API-Based XSS: Persisted XSS via API Calls in OWASP Juice Shop
Learn how to perform a persisted XSS attack by interacting directly with the OWASP Juice Shop API.

Lab overview
Web applications often expose backend APIs for client-server communication. These APIs can be a critical attack vector if they lack proper validation or sanitization. In this lab, you will exploit a vulnerability in the OWASP Juice Shop’s product API to perform a persisted Cross-Site Scripting (XSS) attack.
This lab demonstrates:
- How to interact directly with an application’s API without using the frontend.
- How improper input validation in APIs can lead to persisted XSS vulnerabilities.
- The impact of persisted XSS attacks on web application functionality.
Objectives
Upon completing this lab, you will:
- Learn to identify and exploit API vulnerabilities for XSS attacks.
- Understand the risks of improper input validation in backend APIs.
- Recognize the dangers of bypassing frontend controls to manipulate server data directly.
Who is this lab for?
This lab is designed for:
- Developers looking to secure their APIs against XSS vulnerabilities.
- Security professionals seeking to understand XSS exploitation via APIs.
- Learners exploring advanced web application attack techniques.
Verified against your live environment
An automated validation engine inspects your actual resources and configurations as you work. Completion means the task was performed — not multiple choice, real-world proficiency.
More labs like this
Persisted XSS via HTTP Header in OWASP Juice Shop
Learn persisted XSS via HTTP Header by finding and exploiting a vulnerability in OWASP Juice Shop.
Performing Cross-Site Scripting (XSS) Attacks using OWASP Juice Shop
Perform XSS attacks on OWASP Juice Shop to learn how to prevent XSS attacks in your applications in this hands-on lab.
Union-Based SQL Injection: Logging in with a Temporary User in OWASP Juice Shop
Learn about Union-Based SQL Injection by solving the Ephemeral Accountant challenge in OWASP Juice Shop.
Related reading
Environment
Every lab includes
- Real environment, pre-credentialed
- Automated checks on every step
- Isolated sandbox, auto cleanup
- AI-recommended next steps
Lab curriculum
- 01
Understanding API-Based XSS
- 02
Performing Persisted XSS Attack via API
1 automated check
- 03
Mitigation and Takeaways
Skills validated
Not the lab you were looking for?
Browse 150+ hands-on labs across AWS, Azure, Kubernetes, Docker, and cloud security.