RatCTF
New Series

Exposed API

Five REST API endpoints with broken access controls. IDOR, mass assignment, JWT forgery, BFLA, and SSRF — the API security top five, each running in a live target you can actually attack.

IDOR / BOLA Mass Assignment JWT Attacks BFLA SSRF
5 Machines
Free No Paywall
API Sec Focus
0/5 Online Now

The Machines

Five endpoints. Five broken access controls. All live.

Machine 01 Offline
API Users
IDOR / BOLA

GET /api/v1/users/<id> returns full user objects with no ownership check. User id=2 is admin and the response includes ssh_password. Increment the ID.

🐀🐀 Easy
○ User ○ Root
Start →
Machine 02 Offline
API Profile
Mass Assignment

PUT /api/v1/profile accepts any field in the JSON body, including role. Set role=admin and the response unlocks admin SSH credentials. No server-side filtering.

🐀🐀 Easy
○ User ○ Root
Start →
Machine 03 Offline
API Auth
JWT Attacks

HS256 with secret=secret, plus alg:none accepted. Crack the weak secret or strip the signature entirely to forge an admin JWT and access protected endpoints.

🐀🐀🐀 Medium
○ User ○ Root
Start →
Machine 04 Offline
API Admin
BFLA

Admin endpoint returns 403 normally. Adding X-Internal-Request:true bypasses the auth check entirely. One header, full admin access. Check your request headers.

🐀🐀🐀 Medium
○ User ○ Root
Start →
☠ Series Finale
Machine 05 Offline
API Fetch
SSRF

POST /api/v1/fetch fetches any URL server-side. Point it at localhost:8080/internal/dump — that endpoint returns the SSH private key. Classic SSRF data exfil.

🐀🐀🐀🐀 Hard
○ User ○ Root
Start →

Attack Chain

Recommended order of attack.

Start Here
Machine 01
API Users
IDOR
Machine 02
API Profile
Mass Assign
Machine 03
API Auth
JWT
Machine 04
API Admin
BFLA
Machine 05
API Fetch
SSRF

Ready to own the API?

Five broken access controls. Five real bounty-class bugs. OWASP API Top 10 in one series.

Create Free Account Browse All Challenges →

Launching 11 July 2026 — API security series covering OWASP API Top 10 attack patterns.