How Much do You Know About AppSec?

1/40

0:00

How Much do You Know About AppSec?

The Ultimate AppSec Trivia Challenge is a fun and educational game that tests your application security knowledge. The game consists of questions ranging from easy to hard, all related to application security.

What position is Injection on OWASP TOP 10 2021

Level: Easy

Injection vulnerabilities have been in the OWASP Top 10 since its creation.

10th

5th

4th

3rd

What does OWASP stand for?

Level: Easy

In 2023 OWASP changed its name from Open Web Application Security Project, to make it more inclusive to the different aspects of application security.

Open Web Application Security Project

Open Worldwide Application Security Project

Open Web Application Security Protocol

What will appear on the page?

Level: Easy

The noscript tag prevents the script tag from being interpreted.

hello

alert

the script will appear

xss

What does CIA in the CIA triad stand for?

Confidentiality, Integrity, Availability

Central Intelligence Agency

Confidentiality, Intelligence, Availability

What is the newer name for Insecure Direct Object Reference vulnerabilities?

BOLA or Broken Object Level Authorization

IBAS or Insecure Bypass of Authorization Systems

What does CSRF stand for?

Cross-Side Result Forgery

Cross-Side Request Forgery

Cross-Site Request Forgery

Cross-Site Result Forgery

If an unauthenticated user can access a private URL from a privileged user, what is the associated OWASP Top 10 risk?

A02 – Cryptographic Failures

A01 - Broken Access Control

A03 – Injection

If your application logs can be tampered with, which OWASP Top 10 risk is applicable?

A03 – Injection

A06 – Vulnerable and Outdated Components

A09 - Security Logging and Monitoring Failures

What is the other name for Clickjacking?

UI Redressing

UX Redressing

Phishing

Heartbleed

What risk is in the last position of the OWASP Top 10?

Broken Access Control

Server-Side Request Forgery

Vulnerable and Outdated Components

What is the vulnerability?

ASP.NET tracing enabled

TOCTOU, time-of-check to time-of-use, or race condition.

Insecure PHP Object deserialization

You are using Windows XP. Which OWASP Top 10 risk applies here?

Windows XP support ended in 2014.

A06 Vulnerable and Outdated Components

A04 Insecure Design

A05 Security Misconfiguration

You see this in a browser. What OWASP Top 10 risk does it refer to?

A04 Insecure Design

A05 Security Misconfiguration

A09 - Security Logging and Monitoring Failures

A03 – Injection

In which year was the OWASP Top 10 published for the first time?

2000

2003

1997

2011

The usage of “questions and answers” in a credential recovery workflow can be associated with which OWASP Top 10 risk?

Various industry guidelines and standards, such as OWASP ASVS, OWASP Top 10, and NIST 800-63b consider this an insecure design.

A03 – Injection

A05 Security Misconfiguration

A04 - Insecure Design

A10 – Server-Side Request Forgery (SSRF)

RSA stands for?

These are the first names of the three creators of the widely used RSA cryptographic algorithm

Rivest, Shamir, Adleman

Research, Security, Analytics

Ransomware, Scripting, Access

Name the 3 types of XSS

Reflected, Scripted, and XSS based

Reflected, Stored, and DOM based

A software distribution system that doesn’t provide integrity assurances is violating which OWASP Top 10 risk?

A08 - Software and Data Integrity Failures

A05 Security Misconfiguration

A10 – Server-Side Request Forgery (SSRF)

A padding oracle vulnerability refers to which risk of the OWASP Top 10?

A05 Security Misconfiguration

A02 - Cryptographic Failures

A06 Vulnerable and Outdated Components

Which cookie attribute prevents CSRF?

path

Sidejacking

SameSite

What is the authentication algorithm used in the following cipher suite:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

RSA: The 1st part is the key exchange algorithm, 2nd, the authentication, 3rd encryption, and 4th is the MAC.

ECDH

RSA

PSK

SSDLC Stands for?

Software Secured Development Life Cycle

Software Section Development Life Cycle

Secure Software Development Life Cycle

The HTTP 429 response code means?

Too many requests

Unprocessable Content

Precondition Required

Request Header Fields Too Large

Will the alert execute?

HTTP/1.1 200 OK

date: Thu, 06 Apr 2023 21:53:38 GMT

strict-transport-security: max-age=31536000; includeSubDomains

vary: origin,accept-encoding

content-type: application/json; charset=utf-8

x-content-type-options: nosniff

x-frame-options: DENY

x-xss-protection: 1; mode=block

<html><body><h1>Hello <script>alert(13)</script></h1></body></html>

No, because the content-type is application/json, which will not be rendered by the browser.

