API Security Lab

API Attack & Defense

Find the vulnerable endpoint before the attacker does. Each scenario drops you into a real API authentication or authorization flaw — JWT verification, OAuth flows, mass assignment, CORS — and asks you to spot the bug a code review missed.

6 scenarios · ~12 minutes · Difficulty: Hard

How the simulator works

  • Each scenario shows real API code or middleware configuration with a hidden authentication or authorization flaw.
  • Identify the issue from four plausible options — the wrong answers explain why they look tempting but aren't the bug.
  • Read the production explanation, follow the link to the relevant lesson, and move to the next scenario.
  • Score yourself across all six rounds — covering JWT verification, OAuth flows, mass assignment, rate limiting, CORS, and webhook signature verification.