# API testing

- [Lab #1: Exploiting an API endpoint using documentation](/web/api-testing/lab-1-exploiting-an-api-endpoint-using-documentation.md): https://portswigger.net/web-security/api-testing/lab-exploiting-api-endpoint-using-documentation
- [Lab #2: Exploiting server-side parameter pollution in a query string](/web/api-testing/lab-2-exploiting-server-side-parameter-pollution-in-a-query-string.md)
- [Lab #3: Finding and exploiting an unused API endpoint](/web/api-testing/lab-3-finding-and-exploiting-an-unused-api-endpoint.md): https://portswigger.net/web-security/api-testing/lab-exploiting-unused-api-endpoint
- [Lab #4: Exploiting a mass assignment vulnerability](/web/api-testing/lab-4-exploiting-a-mass-assignment-vulnerability.md): https://portswigger.net/web-security/api-testing/lab-exploiting-mass-assignment-vulnerability
- [Lab #5: Exploiting server-side parameter pollution in a REST URL](/web/api-testing/lab-5-exploiting-server-side-parameter-pollution-in-a-rest-url.md): https://portswigger.net/web-security/api-testing/server-side-parameter-pollution/lab-exploiting-server-side-parameter-pollution-in-rest-url