5.5 Lab: AppSec Control Recommendations

AP Cybersecurity · Unit 5 · Topic 5.5 · Lab

AppSec Control Recommendations

You are the on-call AppSec lead. Six incident tickets are in your queue. For each, identify the correct OWASP category and recommend the triage action — the one that fixes the root cause while still making sense operationally.

6 Tickets ~20 min Applied · Scored

Triage Rules

Match root cause to structural fix. The correct answer is the one that eliminates the vulnerability rather than detecting or filtering the attack.

Compensating controls are second, never first. “Deploy a WAF” is rarely the top-line answer. “Rotate the keys” is reactive, not preventive.

Watch the trap categories. Injection looks like misconfiguration; CSRF looks like XSS; access control looks like authentication. Read carefully.

Score0 / 6
Question 1
Ticket #5501 — Priority: P1 / Critical

Reporter: Senior engineer, payment-processing team
Incident: Code review of a recently merged PR found this in the refund endpoint:

refund_id = request.GET['refund_id']
cmd = "python /opt/tools/refund.py " + refund_id
os.system(cmd)


The refund_id comes directly from a URL parameter. A penetration test confirmed that submitting ?refund_id=1234;rm -rf /var/logs/ executed both the refund and the destructive shell command. As triage lead, what category is this, and what is your immediate action?
✎ Predict: where does untrusted input meet the shell, and what's the structural fix?
Question 2
Ticket #5514 — Priority: P1 / Critical

Reporter: SIEM alerting on authentication volume
Incident: Over the last 4 hours, the login endpoint received 88,000 requests from 12,000 unique residential-proxy IP addresses. 1,247 accounts were successfully logged into with valid password/email combinations. The passwords match known credentials from a 2021 breach of an unrelated site. The login endpoint has per-IP rate limiting at 20 requests/minute. What is your immediate action?
✎ Predict: valid creds across many IPs = credential stuffing. What breaks it?
Question 3
Ticket #5527 — Priority: P2 / High

Reporter: Frontend engineer
Incident: Users report that their account dashboard occasionally shows someone else's account data after a browser refresh. Investigation finds a CDN caches HTML responses per URL; when User A loads /dashboard, the response is cached and then returned to User B who makes the same request within 5 minutes. The HTML response contains User A's session-scoped data. The framework does not set Cache-Control: private on authenticated responses. What is your root-cause fix?
✎ Predict: the issue is that authenticated content is being cached publicly. What HTTP header fixes it?
Question 4
Ticket #5533 — Priority: P1 / Critical

Reporter: Customer support escalation
Incident: A user reports that after visiting a link shared in an email, their payment method on file was changed to an attacker-controlled debit card. Forensic review finds the attacker hosted a malicious page at attacker-bait.example containing a hidden form that auto-submits to /api/user/payment-method on the victim's banking domain. The victim's browser, already logged into the bank, attached the session cookie automatically, and the server executed the payment-method change. What combination is the correct triage?
✎ Predict: attack used the victim's session on a cross-site request. What cookie flag plus token pattern blocks this?
Question 5
Ticket #5541 — Priority: P2 / High

Reporter: Bug bounty researcher
Incident: The researcher reports that the "export my data" feature returns a URL in the format /exports/user-exports/12045-data.zip. By changing the number in the URL to 12046, the researcher successfully downloaded another user's export. The backend verifies that the user is authenticated but does not check that the export belongs to them. An access control header X-User-ID is set by an upstream proxy but only checked on some endpoints. What is the category and your immediate action?
✎ Predict: the user is authenticated but can access other users' resources. Which OWASP category?
Question 6
Ticket #5548 — Priority: P1 / Critical

Reporter: On-call engineer, noticed unusual process activity
Incident: The server received a POST to /api/import-backup with a Python pickle payload in the body. The endpoint's code deserializes the body via pickle.loads(request.body) to import user-supplied backup data. Process monitoring observed the API process spawn a reverse shell to an attacker IP shortly after the request. Which is the correct root-cause fix?
✎ Predict: pickle.loads on user input = arbitrary code execution. What format eliminates this?

Triage Complete

Final Score: 0 / 6

AP Cybersecurity · Unit 5 · Lesson 5.5 · Lab

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]