The Open Worldwide Application Security Project (OWASP) is a non-profit, collaborative online community that aims to improve application security through a set of security principles, articles, documentation, etc. Back in 2019, OWASP released a list of the top 10 API vulnerabilities, which will be discussed in detail, along with their potential impact and a few effective mitigation measures.

We have split this room into two parts. In Part 1, you will study the top 5 principles, and in Part 2, you will learn the remaining principles.

Learning Objectives

  • Best practices for API authorisation & authentication
  • Identification of authorisation level issues
  • Handling excessive data exposure
  • Lack of resources and rate-limiting issues

Learning Pre-requisites

An understanding of the following topics is recommended before starting the room:

Connecting to the Machine

We will be using Windows as a development/test machine along with Talend API Tester (free edition) throughout the room, with the following credentials:

  • Machine IP: MACHINE_IP
  • Username: Administrator
  • Password: Owasp@123

You can start the virtual machine by clicking Start Machine. The machine will start in a split-screen view. In case the VM is not visible, use the blue Show Split View button at the top-right of the page. Alternatively, you can connect to the VM through Remote Desktop using the above credentials. Please wait 1-2 minutes after the system has booted completely so that the startup scripts can launch Talend API Tester and the Laravel-based web application automatically.

Answer the questions below

  • In the LinkedIn breach (Jun 2021), how many million records (sample) were posted by a hacker on the dark web?

1

  • Is the API documentation a trivial item and not used after API development (yea/nay)?

nay

  • Suppose the employee ID is an integer with an incrementing value. Using the vulnerable API endpoint, can you determine the total number of employees in the company?

3

  • What is the flag associated with employee ID 2?

THM{838123}

  • What is the username of employee ID 3?

Bob

  • What is the username of employee ID 3?

cOC%Aonyis%H)mZ&uJkuI?_W#4&m>Y

  • To which country does sales@mht.com belong?

China

  • Is it a good practice to send a username and password in a GET request (yea/nay)?

nay

  • What is the device ID value for post-ID 2?

iOS15.411

  • What is the username value for post-ID 3?

hacker#!

  • Should we use network-level devices for controlling excessive data exposure instead of managing it through APIs (programmatically) (yea/nay)?

nay

  • Can rate limiting be carried out at the network level through a firewall, etc. (yea/nay)?

yea

  • What is the HTTP response code when you send a POST request to /apirule4/sendOTP_s using the email address hr@mht.com?

200

  • What is the "msg key" value after an HTTP POST request to /apirule4/sendOTP_s using the email address sale@mht.com?

Invalid Email

  • What is the mobile number for the username Alice?

+1235322323

  • Is it a good practice to send the isAdmin value through hidden fields in form requests (yea/nay)?

nay

  • What is the address flag of username admin?

THM{3432$@#2!}

Conclusion

That's all for this room. In this room, we have studied the basic API development principles for authorisation and authentication, and how excessive data exposure can lead to a complete account takeover.

Now, we will see you in Part 2 of this room, where we will go through the remaining five principles of OWASP API security.

Answer the questions below

I have completed the room (Part 1).