You are the on-call AppSec analyst. Six tickets just landed in your queue. For each one, classify the OWASP category and choose the correct immediate action.
6 Tickets~20 minApplied · Scored
Triage Rules
Each ticket: identify the OWASP category, then pick the action that fixes the root cause (not a symptom).
Watch for trap actions: changing passwords when the attack didn't need a password; adding firewalls against application-layer attacks; blacklisting input when parameterization is the real fix.
One ticket (Ticket 1051) accepts two answers — the OWASP categories overlap in that case. All other tickets have exactly one best answer.
Score0 / 6
Question 1
Ticket #1047 — Priority: Urgent
A junior developer commits this code to the login endpoint:
query = "SELECT id FROM users WHERE email='" + email + "' AND pw='" + pw + "'"
A code reviewer flags it. As the AppSec triage lead, what category and what's your immediate action?
✎ Predict before reading options. Commit to a category first.
Exam TipReviewing code, see string concatenation into SQL → REJECT. Parameterized queries are non-negotiable. No amount of filtering is equivalent.
Question 2
Ticket #1048 — Priority: Medium
Customer support reports that three users have complained: each logged in, then saw someone else's shopping cart. All three were using the same public library Wi-Fi. No attack is alleged.
Your classification and immediate next step?
✎ Predict before reading options. Commit to a category first.
Exam TipMultiple users seeing each other's data on shared networks = session tokens that aren't properly isolated. That's a Broken Authentication failure — the identity verification system is confusing identities.
Question 3
Ticket #1049 — Priority: High
A threat intel feed alerts that a popular npm package your team depends on has a newly disclosed Remote Code Execution vulnerability. A patch exists. Your app is running a version with the bug.
Category and action?
✎ Predict before reading options. Commit to a category first.
Exam TipKnown CVE + patch available = Vulnerable Components category. Patch. Audit for past exploitation. Done.
Question 4
Ticket #1050 — Priority: Low
A security researcher reports that the password-reset email link remains valid for 30 days, the generated token is only 8 alphanumeric characters, and no rate limiting exists on the reset endpoint.
Category and action?
✎ Predict before reading options. Commit to a category first.
Exam TipPassword-reset flow issues = Broken Authentication. Reset tokens are auth credentials with a short lifetime; treat them like passwords.
Question 5
Ticket #1051 — Priority: Urgent
A customer demo revealed that the app's error page displays the full SQL query when a database error occurs, including table names and column names. Marketing reports have been taking screenshots for two years.
Category and action?
✎ Predict before reading options. Commit to a category first.
Exam TipVerbose errors in production = information disclosure. Map to Sensitive Data Exposure or Security Misconfiguration (the exam accepts either). Fix: generic user-facing messages, details logged server-side.
Question 6
Ticket #1052 — Priority: Critical
Incident response escalates: an attacker successfully submitted a GET request to /admin/export?user=all&format=csv and downloaded a list of every user's email, phone, and SSN. They were logged in as a regular user. The endpoint had no role check. Full production downtime is not an option — there are 40,000 active users right now.
Category and action?
✎ Predict before reading options. Commit to a category first.
Exam TipAuthenticated user + URL they shouldn't access + no role check = Broken Access Control. The operational patch order matters: stop the bleeding (WAF), fix the code (authz check), notify (disclosure).
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed.
Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Typically responds within 24 hours
✓
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.