Practise plain-English descriptions and vocabulary for the OWASP Top 10 web application security risks.
SQL injection (OWASP A03) occurs when:
SQL injection: the attacker supplies SQL syntax in an input field. If the application concatenates that input into a query string without parameterisation or sanitisation, the injected SQL executes with the application's database privileges.
Broken Access Control (OWASP A01) means:
Broken access control is the top OWASP risk. Examples: IDOR (accessing /users/456's data as user 123), privilege escalation, missing function-level access control; in short, anywhere an authorisation check is absent or can be bypassed.
Cross-Site Scripting (XSS) is best described as:
XSS: malicious script runs in the victim's browser under the trusted domain's context. Stored XSS (script saved in DB), Reflected XSS (script in URL parameter), DOM-based XSS (client-side manipulation).
Security Misconfiguration (OWASP A05) includes which of the following?
Security misconfiguration is the most prevalent vulnerability category. It includes: default credentials unchanged, debug mode on in production, directory listing enabled, cloud storage buckets set to public, unnecessary services running.
Insecure Direct Object Reference (IDOR) is an example of:
IDOR example: changing /api/invoice/1001 to /api/invoice/1002 in the URL returns another user's invoice. The server trusted the ID without checking whether the requesting user owns that resource.
A Cryptographic Failure (OWASP A02) is present when:
Cryptographic failures expose sensitive data. This includes: using deprecated hash functions (MD5, SHA-1) for passwords instead of bcrypt/Argon2, not enforcing HTTPS, weak cipher suites, or keys stored in version control.