🛡️ OWASP Top 10 Vocabulary
5 exercises — injection, broken auth, IDOR, security misconfiguration — communicating OWASP Top 10 vulnerabilities in English. Intermediate
1 / 5
A security engineer says: "This endpoint is vulnerable to injection because user input is interpolated directly into the SQL query."
Which OWASP Top 10 category does this finding reflect?
Injection (A03 in OWASP Top 10 2021, formerly A01) occurs when untrusted data is sent to an interpreter as part of a command or query.
| OWASP Category | Key signal | Classic example |
|---|---|---|
| Injection | Input interpolated into a query or command | SQL injection, command injection, LDAP injection |
| Broken Authentication | Weak session management, password handling | Credential stuffing, session fixation |
| Security Misconfiguration | Default credentials, debugging enabled in production | Debug endpoints exposed, S3 bucket public |
| IDOR | Direct reference to internal objects without authorisation check | /api/invoice/1042 accessible by any user |
Key vocabulary:
- Interpolated directly — user input inserted into a string that becomes a SQL command without escaping or parameterisation
- Untrusted input — data originating from user-controlled sources that cannot be trusted to be safe
- Parameterised query (prepared statement) — the mitigation: bind user input as typed parameters, never as SQL text