
add: introduce 10 API security challenges #10

Open
r3y3r53 wants to merge 2 commits into main from add/10-api-challenges

Conversation


@r3y3r53 r3y3r53 commented Mar 18, 2026

Summary

This PR adds 10 new API security challenge environments and updates the challenge catalog/documentation.

Closes #9.

Added Challenges (10)

  • api-bfla-role (Medium)
  • api-bola-order (Easy)
  • api-chain-exploit (Hard)
  • api-gateway-bypass (Hard)
  • api-jwt-kid-injection (Medium)
  • api-oauth-redirect (Medium)
  • api-property-exposure (Easy)
  • api-rate-limit-bypass (Easy)
  • api-version-leak (Medium)
  • api-webhook-ssrf (Hard)

Challenge Details + OWASP API Security Top 10:2023 Mapping

  • api-bfla-role -> OWASP API5:2023 Broken Function Level Authorization
    Missing role checks expose admin endpoints to any authenticated employee.
  • api-bola-order -> OWASP API1:2023 Broken Object Level Authorization
    Order IDs can be enumerated to retrieve another user's order and embedded flag.
  • api-chain-exploit -> OWASP API10:2023 Unsafe Consumption of APIs
    External JSON is trusted and rendered unsafely, enabling SSTI through upstream data.
  • api-gateway-bypass -> OWASP API8:2023 Security Misconfiguration
    Gateway path filtering can be bypassed through percent-encoding and normalization gaps.
  • api-jwt-kid-injection -> OWASP API2:2023 Broken Authentication
    SQL injection in JWT kid lookup lets attackers choose the signing key and forge admin tokens.
  • api-oauth-redirect -> OWASP API2:2023 Broken Authentication
    Prefix-only redirect_uri validation leaks admin authorization codes to attacker-controlled listeners.
  • api-property-exposure -> OWASP API3:2023 Broken Object Property Level Authorization
    User detail responses expose sensitive internal properties including the admin API key.
  • api-rate-limit-bypass -> OWASP API4:2023 Unrestricted Resource Consumption
    Trusting X-Forwarded-For allows bypassing IP-based throttling for PIN brute force.
  • api-version-leak -> OWASP API9:2023 Improper Inventory Management
    A deprecated unauthenticated API version remains accessible and exposes admin data.
  • api-webhook-ssrf -> OWASP API7:2023 Server Side Request Forgery
    Webhook callback fetching can be abused to reach internal-only services and extract secrets.

What’s Included

  • Added complete challenge assets for each new challenge (Dockerfile, docker-compose.yml, requirements.txt, app/, challenge.json).
  • Updated index.json entries for the new API challenges.
  • Updated README.md challenge table.
  • Updated DEPLOYMENT_CHECKLIST.md package list and totals.
  • Updated scripts/generate-index.js so the registry only indexes real challenge directories.
  • Aligned the new API challenge set with the repo baseline: non-root containers, Flask 3.1.3, and standardized scoring metadata.
  • Updated the remaining web challenge owaspCategory values from OWASP 2021 IDs to OWASP 2025 IDs.

Impact

  • Total challenge count increased from 20 to 30.

Verification

  • Challenge metadata is valid JSON (index.json + all challenge.json).
  • API challenge Python sources parse successfully.
  • Flask dependencies are standardized to 3.1.3 across the new challenge packages.
  • API challenge containers now run as non-root appuser.
  • index.json regenerates successfully with all 30 challenges.
  • Confirm all new challenge images are built and published to GHCR.

@r3y3r53 r3y3r53 requested review from S4CH and Treelovah March 18, 2026 14:32
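The X-Forwarded-For trust problem behind api-rate-limit-bypass, shown from the defender's side as an added example (not code from this repository or any of its challenge apps): a throttle keyed on a client-supplied header beside one that only honours the header when the socket peer is a configured trusted proxy. The proxy range, the fixed-window limit and the request samples are assumptions constructed for the demo.

```python
"""Deriving a rate-limit key from X-Forwarded-For without trusting the client."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: only this range may append hops to X-Forwarded-For.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def _is_trusted(addr):
    try:
        return any(ip_address(addr.strip()) in net for net in TRUSTED_PROXIES)
    except ValueError:  # malformed hop is never a trusted proxy
        return False


def client_ip_naive(remote_addr, xff):
    """Weak: uses the leftmost X-Forwarded-For entry, which the caller controls."""
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip_hardened(remote_addr, xff):
    """Ignore the header unless the peer is a trusted proxy; then walk the chain
    from the right and take the first hop that is not one of our proxies."""
    if not _is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return hop
    return remote_addr


class FixedWindowLimiter:
    """Minimal per-key counter standing in for a real rate limiter."""
    def __init__(self, limit):
        self.limit, self.counts = limit, defaultdict(int)

    def allow(self, key):
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def accepted(key_func, requests, limit=5):
    """Number of (remote_addr, xff) requests the limiter lets through."""
    lim = FixedWindowLimiter(limit)
    return sum(1 for ra, xff in requests if lim.allow(key_func(ra, xff)))


# Constructed samples: 20 PIN attempts from one host, each with a forged header.
DIRECT = [("203.0.113.7", f"198.51.100.{i}") for i in range(20)]
# Same host, but behind a trusted proxy that appended the real peer address.
PROXIED = [("10.0.0.2", f"198.51.100.{i}, 203.0.113.7") for i in range(20)]
```

With the naive key every forged header is a fresh bucket, so all 20 attempts pass; the hardened key collapses both scenarios onto 203.0.113.7 and stops at the limit.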

Development

Successfully merging this pull request may close these issues.

Update challenge configs from OWASP 2021 to 2025 IDs
