This project intentionally contains vulnerabilities mapped to OWASP API Security Top 10 (2023) so students can identify and fix them.
```bash
# Java 17 + Maven required
mvn spring-boot:run
# H2 Console: http://localhost:8080/h2-console (JDBC URL: jdbc:h2:mem:apilab)
```

Seeded users:

- alice / alice123 (USER)
- bob / bob123 (ADMIN)
Login to get a JWT:

```bash
curl -s -X POST http://localhost:8080/api/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"username":"alice","password":"alice123"}'
# => {"token":"<JWT>"}
```

Use the token:

```bash
export T="<JWT>"
curl -H "Authorization: Bearer $T" http://localhost:8080/api/accounts/mine
```

The exercises use the lab's own numbering. Note that the labels mix the 2019 and 2023 editions of the list: in the 2023 edition API3 is Broken Object Property Level Authorization (which covers both excessive data exposure and mass assignment), API6 is Unrestricted Access to Sensitive Business Flows, API7 is Server Side Request Forgery and API8 is Security Misconfiguration.

- API1: Broken Object Level Authorization (BOLA/IDOR)
- API2: Broken Authentication
- API3: Excessive Data Exposure
- API4: Unrestricted Resource Consumption
- API5: Broken Function Level Authorization
- API6: Mass Assignment
- API7: Security Misconfiguration
- API8: Weak Authentication / JWT issues
- API9: Improper Inventory / Injection-like search
- API10: Unsafe Consumption of APIs (discussion prompt)
- Replace plaintext passwords with BCrypt; add signup flow and migrate existing seeds.
- Tighten `SecurityFilterChain`: remove `permitAll` on `/api/**`, require authentication; enforce role checks.
- In controllers, enforce ownership: a user can only access their own resources (map the JWT subject to a userId).
- Implement DTOs to control data exposure; never return password, role, or admin flags.
- Add rate limiting (Bucket4j/Resilience4j) to sensitive endpoints.
- Prevent Mass Assignment: use explicit request DTOs without `role`/`isAdmin`, or validate them server-side.
- Harden JWT: strong key from env, short TTL, add issuer/audience, validate signature & expiry strictly.
- Reduce error detail in production; proper exception mapping and logging.
- Add input validation; reject negative or huge transfers.
- Add integration tests to capture fixed behavior.
- Keep a list of fixes and submit a PR describing how each vulnerability was addressed.
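The following is an added example of what the authorization, DTO and validation fixes above can look like once combined; it is not the lab's own code. It assumes Spring Boot 3 / Spring Security 6, an existing `Account` JPA entity with `getId()`, `getOwnerUsername()`, `getBalance()`/`setBalance()`, an `AccountRepository`, and a `JwtAuthFilter` that sets the `Authentication` name to the JWT subject; all of those names, the `/api/admin/**` path and the transfer ceiling are assumptions.

```java
// Added example (assumed names, not the lab's code): hardened filter chain, BCrypt,
// ownership checks, response/request DTOs and transfer validation in one place.
package com.example.apilab.security;

import java.math.BigDecimal;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;

@Configuration
class SecurityConfig {

    // API2: BCrypt replaces plaintext comparison; seed rows must be re-encoded with encoder.encode(...)
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }

    // API5/API7: no permitAll on /api/**; only login is open, admin paths need the role, rest is closed.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtAuthFilter jwtAuthFilter) throws Exception {
        http.csrf(csrf -> csrf.disable()) // stateless bearer-token API, no session cookie to ride
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/auth/login").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .requestMatchers("/api/**").authenticated()
                .anyRequest().denyAll())          // H2 console and anything unlisted: closed
            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}

// API3: the response DTO carries only what the client needs; no password, role or admin flag.
record AccountView(long id, BigDecimal balance) {
    static AccountView of(Account a) { return new AccountView(a.getId(), a.getBalance()); }
}

// API6: the request DTO has no role/isAdmin field, so extra JSON properties never reach the entity.
record TransferRequest(long toAccountId, BigDecimal amount) {}

@RestController
@RequestMapping("/api/accounts")
class AccountController {
    private static final BigDecimal MAX_TRANSFER = new BigDecimal("100000"); // assumed business limit
    private final AccountRepository accounts;

    AccountController(AccountRepository accounts) { this.accounts = accounts; }

    // API1: ownership is enforced on every object lookup, not only on the "mine" listing.
    private Account ownedAccount(long id, Authentication auth) {
        Account a = accounts.findById(id)
            .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
        if (!a.getOwnerUsername().equals(auth.getName())) {
            // 404 rather than 403 so an attacker cannot confirm which ids exist
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        return a;
    }

    @GetMapping("/{id}")
    AccountView get(@PathVariable long id, Authentication auth) {
        return AccountView.of(ownedAccount(id, auth));
    }

    @PostMapping("/{id}/transfer")
    @Transactional
    AccountView transfer(@PathVariable long id, @RequestBody TransferRequest req, Authentication auth) {
        // Input validation: reject missing, zero, negative, oversized and self transfers.
        if (req.amount() == null || req.amount().signum() <= 0
                || req.amount().compareTo(MAX_TRANSFER) > 0 || req.toAccountId() == id) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "invalid transfer");
        }
        Account from = ownedAccount(id, auth);
        if (from.getBalance().compareTo(req.amount()) < 0) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "insufficient funds");
        }
        Account to = accounts.findById(req.toAccountId())
            .orElseThrow(() -> new ResponseStatusException(HttpStatus.BAD_REQUEST, "invalid transfer"));
        from.setBalance(from.getBalance().subtract(req.amount()));
        to.setBalance(to.getBalance().add(req.amount()));
        accounts.save(from);
        accounts.save(to);
        return AccountView.of(from);
    }
}
```

Two points worth checking in your own fix: `/api/accounts/mine` stays correct only because it is keyed on `auth.getName()` rather than a client-supplied id, and the `denyAll()` fallback means the H2 console must be explicitly opened (and only in a dev profile) if you still need it.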
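For the "Harden JWT" item, here is an added example of issuing and verifying tokens with the properties the list asks for (key from the environment, short TTL, issuer and audience, strict signature and expiry checks). It is not the lab's code; it assumes the jjwt library (`io.jsonwebtoken`, 0.11.x API), an environment variable named `APILAB_JWT_SECRET`, and the issuer/audience strings shown, all of which are assumptions.

```java
// Added example (assumed library and names, not the lab's code): hardened JWT issue/verify.
package com.example.apilab.security;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import javax.crypto.SecretKey;

public final class JwtService {
    private static final String ISSUER = "apilab";          // assumed value
    private static final String AUDIENCE = "apilab-clients"; // assumed value
    private static final Duration TTL = Duration.ofMinutes(15);

    private final SecretKey key;

    public JwtService(String secret) {
        // hmacShaKeyFor throws WeakKeyException for keys under 256 bits, so a short or
        // default secret fails at startup instead of silently producing forgeable tokens.
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    // Strong key from the environment; never a literal in the source tree.
    public static JwtService fromEnv() {
        String secret = System.getenv("APILAB_JWT_SECRET");
        if (secret == null || secret.isBlank()) {
            throw new IllegalStateException("APILAB_JWT_SECRET must be set");
        }
        return new JwtService(secret);
    }

    public String issue(String username, String role) {
        Instant now = Instant.now();
        return Jwts.builder()
            .setSubject(username)
            .claim("role", role)
            .setIssuer(ISSUER)
            .setAudience(AUDIENCE)
            .setIssuedAt(Date.from(now))
            .setExpiration(Date.from(now.plus(TTL)))
            .signWith(key, SignatureAlgorithm.HS256)
            .compact();
    }

    /**
     * Returns verified claims. Throws a JwtException subclass for a bad signature,
     * an unsigned ("alg":"none") token, a wrong or missing iss/aud, or an expired token.
     */
    public Claims verify(String token) throws JwtException {
        return Jwts.parserBuilder()
            .setSigningKey(key)               // parseClaimsJws rejects unsigned tokens outright
            .requireIssuer(ISSUER)
            .requireAudience(AUDIENCE)
            .setAllowedClockSkewSeconds(30)   // tolerate small clock drift, not missing exp
            .build()
            .parseClaimsJws(token)
            .getBody();
    }
}
```

Generate the secret once with something like `openssl rand -base64 48` and inject it through the environment; the JWT filter should catch `JwtException`, reject the request with 401 and log the failure class without echoing the token.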