5.5 Lab: AppSec Control Recommendations
AppSec Control Recommendations
You are the on-call AppSec lead. Six incident tickets are in your queue. For each, identify the correct OWASP category and recommend the triage action — the one that fixes the root cause while still making sense operationally.
Triage Rules
Match root cause to structural fix. The correct answer is the one that eliminates the vulnerability rather than detecting or filtering the attack.
Compensating controls are second, never first. “Deploy a WAF” is rarely the top-line answer. “Rotate the keys” is reactive, not preventive.
Watch the trap categories. Injection looks like misconfiguration; CSRF looks like XSS; access control looks like authentication. Read carefully.
Reporter: Senior engineer, payment-processing team
Incident: Code review of a recently merged PR found this in the refund endpoint:
refund_id = request.GET['refund_id']
cmd = "python /opt/tools/refund.py " + refund_id
os.system(cmd)The refund_id comes directly from a URL parameter. A penetration test confirmed that submitting
?refund_id=1234;rm -rf /var/logs/ executed both the refund and the destructive shell command. As triage lead, what category is this, and what is your immediate action?Reporter: SIEM alerting on authentication volume
Incident: Over the last 4 hours, the login endpoint received 88,000 requests from 12,000 unique residential-proxy IP addresses. 1,247 accounts were successfully logged into with valid password/email combinations. The passwords match known credentials from a 2021 breach of an unrelated site. The login endpoint has per-IP rate limiting at 20 requests/minute. What is your immediate action?
Reporter: Frontend engineer
Incident: Users report that their account dashboard occasionally shows someone else's account data after a browser refresh. Investigation finds a CDN caches HTML responses per URL; when User A loads
/dashboard, the response is cached and then returned to User B who makes the same request within 5 minutes. The HTML response contains User A's session-scoped data. The framework does not set Cache-Control: private on authenticated responses. What is your root-cause fix?Reporter: Customer support escalation
Incident: A user reports that after visiting a link shared in an email, their payment method on file was changed to an attacker-controlled debit card. Forensic review finds the attacker hosted a malicious page at
attacker-bait.example containing a hidden form that auto-submits to /api/user/payment-method on the victim's banking domain. The victim's browser, already logged into the bank, attached the session cookie automatically, and the server executed the payment-method change. What combination is the correct triage?Reporter: Bug bounty researcher
Incident: The researcher reports that the "export my data" feature returns a URL in the format
/exports/user-exports/12045-data.zip. By changing the number in the URL to 12046, the researcher successfully downloaded another user's export. The backend verifies that the user is authenticated but does not check that the export belongs to them. An access control header X-User-ID is set by an upstream proxy but only checked on some endpoints. What is the category and your immediate action?Reporter: On-call engineer, noticed unusual process activity
Incident: The server received a POST to
/api/import-backup with a Python pickle payload in the body. The endpoint's code deserializes the body via pickle.loads(request.body) to import user-supplied backup data. Process monitoring observed the API process spawn a reverse shell to an attacker IP shortly after the request. Which is the correct root-cause fix?Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]