5.1 Exercise 1: Classify the Vulnerability

AP Cybersecurity · Unit 5 · Topic 5.1 · Exercise 1

Classify the Vulnerability

Eight real-world breach scenarios. Match each to its primary OWASP Top 10 category. Predict before you read options — that's what the AP exam rewards.

8 Questions ~15 min Scored

How This Exercise Works

1. Read each scenario carefully. Identify what the attacker did and what went wrong.

2. Commit to a category before looking at the options (the ✎ yellow box reminds you).

3. Click your answer. You get immediate feedback explaining why that option is correct or why the trap option is wrong.

4. Your score updates as you go. Aim for 7 / 8 or better; if you score below 6, re-read sections 5.1.4 – 5.1.7 of the main lesson.

Score 0 / 8
Question 1

A banking app's login form runs the query SELECT * FROM users WHERE u='" + input + "'. An attacker types admin' -- in the username field and is logged in as admin with no password. Which category?

✎ Predict your answer before reading the options. Commit to one of: Injection, Broken Authentication, Broken Access Control, Sensitive Data Exposure / Cryptographic Failures, Vulnerable Components, or Security Misconfiguration.
Exam TipTrigger phrase: 'special characters in input' + 'SQL / HTML / shell' = Injection. Predict before looking.
Question 2

A patient portal lets logged-in users view records at URLs like /records/5821. A user discovers that changing the URL to /records/5822 returns another patient's full history. Authentication works correctly — only logged-in users can reach the page. Which category?

✎ Predict your answer before reading the options. Commit to one of: Injection, Broken Authentication, Broken Access Control, Sensitive Data Exposure / Cryptographic Failures, Vulnerable Components, or Security Misconfiguration.
Exam TipRule of thumb: authenticated user, but acts as someone they shouldn't = Broken Access Control. Not broken auth.
Question 3

A company discovers that its application debug logs — shipped to a third-party SaaS monitoring service — contain full HTTP request bodies. This includes passwords from login forms and credit card numbers from checkout. No one has been hacked yet. Which category best describes this finding?

✎ Predict your answer before reading the options. Commit to one of: Injection, Broken Authentication, Broken Access Control, Sensitive Data Exposure / Cryptographic Failures, Vulnerable Components, or Security Misconfiguration.
Exam TipSensitive Data Exposure doesn't require an attack. Data stored or transmitted unsafely is itself the vulnerability.
Question 4

An attacker obtains a valid session cookie by sniffing unencrypted Wi-Fi at a coffee shop. They paste the cookie into their own browser and are logged in as the victim, with full access to the victim's account. No password was ever exposed. Which primary category applies to the session-cookie theft itself?

✎ Predict your answer before reading the options. Commit to one of: Injection, Broken Authentication, Broken Access Control, Sensitive Data Exposure / Cryptographic Failures, Vulnerable Components, or Security Misconfiguration.
Exam TipStolen token = Broken Authentication. Note that the underlying enabler (no HTTPS) is Cryptographic Failures — a chained breach.
Question 5

A 2017 breach exposed 147 million records when attackers exploited a two-month-old unpatched vulnerability in an Apache Struts framework the company was using. Which OWASP category most directly describes the failure that allowed the breach?

✎ Predict your answer before reading the options. Commit to one of: Injection, Broken Authentication, Broken Access Control, Sensitive Data Exposure / Cryptographic Failures, Vulnerable Components, or Security Misconfiguration.
Exam TipTrigger phrase: 'known vulnerability' + 'patch was available' = Vulnerable and Outdated Components.
Question 6

A data breach releases a company's user database. Within 24 hours, plaintext passwords from millions of accounts appear on a forum. Investigators find the database stored passwords using MD5 hashing with no salt. Which category applies to the password exposure?

✎ Predict your answer before reading the options. Commit to one of: Injection, Broken Authentication, Broken Access Control, Sensitive Data Exposure / Cryptographic Failures, Vulnerable Components, or Security Misconfiguration.
Exam TipWeak hashing (MD5, SHA-1, unsalted) = Cryptographic Failures, not Broken Authentication. The login itself may work fine until the database leaks.
Question 7

An attacker submits this comment on a blog: . Every future visitor who views the comment unknowingly sends their session cookie to the attacker. Which category applies to the attack itself?

✎ Predict your answer before reading the options. Commit to one of: Injection, Broken Authentication, Broken Access Control, Sensitive Data Exposure / Cryptographic Failures, Vulnerable Components, or Security Misconfiguration.
Exam TipIf the scenario mentions a script tag, form field, or user-supplied content ending up interpreted by a browser = XSS = Injection category.
Question 8

During a penetration test, consultants find a production server's admin panel is accessible on a public IP address. The panel accepts the default credentials admin / admin that were never changed since deployment. Which category most directly applies?

✎ Predict your answer before reading the options. Commit to one of: Injection, Broken Authentication, Broken Access Control, Sensitive Data Exposure / Cryptographic Failures, Vulnerable Components, or Security Misconfiguration.
Exam TipWhen defaults, unused services, or exposed admin interfaces appear in a scenario = Security Misconfiguration. This is distinct from weak passwords alone.

Exercise Complete

— / 8

AP Cybersecurity · Unit 5 · Lesson 5.1 · Exercise 1
LessonExercise 1LabQuiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]