get. Well, we didn't get anything, in all honesty, just an internal server error. Okay, enough suspense: maybe we tweaked the parameter in the account creation section.
Vulnerability: Information Disclosure • Impact: System information leakage
API 7: CORS Misconfiguration
Security Misconfiguration
So let's create a new user on this API endpoint real quick. We also gotta log in to the app, but wait, something smells fishy here. Like, why is the CORS header screaming "Access-Control-Allow-Origin: *" and still allowing credentials? That's straight-up begging for trouble, right?
So I fired up Burp again, added a fake Origin header like I'm some shady third-party site, and BAM—sent the login request. Guess what? It spat back the full user deets: ID, username, password, authkey, the works! No questions asked, just because the origin was wild-carded.

Vulnerability: CORS Misconfiguration • Impact: Cross-origin data theft
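As an added example (not vAPI's code or the course's), here is a small Python check for the header combination described above, beside the allow-list response a fixed endpoint should send; the origin names are made up.

```python
# Added example: grade a response's CORS headers, then build the safe version.
from typing import Optional

ALLOWED_ORIGINS = {"https://app.example.com"}   # constructed allow-list

def cors_risk(request_origin: str, headers: dict) -> Optional[str]:
    """Describe the weakness in a response's CORS headers, or return None if safe.
    Keys in `headers` are assumed to be in canonical header case."""
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return None                       # browser will not expose the body cross-origin
    if acao == "*" and acac:
        # browsers refuse this pair for credentialed requests, but it shows the
        # server never meant to restrict anything, which is the finding above
        return "wildcard origin with credentials"
    if acao == "null":
        return "'null' origin allowed"    # sandboxed iframes can send Origin: null
    if acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        # reflecting whatever Origin arrives is the variant a browser actually honours
        return "origin reflected without allow-list" + (" with credentials" if acac else "")
    return None

def cors_headers_for(request_origin: str) -> dict:
    """Hardened variant: echo the Origin only if it is on the allow-list, and tell
    caches that the answer depends on Origin."""
    if request_origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {"Vary": "Origin"}             # no ACAO header at all: cross-origin read blocked
```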
API 8: SQL Injection
Injection
Okay, login endpoint? Boring, but let's poke it with some SQL spice. I threw a classic "' OR 1-- " into the username in Postman, proxied it through Burp, and hit Intruder in sniper mode with a bunch of SQL payloads.
Most gave 403, but one? Boom, a 500 error with a MySQL syntax freakout—jackpot, unsanitized inputs confirmed! Time to escalate: pulled out sqlmap like a boss, enumerated the DBs, found "vapi", tables like "a_p_i8_users", columns for password, secret, username.
sqlmap -u "http://vapi/api8/login" --data="username=admin&password=test" \
    --dbs --tables -D vapi -T a_p_i8_users --dump
Vulnerability: SQL Injection • Impact: Full database compromise
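An added example, not vAPI's code: the login lookup written the way sqlmap was able to abuse it, beside the parameterized version, using an in-memory SQLite table as a stand-in for the MySQL one (table, rows and the flag value are constructed).

```python
# Added example: string-built login query vs. parameterized query.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the users table from the write-up.
    Plaintext password is for the demo only; a real table stores a hash."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, secret TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'S3cret!', 'flag{constructed}')")
    con.commit()
    return con

def login_vulnerable(con, username: str, password: str):
    """Concatenates user input into SQL: the pattern the 500 error revealed."""
    sql = (f"SELECT username, secret FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return con.execute(sql).fetchone()

def login_safe(con, username: str, password: str):
    """Placeholders keep the input as data, so quotes and '--' are inert."""
    sql = "SELECT username, secret FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()

def demo():
    """Run the probe from the write-up against both versions."""
    con = make_db()
    payload = "' OR 1-- "   # turns the WHERE clause into: username = '' OR 1
    return (login_vulnerable(con, payload, "anything"),   # logs in as admin
            login_safe(con, payload, "anything"),         # None: no such user
            login_safe(con, "admin", "S3cret!"))          # real credentials still work
```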
API 9: Improper Assets Management
Version Exposure
This one's got v2 with rate limits (boo), but I sniffed around and spotted a /v1/ path hiding in the shadows—no limits there! Switched the URL in Burp Repeater to /vapi/api9/v1/user/login, crunched up a numbers.txt for PIN brute (0000-9999), and FFUF'd it.
ffuf -w numbers.txt -X POST \
-H "Content-Type: application/json" \
-d '{"username":"richardbranson","pin":"FUZZ"}' \
-u http://vapi/api9/v1/user/login
Vulnerability: Improper Assets Management • Impact: Bypass security controls
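Added example, not from the course or vAPI: detection logic for the brute-force findings in API 2, API 4 and this one, run over constructed access-log lines. The log format, the account name alice, and every path except /vapi/api9/v1/user/login are assumptions.

```python
# Added example: two detection rules over constructed access-log lines.
#  1. more than THRESHOLD failed auth responses for one account within WINDOW seconds
#  2. any request to the retired /v1/ login path, which has no rate limit
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: "<iso-time> <client-ip> <method> <path> <status> user=<name>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) user=(\S*)$")
AUTH_PATHS = ("/api2/login", "/api4/otp/verify",            # assumed endpoint names
              "/vapi/api9/v1/user/login", "/vapi/api9/v2/user/login")
RETIRED_PREFIXES = ("/vapi/api9/v1/",)
THRESHOLD, WINDOW = 10, 60

def detect(lines):
    """Return a list of (rule, account_or_ip, detail) alerts, one per trigger."""
    alerts, failures = [], defaultdict(deque)   # account -> timestamps of failures
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        ip, path, status, user = m.group(2), m.group(4), int(m.group(5)), m.group(6)
        if path.startswith(RETIRED_PREFIXES):
            alerts.append(("retired-version", ip, path))
        if path in AUTH_PATHS and status in (401, 403):
            q = failures[user]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > WINDOW:   # drop old failures
                q.popleft()
            if len(q) == THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(("auth-burst", user, f"{len(q)} failures in {WINDOW}s"))
    return alerts

def sample_lines():
    """Constructed: 12 bad OTPs for one account within 30s, then one v1 login hit."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = [f"{base.replace(second=i * 2).isoformat()} 203.0.113.5 POST "
             f"/api4/otp/verify 403 user=alice" for i in range(12)]
    lines.append("2024-01-01T12:05:00 203.0.113.5 POST "
                 "/vapi/api9/v1/user/login 401 user=richardbranson")
    return lines
```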
API 10: Insufficient Logging & Monitoring
Missing Monitoring
Boredom strikes again, but wait—"Get Flag" endpoint? Just POST to it in Postman, no fuss, no muss. Grabs the flag straight up. No vuln to exploit, just... there.
Insufficient logging means no one's watching, no alerts, pure stealth access. OWASP nailed it—monitoring is key, or else flags (and real secrets) walk right out the door!
Vulnerability: Insufficient Logging & Monitoring • Impact: Undetected data access
Bonus APIs: The Extra Mile
Advanced Techniques
The walkthrough threw in three extras:
- API 11: Undocumented endpoint guessing for hidden admin funcs—fuzzed paths in Burp till /admin/secret dumped the goods
- API 12: XML bomb DoS via external entity—parsed a massive XML payload to crash the parser
- API 13: API chaining abuse, linking vulns from prior APIs into a full account takeover chain
Each spat flags like candy. Felt like leveling up in a video game, OWASP bonuses making me feel invincible!
Wrapping This Hackfest
Whew, from IDOR noobs to SQL dumps and CORS clowning, VAPI turned me into an API-slaying machine. The course paid off—pentesting feels like ethical hacking with extra steps, but damn, the rush is real.
If you're dipping toes, grab Docker, Burp, and go wild (legally, obvs). OWASP Top 10? Conquered. Badass level: Expert. Who's next? Drop your vulns, I'm ready! 🚀
