Practice English vocabulary for web application penetration testing: OWASP Top 10, SQL injection, XSS, CSRF, IDOR, and reporting findings.
1 / 5
The pentester used the industry-standard list of the 10 most critical web security risks to structure their test. Which phrase is correct?
'OWASP Top 10 as the test checklist' means using the Open Web Application Security Project's list of the 10 most critical web application security risks as the scope guide for the test.
2 / 5
The tester injected malicious SQL code into a login form and was able to retrieve all records from the users table. Which phrase is correct?
'The SQL injection allows data extraction' describes a critical vulnerability where an attacker can run arbitrary SQL queries through unsanitized input fields, exposing database contents.
3 / 5
The tester inserted JavaScript code into a comment field, and when another user viewed the comment, the script ran in their browser. Which phrase is correct?
'The XSS payload executes in the victim's browser' describes a Cross-Site Scripting attack where malicious JavaScript is stored and later executed in the context of another user's browser session.
4 / 5
The tester found that a sensitive action (deleting an account) can be triggered by a link clicked by a logged-in user, with no anti-forgery token present. Which phrase is correct?
'CSRF token is missing on the form submission' identifies a Cross-Site Request Forgery vulnerability. A CSRF token is a random value that proves the request originated from the legitimate application, not a malicious third-party site.
5 / 5
The tester found that changing a user ID in the API request URL returned another user's private data. Which vulnerability is this?
'IDOR' stands for Insecure Direct Object Reference — a vulnerability where an API uses predictable identifiers (like user IDs) without checking if the requester is authorized to access that resource.