TiredFul API is a web app intentionally developed to be insecure. The purpose of the app to teach developers, QA or security professionals about flaws present in webservices (REST API) due to insecure coding practice. Following are the scenarios implemented.
All the APIs are accessed over HTTP. All the requests to the APIs should have ACCEPT header.
All the requests to the APIs using HTTP POST method should have Content-Type header.
Some of the challenges require authentication under an account with appropriate access. For accessing login protected data user needs to provide an access key. Process to obtain the access key is provided in User Token section of the web application.