API Attack & Defense

Interactive API security lab. Six scenarios cover JWT algorithm confusion (RS256/HS256), OAuth redirect_uri startsWith bypasses, mass assignment / overposting via spread operators, rate-limit bypasses through X-Forwarded-For spoofing, CORS wildcard + credentials misconfigurations, and webhook signature timing side-channels.
