Interactive Learning Lab

    Apyguard Playground

    Explore common API vulnerabilities, edit real-looking payloads, and compare vulnerable versus hardened responses without leaving the browser.

    OWASP API Focused
    Editable Payloads
    Simulated Responses
    OWASP API1:2023
    Critical

    Broken Object Level Authorization

    This shows what happens when an API lets someone read another user's data just by changing an ID.

    Presets

    A user requests their own account record.

    Target endpoint

    GET /v1/accounts/details

    Cross-tenant probe

    What to look for

    Attack surface

    The attack surface is the object identifier in the request: the API returns whatever record `accountId` names without checking that it belongs to the caller.

    Impact

    A single predictable identifier can expose invoices, API keys, balances, or profile data from another customer.

    Defensive cues

    • Change `accountId` without changing `viewerAccountId`.
    • Switch to hardened mode to see the expected 403 behavior.
    • Look at how the response body changes when authorization is enforced server-side.
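    As an added example (not the playground's own code), the simulation below models `GET /v1/accounts/details` in both modes; the account store, record fields and function names are constructed here, and the server-side session identity stands in for what the playground labels `viewerAccountId`.

```python
import json

# Constructed sample tenant data standing in for the backend store
# (owner = the account that is allowed to read the record).
ACCOUNTS = {
    "acct-100": {"owner": "acct-100", "balance": 1520.00, "apiKey": "key-100"},
    "acct-200": {"owner": "acct-200", "balance": 87.50, "apiKey": "key-200"},
}


def account_details(body: str, session_account_id: str, hardened: bool):
    """Simulated handler for GET /v1/accounts/details; returns (status, body).

    session_account_id is the identity the server established from the
    session or token. The playground's viewerAccountId field plays that
    role in the UI; a real handler must never take it from the request body.
    """
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        req = None
    if not isinstance(req, dict) or not isinstance(req.get("accountId"), str):
        return 400, {"error": "accountId (string) is required"}
    record = ACCOUNTS.get(req["accountId"])
    if record is None:
        return 404, {"error": "not found"}
    if hardened and record["owner"] != session_account_id:
        # Object-level authorization: the check uses server-side identity,
        # so a viewerAccountId supplied in the body cannot influence it.
        return 403, {"error": "forbidden"}
    # Vulnerable mode (or the owner in hardened mode): return the record.
    return 200, {"accountId": req["accountId"], **record}


def cross_tenant_probe(hardened: bool):
    """Replay the cross-tenant preset: acct-100 asks for acct-200's record."""
    payload = json.dumps({"accountId": "acct-200", "viewerAccountId": "acct-100"})
    return account_details(payload, session_account_id="acct-100", hardened=hardened)
```

    In vulnerable mode the probe returns 200 with the other tenant's balance and API key; in hardened mode the same request returns 403, even if the caller also rewrites `viewerAccountId` in the body.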

    Coverage in this playground

    Authorization failures

    BOLA and BFLA flows show what happens when route access is based on user input instead of backend policy.

    Unsafe object binding

    Mass assignment highlights why allowlisted fields are safer than binding full request bodies directly into models.

    Backend fetch abuse

    SSRF simulation demonstrates how internal metadata and private services become reachable through server-side integrations.