diff --git a/app/lab/api-hacking/api-1/Indexupdatepassword.php b/app/lab/api-hacking/api-1/Indexupdatepassword.php new file mode 100644 index 0000000..e6a0f6a --- /dev/null +++ b/app/lab/api-hacking/api-1/Indexupdatepassword.php @@ -0,0 +1,26 @@ + + + + + + + <?php echo $strings["updatePassword"] ?> + + + + +
+

+

+
+ +
+ +
+
+ + + diff --git a/app/lab/api-hacking/api-1/adminindex.php b/app/lab/api-hacking/api-1/adminindex.php new file mode 100644 index 0000000..c086556 --- /dev/null +++ b/app/lab/api-hacking/api-1/adminindex.php @@ -0,0 +1,30 @@ + + + + + + + <?php echo $strings["adminAccount"] ?> + + + + +
+

+

+

+
+
+ + +
+ +
+
+ + + + diff --git a/app/lab/api-hacking/api-1/api.php b/app/lab/api-hacking/api-1/api.php new file mode 100644 index 0000000..052958e --- /dev/null +++ b/app/lab/api-hacking/api-1/api.php @@ -0,0 +1,67 @@ + $user) { + if ($user['username'] === $username) { + unset($users[$key]); + $userFound = true; + break; + } + } + if ($userFound) { + writeData($users); + echo "Kullanıcı başarıyla silindi."; + } else { + echo "Kullanıcı bulunamadı. Kullanıcı adı: $username"; + } +} diff --git a/app/lab/api-hacking/api-1/en.ini b/app/lab/api-hacking/api-1/en.ini new file mode 100644 index 0000000..2a5d101 --- /dev/null +++ b/app/lab/api-hacking/api-1/en.ini @@ -0,0 +1,17 @@ +title="API Hacking" +login="Login" +username="Username:" +password="Password:" +defaultLogin="Default Login:" +adminAccount="Admin Account" +userAccount="User Account" +adminLogin="Hello Admin." +userLogin="Hello User Account." +welcomeSystem="Welcome to System!" +updatePassword="Update Password" +enterNewPassword="Enter New Password:" +reset="Reset" +logOut="Log out" +passwordUpdated="Password Updated" + SuccesfulPassword="Password successfully updated" + NewSuccesfulPassword="Your new password has been successfully updated." \ No newline at end of file diff --git a/app/lab/api-hacking/api-1/fr.ini b/app/lab/api-hacking/api-1/fr.ini new file mode 100644 index 0000000..3b649a4 --- /dev/null +++ b/app/lab/api-hacking/api-1/fr.ini 
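Review bot: In api.php, `unset($users[$key])` inside the delete loop leaves a hole in the array, so if writeData() JSON-encodes it the stored users turn from a list into an object keyed by the surviving indices, which later list-based readers may not handle; pass `writeData(array_values($users));` instead. The not-found branch also interpolates the submitted `$username` verbatim into the response body, and the updatepassword.php hunk in this commit appears to print that body back to the browser, so it should be escaped for the HTML context: `echo "Kullanıcı bulunamadı. Kullanıcı adı: " . htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. These messages are hard-coded in Turkish while the rest of the lab reads its text from `$strings` loaded from the ini files. The start of the hunk, including the function header and where `$username` is read from, is not visible here.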
@@ -0,0 +1,17 @@ +title="Piratage de l'API" +login="Connexion" +username="Nom d'utilisateur" +password="Mot de passe" +defaultLogin="Connexion par défaut" +adminAccount="Compte administratif" +userAccount="User Account" +adminLogin="Bonjour Utilisateur Admin" +userLogin="Bonjour compte utilisateur." +welcomeSystem="Bienvenue dans le système !" +updatePassword="Mise à jour du mot de passe" +enterNewPassword="Entrez votre nouveau mot de passe :" +reset="réinitialiser" +logOut="Sortie" +passwordUpdated="Mise à jour du mot de passe" + SuccesfulPassword="Mise à jour du mot de passe réussie" + NewSuccesfulPassword="Votre nouveau mot de passe a été mis à jour avec succès." \ No newline at end of file diff --git a/app/lab/api-hacking/api-1/index.php b/app/lab/api-hacking/api-1/index.php new file mode 100644 index 0000000..e67aa07 --- /dev/null +++ b/app/lab/api-hacking/api-1/index.php @@ -0,0 +1,35 @@ + + + + + + + <?php echo $strings["login"] ?> + + + + +
+

+
+
+ + +
+
+ + +
+ +


user / user

+
+
+ +
+
+ + + diff --git a/app/lab/api-hacking/api-1/login.php b/app/lab/api-hacking/api-1/login.php new file mode 100644 index 0000000..d8c890b --- /dev/null +++ b/app/lab/api-hacking/api-1/login.php @@ -0,0 +1,34 @@ + "admin", "password" => "admin"), + array("username" => "user", "password" => "user") +); + +// Convert to JSON format +$defaultData = json_encode($defaultUsers, JSON_PRETTY_PRINT); + +// Write to main1.json +file_put_contents('main1.json', $defaultData); + +// Redirect to Index page +header("Location: index.php"); +exit; diff --git a/app/lab/api-hacking/api-1/style.css b/app/lab/api-hacking/api-1/style.css new file mode 100644 index 0000000..a569173 --- /dev/null +++ b/app/lab/api-hacking/api-1/style.css @@ -0,0 +1,42 @@ + body { + + height: 100vh; + margin: 0; + } + + .container { + width: 300px; + padding: 20px; + border: 1px solid #ccc; + border-radius: 5px; + background-color: #f9f9f9; + text-align: center; + } + + .input-group { + margin-bottom: 20px; + } + + input[type="text"], + input[type="password"] { + width: calc(100% - 16px); /* Düğme genişliğini ayarlamak için */ + padding: 8px; + margin-bottom: 10px; + border: 1px solid #203069; + border-radius: 4px; + box-sizing: border-box; + } + + button { + width: calc(100% - 16px); /* Düğme genişliğini ayarlamak için */ + padding: 10px; + border: none; + border-radius: 4px; + background-color: #203069; + color: white; + cursor: pointer; + } + + button:hover { + background-color: #203069; + } diff --git a/app/lab/api-hacking/api-1/tr.ini b/app/lab/api-hacking/api-1/tr.ini new file mode 100644 index 0000000..195da94 --- /dev/null +++ b/app/lab/api-hacking/api-1/tr.ini 
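Review bot: In login.php, `file_put_contents('main1.json', $defaultData)` resolves the path against the process working directory rather than the script's directory, and its return value is ignored, so a failed write still redirects to index.php as if the reset had succeeded. Anchor the path and check the result: `if (file_put_contents(__DIR__ . '/main1.json', $defaultData) === false) { http_response_code(500); exit('Could not write user data'); }`. The default-user definitions also use the long `array(...)` syntax where `[]` is the current convention. The beginning of this hunk is not visible, so it is unclear whether anything is validated before the reset runs.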
@@ -0,0 +1,17 @@ +title="API Zaafiyeti" +login="Giriş" +username="Kullanıcı Adı:" +password="Şifre:" +defaultLogin="Varsayılan Giriş:" +adminAccount="Admin Kullanıcı" +userAccount="User Kullanıcı" +adminLogin="Merhaba Admin Kullanıcısı" +userLogin="Merhaba User Kullanıcısı." +welcomeSystem="Sisteme Hoşgeldiniz!" +updatePassword="Parolayı Güncelle" +enterNewPassword="Yeni Şifrenizi Giriniz:" +reset="Değişiklikleri Sıfırla" +logOut="Çıkış Yap" +passwordUpdated="Şifre Güncellendi" +SuccesfulPassword="Şifre Başarıyla Güncellendi" +NewSuccesfulPassword="Yeni şifreniz başarıyla güncellenmiştir." \ No newline at end of file diff --git a/app/lab/api-hacking/api-1/updatepassword.php b/app/lab/api-hacking/api-1/updatepassword.php new file mode 100644 index 0000000..b84d5c8 --- /dev/null +++ b/app/lab/api-hacking/api-1/updatepassword.php @@ -0,0 +1,37 @@ + $username, + 'newpassword' => $newPassword + ); + + // Send request to API + $response = sendRequest($apiUrl, $data); + + // Print the response from the API to the screen + echo $response; +} + diff --git a/app/lab/api-hacking/api-1/userFound.php b/app/lab/api-hacking/api-1/userFound.php new file mode 100644 index 0000000..9022380 --- /dev/null +++ b/app/lab/api-hacking/api-1/userFound.php @@ -0,0 +1,24 @@ + + + + + + + <?php echo $strings["passwordUpdated"] ?> + + + + +
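Review bot: In updatepassword.php, `echo $response;` prints the API response body to the browser verbatim; the api.php hunk in this commit reflects the submitted username into one of its messages, so the printed text is partly caller-controlled and should be escaped for the HTML context with `echo htmlspecialchars((string) $response, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. sendRequest() is not visible here; if it can return false on a transport failure, that case is currently printed as an empty string and deserves an explicit check before the echo. The enclosing function begins outside the visible part of the hunk.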
+

+

+
+ +
+
+ + + \ No newline at end of file diff --git a/app/lab/api-hacking/api-1/userindex.php b/app/lab/api-hacking/api-1/userindex.php new file mode 100644 index 0000000..6d43d75 --- /dev/null +++ b/app/lab/api-hacking/api-1/userindex.php @@ -0,0 +1,29 @@ + + + + + + + <?php echo $strings["userAccount"] ?> + + + + +
+

+

+

+
+
+ + +
+ +
+
+ + + diff --git a/app/main.json b/app/main.json index 7a5356b..37dbcbf 100644 --- a/app/main.json +++ b/app/main.json 
@@ -996,5 +996,41 @@ } ] + }, + { + "id": 13, + "title": { + "en": "API Hacking", + "tr": "API Zaafiyeti", + "fr": "Piratage de l'API", + "ar": "" + }, + "description": { + "en": "API hacking simply refers to malicious attacks on the APIs of an application or a system. APIs (Application Programming Interface) are interfaces that allow software applications to communicate with each other. Many web services and applications exchange data and extend their functionality through APIs.", + "tr": "API hacking, kısaca bir uygulamanın veya bir sistemin API'ları üzerinden yapılan kötü niyetli saldırıları ifade eder. API'lar (Application Programming Interface), yazılım uygulamalarının birbirleriyle iletişim kurmasını sağlayan arayüzlerdir. Birçok web hizmeti ve uygulama, API'ler aracılığıyla veri alışverişi yapar ve işlevselliğini genişletir.", + "fr": "Le piratage d'API fait brièvement référence aux attaques malveillantes sur les API d'une application ou d'un système. Les API (Application Programming Interface) sont des interfaces qui permettent aux applications logicielles de communiquer entre elles. De nombreux services web et applications échangent des données et étendent leurs fonctionnalités par le biais d'API.", + "ar": "" + }, + "imgURL": "public/assets/img/vulns/api.png", + "labs": [ + { + "id": 1, + "title": { + "en": "IDOR with API Vulnerability", + "tr": "API Zaafiyeti ile IDOR", + "fr": "IDOR avec vulnérabilité de l'API", + "ar": "" + }, + "description": { + "en": "Create IDOR by exploiting API Vulnerability. Manipulate the password information of User User and Admin User.", + "tr": "API Zaafiyetini istismar ederek IDOR oluştur. User Kullanıcısı ile Admin Kullanıcısının password bilgisini manipüle et.", + "fr": "Créer un IDOR en exploitant la vulnérabilité de l'API. Manipuler les informations de mot de passe de l'utilisateur et de l'administrateur.", + "ar": "" + }, + "url": "/lab/api-hacking/api-1", + "vulnID": 13 + } + ] } + ] \ No newline at end of file 
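Review bot: The new entry's `"imgURL": "public/assets/img/vulns/api.png"` does not match the file this commit adds, `app/public/assets/img/vulns/API.png`, so on a case-sensitive filesystem the image will not resolve. Either change the entry to `"imgURL": "public/assets/img/vulns/API.png"` or rename the added file to lower case to match the existing entries. The `"ar"` title and description strings are left empty, which presumably renders as blank text for that locale.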
diff --git a/app/public/assets/img/vulns/API.png b/app/public/assets/img/vulns/API.png new file mode 100644 index 0000000..3faf2ab Binary files /dev/null and b/app/public/assets/img/vulns/API.png differ