5.1 Exercise 1: Classify the Vulnerability
Classify the Vulnerability
Eight real-world breach scenarios. Match each to its primary OWASP Top 10 category. Predict before you read options — that's what the AP exam rewards.
How This Exercise Works
1. Read each scenario carefully. Identify what the attacker did and what went wrong.
2. Commit to a category before looking at the options (the ✎ yellow box reminds you).
3. Click your answer. You get immediate feedback explaining why that option is correct or why the trap option is wrong.
4. Your score updates as you go. Aim for 7 / 8 or better; if you score below 6, re-read sections 5.1.4 – 5.1.7 of the main lesson.
A banking app's login form runs the query SELECT * FROM users WHERE u='" + input + "'. An attacker types admin' -- in the username field and is logged in as admin with no password. Which category?
A patient portal lets logged-in users view records at URLs like /records/5821. A user discovers that changing the URL to /records/5822 returns another patient's full history. Authentication works correctly — only logged-in users can reach the page. Which category?
A company discovers that its application debug logs — shipped to a third-party SaaS monitoring service — contain full HTTP request bodies. This includes passwords from login forms and credit card numbers from checkout. No one has been hacked yet. Which category best describes this finding?
An attacker obtains a valid session cookie by sniffing unencrypted Wi-Fi at a coffee shop. They paste the cookie into their own browser and are logged in as the victim, with full access to the victim's account. No password was ever exposed. Which primary category applies to the session-cookie theft itself?
A 2017 breach exposed 147 million records when attackers exploited a two-month-old unpatched vulnerability in an Apache Struts framework the company was using. Which OWASP category most directly describes the failure that allowed the breach?
A data breach releases a company's user database. Within 24 hours, plaintext passwords from millions of accounts appear on a forum. Investigators find the database stored passwords using MD5 hashing with no salt. Which category applies to the password exposure?
An attacker submits this comment on a blog: . Every future visitor who views the comment unknowingly sends their session cookie to the attacker. Which category applies to the attack itself?
During a penetration test, consultants find a production server's admin panel is accessible on a public IP address. The panel accepts the default credentials admin / admin that were never changed since deployment. Which category most directly applies?
Exercise Complete
—
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]