API Security — Advanced Vocabulary

Tip: API security vulnerabilities top the OWASP API Top 10 — understanding them helps you both build and audit APIs.

Exercise 1 of 5

The security engineer says: 'Our mobile app uses PKCE — it generates a code verifier and sends only a code challenge in the authorization request, preventing interception attacks.'

What attack does PKCE (Proof Key for Code Exchange) primarily defend against?

Exercise 2 of 5

The API review flags: 'This endpoint returns the full user object including SSN and salary — but the mobile app only needs name and avatar.'

What OWASP API vulnerability does this describe?

Exercise 3 of 5

The attacker forges a JWT by changing the algorithm header to 'none' — and the server accepts it without verifying a signature.

What JWT vulnerability is being exploited?

Exercise 4 of 5

The engineer implements rate limiting: '100 requests per minute per API key — if exceeded, return 429 Too Many Requests with a Retry-After header.'

What threat does API rate limiting primarily mitigate?

Exercise 5 of 5

The code review finds: 'This PATCH endpoint accepts any field the user sends — including the role field. A user could promote themselves to admin.'

What vulnerability is this?