5.1 Lab: AppSec Triage Desk

AP Cybersecurity · Unit 5 · Topic 5.1 · Lab

AppSec Triage Desk

You are the on-call AppSec analyst. Six tickets just landed in your queue. For each one, classify the OWASP category and choose the correct immediate action.

6 Tickets ~20 min Applied · Scored

Triage Rules

Each ticket: identify the OWASP category, then pick the action that fixes the root cause (not a symptom).

Watch for trap actions: changing passwords when the attack didn't need a password; adding firewalls against application-layer attacks; blacklisting input when parameterization is the real fix.

One ticket (Ticket 1051) accepts two answers — the OWASP categories overlap in that case. All other tickets have exactly one best answer.

Score0 / 6
Question 1
Ticket #1047 — Priority: Urgent

A junior developer commits this code to the login endpoint:

query = "SELECT id FROM users WHERE email='" + email + "' AND pw='" + pw + "'"

A code reviewer flags it. As the AppSec triage lead, what category and what's your immediate action?
✎ Predict before reading options. Commit to a category first.
Exam TipReviewing code, see string concatenation into SQL → REJECT. Parameterized queries are non-negotiable. No amount of filtering is equivalent.
Question 2
Ticket #1048 — Priority: Medium

Customer support reports that three users have complained: each logged in, then saw someone else's shopping cart. All three were using the same public library Wi-Fi. No attack is alleged.

Your classification and immediate next step?
✎ Predict before reading options. Commit to a category first.
Exam TipMultiple users seeing each other's data on shared networks = session tokens that aren't properly isolated. That's a Broken Authentication failure — the identity verification system is confusing identities.
Question 3
Ticket #1049 — Priority: High

A threat intel feed alerts that a popular npm package your team depends on has a newly disclosed Remote Code Execution vulnerability. A patch exists. Your app is running a version with the bug.

Category and action?
✎ Predict before reading options. Commit to a category first.
Exam TipKnown CVE + patch available = Vulnerable Components category. Patch. Audit for past exploitation. Done.
Question 4
Ticket #1050 — Priority: Low

A security researcher reports that the password-reset email link remains valid for 30 days, the generated token is only 8 alphanumeric characters, and no rate limiting exists on the reset endpoint.

Category and action?
✎ Predict before reading options. Commit to a category first.
Exam TipPassword-reset flow issues = Broken Authentication. Reset tokens are auth credentials with a short lifetime; treat them like passwords.
Question 5
Ticket #1051 — Priority: Urgent

A customer demo revealed that the app's error page displays the full SQL query when a database error occurs, including table names and column names. Marketing reports have been taking screenshots for two years.

Category and action?
✎ Predict before reading options. Commit to a category first.
Exam TipVerbose errors in production = information disclosure. Map to Sensitive Data Exposure or Security Misconfiguration (the exam accepts either). Fix: generic user-facing messages, details logged server-side.
Question 6
Ticket #1052 — Priority: Critical

Incident response escalates: an attacker successfully submitted a GET request to /admin/export?user=all&format=csv and downloaded a list of every user's email, phone, and SSN. They were logged in as a regular user. The endpoint had no role check. Full production downtime is not an option — there are 40,000 active users right now.

Category and action?
✎ Predict before reading options. Commit to a category first.
Exam TipAuthenticated user + URL they shouldn't access + no role check = Broken Access Control. The operational patch order matters: stop the bleeding (WAF), fix the code (authz check), notify (disclosure).

Lab Complete

— / 6

AP Cybersecurity · Unit 5 · Lesson 5.1 · Lab

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]