Exploiting Hidden Vulnerabilities: Null Byte Injection and API Tampering in OWASP Juice Shop
Learn to exploit hidden vulnerabilities using Poison Null Byte Injection and API request tampering to uncover secrets and manipulate data in OWASP Juice Shop.

Lab overview
Web applications often have hidden vulnerabilities that can be exploited through unexpected inputs or by manipulating API requests. These weaknesses can allow attackers to bypass restrictions, access hidden functionalities, or tamper with data.
In this lab, you will explore two critical vulnerabilities:
- Poison Null Byte Injection: You will learn how a null byte can bypass input validation, enabling you to uncover hidden functionalities, such as finding a hidden Easter egg in the application.
- HTTP Request Tampering: By manipulating PUT requests, you will exploit weak access controls to tamper with product descriptions, changing data on the server.
Both challenges highlight the importance of proper input validation and secure API design in web applications.
Objectives
Upon completion of this lab, you will be able to:
- Understand and exploit Poison Null Byte Injection to bypass application restrictions.
- Manipulate HTTP requests to exploit weak access controls and tamper with data.
- Analyze web application vulnerabilities using browser developer tools.
Who is this lab for?
This lab is designed for:
- Security enthusiasts looking to explore hidden application vulnerabilities.
- Developers who want to understand how improper input validation can be exploited.
- Penetration testers and IT professionals learning about API manipulation and injection attacks.
Verified against your live environment
An automated validation engine inspects your actual resources and configurations as you work. Completion means the task was performed — not multiple choice, real-world proficiency.
More labs like this
CSP Bypass: Exploiting Content Security Policy Vulnerabilities in OWASP Juice Shop
Learn how to bypass Content Security Policies (CSP) to execute XSS attacks by exploiting weaknesses in the OWASP Juice Shop profile page.
API-Based XSS: Persisted XSS via API Calls in OWASP Juice Shop
Learn how to perform a persisted XSS attack by interacting directly with the OWASP Juice Shop API.
Advanced NoSQL Injection: Updating Multiple Product Reviews in OWASP Juice Shop
Learn how to exploit NoSQL Injection to update multiple product reviews in OWASP Juice Shop.
Related reading
Environment
Every lab includes
- Real environment, pre-credentialed
- Automated checks on every step
- Isolated sandbox, auto cleanup
- AI-recommended next steps
Lab curriculum
- 01
What is Poison Null Byte Injection?
- 02
Finding the Hidden Easter Egg
1 automated check
- 03
Manipulating Product Details via API Tempering
1 automated check
- 04
Mitigation and Takeaways
Not the lab you were looking for?
Browse 150+ hands-on labs across AWS, Azure, Kubernetes, Docker, and cloud security.