Learn API Hacking - Tarkash is a vulnerable Flask-based API lab for learning and practicing real-world security flaws like JWT, SQLi, XSS, IDOR and more.
ikajakam/learn-api-testing

API Playground - Practice JWT, SQLi, XSS & IDOR

This is a deliberately vulnerable app built for learning.

A hands-on API hacking lab built with Python & Flask — learn and practice exploiting real-world bugs like XSS, SQLi, JWT abuse, IDOR, Authentication and more in one breakable app.


Explore

  • /api/register — Create a user account (safe).
  • /api/login — Auth via secure JWT (in-memory) and vulnerable SQL-based login.
  • /api/upload — Upload files with checks.
  • /api/form?id=0 — Interesting id=0 behavior (custom logic).
  • /api/form?id=X — Test IDOR & XSS via form viewer.
  • /view-form?id=X — Stored XSS rendered on page.

Get an Access Token (cURL Format)

Use these curl commands in your terminal to register and log in:

Register a new user

curl -X POST https://tarkash.surapura.in/api/register \
     -H "Content-Type: application/json" \
     -d '{"username": "masino", "password": "tamburo"}'

Login

curl -X POST https://tarkash.surapura.in/api/login \
     -H "Content-Type: application/json" \
     -d '{"username": "masino", "password": "tamburo"}'

The response will look like:

  {"token":"your-jwt-token"}
  • Save the token. Use it as a Bearer token for all other requests.

Submit a Form (Find the special id=0 flag!)

curl -X PUT "https://tarkash.surapura.in/api/form?id=0" \
     -H "Authorization: Bearer YOUR_JWT_TOKEN_HERE" \
     -H "Content-Type: application/json" \
     -d '{"username":"masino","name":"tamburo","email":"bhootnike","message":"<img src=\"x\" onerror=\"alert(1)\">"}'
  • Explore and tamper with id=0. Understand the response logic, bypasses, and constraints.

File Upload Endpoint

curl -X POST "https://tarkash.surapura.in/api/upload" \
     -H "Authorization: Bearer YOUR_JWT_TOKEN_HERE" \
     -F "file=@/path/to/your/file.jpg"
  • The uploaded file is then served at /uploads/yourfile.jpg

Change other user’s password (admin as well)

Let's say masino is user ID 8:

curl -X POST "https://tarkash.surapura.in/api/change-password" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN_HERE" \
  -H "Content-Type: application/json" \
  -d '{"user_id": 8, "new_password": "pwned-masino123"}'
  • You can also try to guess the admin's password and log in.
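The change-password flaw above is a classic IDOR: the JWT proves that some user is logged in, but the account to modify is taken from the attacker-controlled user_id in the body. The following is an added example, not code from the Tarkash project, showing an HS256 token check (pinned algorithm, HMAC, expiry) and the vulnerable handler beside a fixed one that binds the target to the token's subject unless the caller is an admin. SECRET, the users dict layout and the handler names are constructed for this example.

```python
import base64, hashlib, hmac, json, time

SECRET = b"lab-secret-constructed-for-this-example"  # hypothetical signing key
def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, ttl=3600, now=None):
    """Mint an HS256 JWT whose subject is the logged-in user's id."""
    now = int(time.time()) if now is None else now
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps({"sub": user_id, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def verify_token(token, now=None):
    """Return the payload or None: pins alg to HS256 (so 'none' fails), checks HMAC and expiry."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        payload = json.loads(_b64url_decode(body))
        now = int(time.time()) if now is None else now
        return payload if payload.get("exp", 0) > now else None
    except (ValueError, AttributeError, TypeError):  # malformed segments, base64 or JSON
        return None

def change_password_vulnerable(auth_header, body, users):
    """The lab's flaw: the token proves someone is logged in, but user_id comes from the request body."""
    if verify_token(auth_header.partition(" ")[2]) is None:
        return 401, "invalid token"
    users[body["user_id"]]["password"] = body["new_password"]  # hashing omitted; focus is authorization
    return 200, "password changed"

def change_password_fixed(auth_header, body, users):
    """Fix: the target defaults to the token's subject, and only admins may change other accounts."""
    payload = verify_token(auth_header.partition(" ")[2])
    if payload is None:
        return 401, "invalid token"
    caller_id = payload["sub"]
    target_id = body.get("user_id", caller_id)
    if target_id != caller_id and not users.get(caller_id, {}).get("is_admin", False):
        return 403, "forbidden"  # ordinary users may only change their own password
    if target_id not in users:
        return 404, "no such user"
    users[target_id]["password"] = body["new_password"]
    return 200, "password changed"
```

In a Flask route the same check would read the subject from the verified token and compare it to the requested user_id before touching the database.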

Proxy with Burp

Intercept, inspect and replay API calls from WSL or Kali through Burp Suite.

curl --proxy http://172.26.16.1:8080 -X POST https://tarkash.surapura.in/api/register \
  -H "Content-Type: application/json" \
  -d '{"username": "attacker", "password": "password123"}'

Make sure to:

  • Add a new proxy listener in Burp
  • Bind it to the IP reachable from WSL or the Kali VM
  • Use port 8080 (or another port, as configured)

Trust Burp CA in WSL or Kali (for HTTPS)

Export cert from Burp in .DER format

  • Go to: Burp > Proxy > Proxy settings > Import / Export CA
  • Export as .DER format

Convert DER to CRT

openssl x509 -inform DER -in ~/<cert file name> -out ~/burp.crt

Copy to system trusted certs

sudo cp ~/burp.crt /usr/local/share/ca-certificates/

Update trusted certs

sudo update-ca-certificates

Once done, curl and other CLI tools will trust Burp for HTTPS interception.

Practice Flow

  • Step 1: Register at https://tarkash.surapura.in/api/register with a JSON body like {"username": "test", "password": "pass"}
  • Step 2: Login via /api/login and receive your JWT token
  • Step 3: Submit a form with a message field to /api/form
  • Step 4: View / Edit submitted forms via /api/form?id=1 and exploit IDOR and stored XSS
  • Step 5: Visit /view-form?id=1 to render and trigger your payload (stored XSS)
  • Pop that XSS: submit the form with id=0

HOW TO RUN

Setup Virtual Environment

python3 -m venv venv
source venv/bin/activate

Install Requirements

pip install flask pyjwt werkzeug pytz

Run the Server

python3 app_formsubmit.py

Or, to keep it running in the background:

nohup python3 app_formsubmit.py &

By default, the app runs on: http://127.0.0.1:5000

  • uploads/ folder will be created automatically
  • Logs are saved to app.log
  • Request Logs - Every request is logged with IP, method, headers, etc.
  • Ensure write access to working directory
  • Run pkill python to stop the app

More vulnerable routes will be added; suggestions are welcome.
