Free API for Security Testing Practice
Practice the OWASP API Security Top 10 against a public sandbox you are explicitly allowed to attack. Real JWT, real OAuth2, real role boundaries — and intentional rough edges to discover.
What you can practice
| OWASP API risk | Try this |
|---|---|
| API1: BOLA / IDOR | Get user A's token → fetch user B's record by ID |
| API2: Broken authentication | Replay an expired JWT; tamper with the payload; remove the signature |
| API3: Excessive data exposure | Compare list-endpoint fields to detail-endpoint fields |
| API5: Broken function-level auth | Call admin endpoints with a user-scope token — expect 403 |
| API6: Mass assignment | POST /users with { "isAdmin": true } — does it stick? |
| API8: Injection | Try SQL/NoSQL payloads in filters and search params |
| API10: Insufficient logging | Look for X-Request-Id echo in responses |
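The authorisation rows of the table (API1, API3, API5, API6) all probe the same question from the outside: does the server decide access from the caller's identity and role, or from whatever the request claims? The following is an added example written for this page, not the sandbox's own code, showing the server-side checks those tests are designed to catch when missing. The in-memory user store, the field names and the `Principal`/`Response` types are constructed for the demo.

```python
"""Added example: the server-side counterparts of the BOLA, data-exposure,
function-level-auth and mass-assignment tests (not the sandbox's code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory store standing in for the sandbox database.
USERS = {
    1: {"id": 1, "email": "alice@example.test", "role": "user", "isAdmin": False, "ssn": "***"},
    2: {"id": 2, "email": "bob@example.test", "role": "user", "isAdmin": False, "ssn": "***"},
    3: {"id": 3, "email": "root@example.test", "role": "admin", "isAdmin": True, "ssn": "***"},
}

# API6: the only fields a caller may supply when creating a user. Everything
# else (isAdmin, role, id) is dropped rather than copied from the request body.
CREATABLE_FIELDS = frozenset({"email", "displayName"})

# API3: the list endpoint projects each record to this subset; sensitive
# columns are only ever returned by the (authorised) detail endpoint.
LIST_FIELDS = ("id", "email")


@dataclass
class Principal:
    """Identity taken from a verified token, never from a request parameter."""
    sub: int
    role: str


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_user(caller: Principal, user_id: int) -> Response:
    """API1/BOLA: a valid token is not enough; the caller must own the object or be admin."""
    if caller.role != "admin" and caller.sub != user_id:
        return Response(403, {"error": "forbidden"})
    record = USERS.get(user_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, dict(record))


def list_users(caller: Principal) -> Response:
    """API3: compare these fields with get_user's; the list view must be the narrower one."""
    return Response(200, {"users": [{k: u[k] for k in LIST_FIELDS} for u in USERS.values()]})


def delete_user(caller: Principal, user_id: int) -> Response:
    """API5: admin-only function; a user-scope token gets 403 whatever id it names."""
    if caller.role != "admin":
        return Response(403, {"error": "admin only"})
    USERS.pop(user_id, None)
    return Response(204)


def create_user(caller: Principal, payload: dict) -> Response:
    """API6: build the record from an allowlist, so {"isAdmin": true} in the body never sticks."""
    record = {k: payload[k] for k in CREATABLE_FIELDS if k in payload}
    if "email" not in record:
        return Response(400, {"error": "email required"})
    new_id = max(USERS) + 1
    record.update({"id": new_id, "role": "user", "isAdmin": False})
    USERS[new_id] = record
    return Response(201, dict(record))
```

The one design point worth noticing is that `get_user` checks ownership before it looks the record up, so a forbidden id and a missing id cannot be told apart by probing with someone else's token.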
Authorization to test
You are authorised to perform automated security testing against demo.totalshiftleft.ai for educational purposes. No DDoS, no spam, no destructive load. Per-IP rate limits apply.
Tooling that pairs well
- Burp Suite — proxy your tooling through Burp for request manipulation
- OWASP ZAP — automated active scan from the OpenAPI spec at /openapi.json
- ffuf — fuzzing query parameters and header values
- Schemathesis — property-based fuzzing driven by the OpenAPI spec
- jwt_tool — JWT signature stripping, alg confusion, key confusion attacks
Quick wins to attempt
- Decode the JWT — does it use alg: none? (it doesn't, but try forcing it)
- Refresh-token rotation — does the old refresh token still work after rotation?
- Bulk endpoints — can you bypass authorisation by submitting many IDs at once?
- Verbose errors — does any 5xx response leak a stack trace or DB column name?
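The JWT items in the table (API2) and in the list above all test whether a verifier fails closed. As an added example, not code from the sandbox, here is a minimal HS256 verifier that rejects each of those manipulations for a distinct reason, along with the small helpers needed to build the malformed tokens it is checked against. The signing secret and the claims are constructed for the demo; the check order is the point: the algorithm is pinned before any signature is computed, so a forced `alg: none` header never reaches a comparison.

```python
"""Added example (not the sandbox's code): an HS256 JWT verifier that fails
closed on alg:none, a stripped signature, a tampered payload and an expired
token. SECRET and all claims below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"  # placeholder, not the sandbox's signing key


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 token; stands in for the sandbox's login endpoint."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims or raise ValueError with the reason the token was refused."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # binascii.Error and JSONDecodeError are both ValueError
        raise ValueError("undecodable segment") from exc
    # Pin the algorithm from the verifier's side; never trust the header to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    if not signature:
        raise ValueError("missing signature")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    current = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= current:
        raise ValueError("expired or no exp claim")
    return claims


def outcome(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> str:
    """'ok' or the refusal reason, for callers that want a value instead of an exception."""
    try:
        verify(token, secret, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


# The manipulations named above, built here only to feed the verifier.
def strip_signature(token: str) -> str:
    h, p, _ = token.split(".")
    return f"{h}.{p}."


def force_alg_none(token: str) -> str:
    _, p, _ = token.split(".")
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{p}."


def tamper_payload(token: str, **changes) -> str:
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims.update(changes)
    return f"{h}.{_segment(claims)}.{s}"
```

Passing `now` explicitly keeps the expiry check deterministic; in a real service it would be the wall clock, and `exp` is required rather than optional so that a token minted without one is refused instead of living forever.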
Disclosure
Found something interesting? Email security@totalshiftleft.ai — we credit reporters in the changelog.
Frequently asked questions
Is there a bug bounty?
No bounty, but contributors are credited and high-quality reports get a thank-you swag box.
Can I run automated scanners?
Yes, within the rate limit. Anything DDoS-shaped will be blocked at the firewall.
Ready to try it?
Open the live sandbox — REST, GraphQL, SOAP and auth in one place. No signup, no API key.
Open the API Sandbox →