OWASP API Security Top 10–2

4 min readFeb 25, 2024

TL;DR Walkthrough of TryHackMe’s OWASP API Security Top 10 Part 2 room.

A full list of our TryHackMe walkthroughs and cheatsheets is here.


For some reason known only to God, THM decided to require NLA on some of their VMs as of 23 Feb 2024. This caused me to get weird errors attempting to connect via xfreerdp or rdesktop from my Kali VM.

After a bit of Googling and getting nowhere in Kali I simply dropped THM’s *.ovpn file into


on my Windows 10 Pro host OS on my refurbished Dell Latitude 5580 laptop. Once I did this I was able to RDP into THM’s VM successfully.

That was actually the most complicated part of this room. The rest was really straightforward. All I did was copy/paste and then tweak the same Invoke-WebRequest GET and POST requests I used in the OWASP Top 10 Part I room. More practice is always good.

— — Task 1 — -

xfreerdp /v: /p:Administrator /p:Owasp@123 /dynamic-resolution

rdesktop -u Administrator -p Owasp@123 -f

If neither of those works for you due to NLA then from Windows

mstsc /v:

— — Task 2 — -

Is it a good practice to blindly insert/update user-provided data in the database (yea/nay)?


Using /apirule6/user_s, insert a record in the database using the credit value as 1000.

No answer needed

What would be the returned credit value after performing Question#2?


$postParams = @{name="Bob";username="bob_mht";password="#ge*byA@35U6";credit="1000"}
$headerParams = @{"Content-Type"="application/x-www-form-urlencoded"}
$Result = Invoke-WebRequest -Uri "http://localhost:80/MHT/apirule6/user_s" -Method Post -Body $postParams -Headers $headerParams
If($Result.Content -ne "$null")

— — Task 3 — -

Is it an excellent approach to show error logs from the stack trace to general visitors (yea/nay)?


Try to use the API call /apirule7/ping_s in the attached VM.

No answer needed

What is the HTTP response code?


What is the Error ID number in the HTTP response message?


$Result = Invoke-WebRequest -Uri "http://localhost:80/MHT/apirule7/ping_s" -Method Get

As one will notice in the screenshot below, I did not get a 500 in response, I continued to get a 200 and error details. THM may have screwed up their API.

— — Task 4 — -

Can injection attacks be carried out to extract data from the database (yea/nay)?


Can injection attacks result in remote code execution (yea/nay)?


What is the HTTP response code if a user enters an invalid username or password?


Note that we still get a 200 response following the 403 though:


I ran the one a couple times trying the SQL injection technique, even putting “Invalid” as the password. I still got a 200 StatusCode and an authkey in the response. I think THM might have screwed up their API.

$postParams = @{password="Invalid";username="admin"}
$Result = Invoke-WebRequest -Uri "http://localhost:80/MHT/apirule8/user/login_v" -Method Post -Body $postParams
#$postParams = @{password="' OR 1=1 --'";username="admin"}

— — Task 5 — -

Is it good practice to host all APIs on the same server (yea/nay)?


Make an API call to /apirule9/v1/user/login using the username “Alice” and password “##!@#!!”.

No answer needed

What is the amount of balance associated with user Alice?


What is the country of the user Alice?


$postParams = @{username="alice";password="##!@#!!"}
$Result = Invoke-WebRequest -Uri "http://localhost:80/MHT/apirule9/v1/user/login" -Method Post -Body $postParams

— — Task 6 — -

Should the API logs be publically accessible so that the attacker must know they are being logged (yea/nay)?


What is the HTTP response code in case of successful logging of user information?


$Result = Invoke-WebRequest -Uri "http://localhost:80/MHT/apirule10/logging" -Method Get

— — Task 7 — -

No answer needed


Overall this room was really just more practice on the same techniques used in Part I.

However the point is important:

  • Webapps are by definition public facing.
  • An attacker can send that webapp any input they want, regardless of what form the webpage presents the casual user.
  • Attackers will find any directories or legacy webapps that are still accessible if you forget about them.

Therefore server side input validation is a best practice.


Invoke-WebRequest POST with parameters: https://stackoverflow.com/questions/17325293/invoke-webrequest-post-with-parameters

Invoke-WebRequest: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4




I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.