API Security — Advanced Vocabulary
Exercise 1 of 5
The security engineer says: 'Our mobile app uses PKCE — it generates a code verifier and sends only a code challenge in the authorization request, preventing interception attacks.'
What attack does PKCE (Proof Key for Code Exchange) primarily defend against?
PKCE prevents authorization code interception attacks — a malicious app that intercepts the auth code can't exchange it without the original code verifier.
Exercise 2 of 5
The API review flags: 'This endpoint returns the full user object including SSN and salary — but the mobile app only needs name and avatar.'
What OWASP API vulnerability does this describe?
Excessive data exposure (OWASP API #3) occurs when an API returns more data than the client needs, relying on the client to filter — exposing sensitive fields unnecessarily.
Exercise 3 of 5
The attacker forges a JWT by changing the algorithm header to 'none' — and the server accepts it without verifying a signature.
What JWT vulnerability is being exploited?
The alg:none attack exploits servers that accept unsigned JWTs when the algorithm header is set to 'none'. Libraries should explicitly reject this algorithm.
Exercise 4 of 5
The engineer implements rate limiting: '100 requests per minute per API key — if exceeded, return 429 Too Many Requests with a Retry-After header.'
What threat does API rate limiting primarily mitigate?
Rate limiting prevents brute force attacks (credential stuffing, OTP guessing) and protects server resources from abuse — the 429 status and Retry-After header guide compliant clients.
Exercise 5 of 5
The code review finds: 'This PATCH endpoint accepts any field the user sends — including the role field. A user could promote themselves to admin.'
What vulnerability is this?
Mass assignment occurs when an API binds all incoming request fields to model attributes without allowlisting — allowing attackers to set sensitive fields like role or balance.