Yes

CVSS stands for?

Common Vulnerability Scoring Software

Common Vulnerability Scoring System

What is the PR in CVSS?

Privileges Required: It can have three values: None, Low or High

Privileges Required

Privileges Restricted

Name the attack.

GET /?error=foobar%0d%0aSet-Cookie:+sessionid=abcdef

host: example.com

HTTP/1.1 301 Moved Permanently

Location: /index?error=foobar

Set-Cookie: sessionid=abcdef

HTTP response splitting

Cross-User Defacement

Page Hijacking

What vulnerability is this payload used for?

${T(java.lang.System).getenv()}

Server Side Request Forgery (SSRF)

SSTI or Server-Side Template Injection

What does SBOM stands for?

Software Bill of Materials. SBOM’s are an inventory of all the components of a given software.

Software Bill of Materials

Super Burrito of Mayhem

Security Bill of Materials

sqlmap -D parameter is used for:

Alter database compatibility level

Setting the database name

What is AWS metadata IP:

245.169.169.254

169.254.638.254

169.254.169.254

How old can cookies be before the SameSite Lax-Allowing-Unsafe enforces the Lax rules?

Cookies newer than 2 minutes, can be sent on requests cross-domain, just like in a SameSite=None scenario. After 2 minutes, the Lax configuration is applied.

Newer than 2 minutes

Newer than 1 minute

Newer than 10 minutes

What is the name of the first XSS worm:

Sam

Samy

Squirt

Squiggily

Will the alert execute?

GET /?name=<script>alert(13)<%2Fscript> HTTP/1.1
host: example.com

HTTP/1.1 200 OK

date: Thu, 06 Apr 2023 21:53:38 GMT

content-security-policy: default-src js.example.com;

x-content-type-options: nosniff

x-frame-options: DENY

x-xss-protection: 1; mode=block
referer: example.com/?name=<script>alert(13)<%2Fscript>

<html><body><h1>Hello <script>alert(13)</script></h1></body></html>

Answer:
No, because the Content Security Policy only allows for JavaScript from js.example.com

No.

Yes.

Purple.

In a SQL injection payload, what can you use instead of whitespaces?

For instance, 0/**/or/**/1 is the same as 0 or 1.

SQL comments

Lexical Structure

Constants

What is the CVSS rating of:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H?

9.0 or Critical. It is not a 10 because the Attack Complexity (AC) is High (H) and not Low (L)

3.9 or Low.

9.0 or Critical.

7.0 or High

4.0 or Medium

What is the E in CVSS 3 Temporal Score?

Exploit Code Maturity

Environmental Metrics

The “goto fail;” vulnerability affected which functionality?

The signature verification of the Server Key Exchange in the SSL/TLS protocol of iOS devices.

The signature verification of the Server Key Exchange in the SSL/TLS protocol of android devices.

List the OWASP Top 10 in order, from A01 to A10.

A):

A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection
A04 Insecure Design
A05 Security Misconfiguration
A06 Vulnerable and Outdated Components
A07 Identification and Authentication Failures
A08 Software and Data Integrity Failures
A09 Security Logging and Monitoring Failures
A10 Server-Side Request Forgery (SSRF)

B):

A01 Broken Access Control
A02 Cryptographic Failures

A03 Insecure Design

A04 Injection
A05 Security Misconfiguration
A06 Vulnerable and Outdated Components

A07 Software and Data Integrity Failures
A08 Identification and Authentication Failures
A09 Security Logging and Monitoring Failures
A10 Server-Side Request Forgery (SSRF)

Name one of the two most common JWT signing algorithms

ES256 (ECDSA using P-256 and SHA-256)

HS256 (HMAC using SHA256), or RS256 (RSA using SHA256)

You got {number correct}/{number of questions} correct answers

Well, You are a Newbie!

It seems you are just starting out. Your effort is commendable though.

You got {number correct}/{number of questions} correct answers

Awesome! You are experienced!

Well done! You have an understanding of Appsec fundamentals.

You got {number correct}/{number of questions} correct answers

Whoa! You are an Expert!

That's some great score!

You have an excellent hold on all the nuances of Appsec. People learn from you, but don't forget there is always room for improvement. Keep on learning and inspiring others. The digital world needs you!