Skip to content
An intentionally designed broken web application based on REST API.
Python CSS HTML JavaScript Dockerfile
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
Tiredful-API Undefined name serializer issue fixed. Closed #6 Dec 7, 2017
Dockerfile Added a Dockerfile and updated the README file. Dec 1, 2017
LICENSE Create LICENSE Nov 29, 2017 Link to updated repository Aug 31, 2019
Tiredful-API.jpg Intro updated Nov 23, 2017
requirements.txt First code commit Nov 23, 2017

What is Tiredful API?

Tiredful API is intentionally designed broken app. The aim of this web app is to teach developers, QA or security professionals about flaws present in webservices (REST API) due to insecure coding practice.

Tiredful API image

Who can use Tiredful API?

  • Web developers
  • Web Pentesters
  • Security Professionals
  • Student

What is included in Tiredful API?

I tried to cover most of the vulnerabilities, I am sure that we have missed some vulnerabilities.Please ping me if you know any good vulnerability that should be included. For now I have included following vulnerabilities.

  • Information Disclosure
  • Insecure Direct Object Reference
  • Access Control
  • Throttling
  • SQL Injection (SQLite)
  • Cross Site Scripting.

You can see solution here

Can I contribute?

Yes, you can help by sending us the details of vulnerabilities that we can implement in future versions of Tiredful API. Please mail us at info[at] with subject "Tiredful API Scenario".

Where can I get Tiredful API?

Source can be downloaded from link.

How to run Tiredful API?

Tiredful API is developed using Django Framework and Django Rest Framework, so for running the web server user needs execute following command.

  • Navigate to the source folder and locate file.
  • Then execute python runserver.
  • If static files are not getting load, then execute above command with insecure flag i.e. python runserver --insecure If you are facing any issue starting the web server please refer django documentation admin or django documentation tutorial. Please ping me if you are still not able to run development server.

Note: It is recommended to use required libraries with the version specified in the requirements.txt. Please refer this more details

Docker Container

You can run Tiredful via Docker. Simply execute:

docker build -t tiredful .
docker run -p 8000:8000 --name tiredful -it tiredful

Browse to http://localhost:8000/ and you are all set. Use CTRL-C to shut down the server.

Added new JWT based scenarios. Updated repository available at repo

Feedback and Bug Reports.

We would love to hear from you about your experience with Tiredful API. Please send us an email on info [at] payatu [dot] com or siddharth [dot] bezalwar [at] gmail [dot] com with Subject "Tiredful API Issue" based on what you want to share. Please include the below in your email.

  • Operating system with version.
  • Django Framework used.
  • Steps to replicate issue.


Siddharth Bezalwar

@fattu_medjai | siddharth [dot] bezalwar [at] gmail [dot] com

About Payatu

Payatu is a boutique security testing company with specialization in:

  • IoT Security
  • Mobile Security
  • Cloud security
  • Web Security We also organize two International Security Conferences

nullcon International Security Conference - Hardware Security Conference - Website: Email: info (at) payatu dot com

You can’t perform that action at this time.