Vulnerable Test API

Endpoints (all are intentionally vulnerable):

• /health
• /debug — env + memory dump (info disclosure)
• /auth-info — auth metadata
• /users — dumps all users (excessive data)
• /users/1 — BOLA / IDOR
• /users/2
• /search?q=test — reflected XSS + SQLi
• /echo?msg=hello — reflection
• /fetch?url=... — SSRF
• /products — list
• /products/1 — IDOR
• /orders/1 — BOLA
• /admin/stats — BFLA (no auth)
• /files?name=... — path traversal
• /protected — JWT none alg
• /api — API index
• /cookie-test — sets insecure cookies (cookie_security finding)
• /leaked — exposed credentials (info_disclosure finding)