OWASP

0%
Theory
Quiz

    Owasp Fundamentals & Resources

    • What is OWASP, and why is it important for application security?

      Junior
    • Can you explain the OWASP Top 10 and its purpose?

      Junior
    • Can you list the Top 10 OWASP vulnerabilities?

      Junior
    • What are common types of application vulnerabilities?

      Junior
    • How does OWASP identify the top vulnerabilities?

      Junior
    • What is the OWASP Cheat Sheet Series, and how would you use it?

      Junior
    • Can you describe the OWASP risk rating system?

      Mid
    • What are CVE, CVSS, and CWE, and how do they relate to each other?

      Mid
    • What is the OWASP API Security Top 10, and how does it differ from the main Top 10?

      Mid
    • How did the OWASP Top 10 change from 2017 to 2021, and what new categories were introduced?

      Mid
    • What is the OWASP Top 10 for Agentic Applications and concepts like 'least agency'?

      Senior
    • What is the OWASP LLM/GenAI Top 10, and what are some of its key risk categories?

      Senior

    Secure Design Principles

    • What are secure coding practices?

      Junior
    • Can you describe the concepts of Least Privilege and Defense in Depth?

      Junior
    • Explain the principle of least privilege in application security.

      Junior
    • Why must access control always be enforced on the server side, and what goes wrong when it's only enforced client-side?

      Junior
    • Can you explain Insecure Design and how to mitigate it?

      Mid
    • What is Insecure Design, and how does it manifest in applications?

      Mid
    • Can you explain the concept of zero trust security?

      Mid
    • Can you explain secure design principles?

      Mid
    • Explain the concept of 'secure by default' and provide examples of how it can be applied in application development.

      Mid
    • Discuss the importance of defense in depth in application security.

      Mid
    • What is the difference between security by design and security by obscurity?

      Mid
    • What does 'fail securely' or 'fail closed' mean, and why is it a secure design principle?

      Mid
    • Why is minimizing attack surface an important security goal, and how do you do it?

      Mid
    • What is the principle of complete mediation in access control?

      Senior
    • What is separation of duties, and how does it apply to application security?

      Senior
    • What are misuse and abuse cases, and how do they complement security requirements?

      Senior

    Injection Attacks

    • What is SQL Injection? Can you explain how it works and describe common prevention techniques?

      Junior
    • Why is input validation crucial for application security, and what are different approaches to it (e.g., allowlisting vs. denylisting)?

      Junior
    • What is an injection in the context of OWASP?

      Junior
    • Why are parameterized queries or prepared statements considered the primary defense against SQL Injection?

      Mid
    • Beyond SQL, what other types of injection vulnerabilities are common (e.g., OS Command Injection, NoSQL Injection, XSS)?

      Mid
    • Can you explain the role of input validation and output encoding in preventing injection attacks, and how they differ?

      Mid
    • Can you explain Remote Code Execution (RCE)?

      Mid
    • What is XML External Entity (XXE) Injection and how can it be prevented?

      Mid
    • Explain Mass Assignment vulnerabilities and how to prevent them in web applications.

      Mid
    • What is fuzzing, and what class of vulnerabilities is it best suited to find?

      Mid
    • How would you differentiate between the various types of SQL Injection (e.g., in-band, blind, out-of-band)?

      Senior
    • What is Server-Side Template Injection (SSTI) and what are its common attack vectors and defenses?

      Senior
    • What is Insecure Deserialization and why is it considered a critical vulnerability?

      Senior
    • What are race conditions and TOCTOU flaws, and why are they considered security bugs?

      Senior

    Owasp Projects & Tools

    • What is a Web Application Firewall (WAF), and how does it help protect web applications?

      Junior
    • Does OWASP provide any guides for web security testing?

      Junior
    • Is the Web Security Testing Guide recommended for learning more about security testing?

      Junior
    • What is the primary goal of the Web Security Testing Guide?

      Junior
    • What is the Mobile Security Testing Guide?

      Junior
    • What is OWASP ESAPI?

      Mid
    • What are OWASP WebGoat and WebScarab?

      Mid
    • What are OWASP Dependency-Check and Dependency-Track, and what problem do they solve?

      Mid
    • Can you explain the OWASP Application Security Verification Standard (ASVS) and its different levels (L1, L2, L3)?

      Senior
    • Can you explain OWASP SAMM (Software Assurance Maturity Model) and its purpose?

      Senior

    Threat Modeling

    • Can you explain the term 'threat modeling' and its importance in application security?

      Mid
    • Can you explain the concept of data flow diagrams in threat modeling?

      Mid
    • What are best practices for threat modeling?

      Mid
    • Can you describe the STRIDE threat modeling methodology and provide an example for each category?

      Senior
    • Can you explain the concept of attack trees and how they are used in threat modeling?

      Senior
    • How do you integrate threat modeling into an agile development process?

      Senior
    • How do you ensure threat modeling is conducted regularly throughout the software development lifecycle?

      Senior
    • How do you threat model and secure code you don't own but consume in your products?

      Senior
    • Describe the process of threat modeling in the context of application security.

      Senior
    • Can you explain the DREAD risk-rating model and how it's used to prioritize threats?

      Senior

    Cryptography

    • What is the difference between encryption and hashing, and when would you use each?

      Junior
    • What is the difference between symmetric and asymmetric encryption, and when would you use each in an application?

      Junior
    • What is the difference between encoding, encryption, and hashing?

      Junior
    • Why should you never roll your own cryptography?

      Junior
    • Can you explain Cryptographic Failures and how to mitigate them?

      Mid
    • What are Cryptographic Failures, and what are common causes of this vulnerability?

      Mid
    • What are the security implications of using weak or outdated cryptographic algorithms or protocols (e.g., MD5, SHA1, SSL/TLS 1.0)?

      Mid
    • How do you ensure data encryption in transit and at rest in your applications?

      Mid
    • Why did OWASP rename "Sensitive Data Exposure" to "Cryptographic Failures" in the Top 10?

      Senior
    • What are common mistakes developers make when implementing cryptography or managing cryptographic keys?

      Senior
    • Why is proper certificate validation important, and what is certificate pinning?

      Senior
    • How should applications manage secrets and handle key rotation?

      Senior

    Authentication & Session Management

    • What is the difference between authentication and authorization?

      Junior
    • What is multi-factor authentication, and why does it significantly reduce authentication risk?

      Junior
    • How do you securely store passwords in a web application?

      Mid
    • How can the danger of weak session management and authentication be reduced?

      Mid
    • How would you secure the use of cookies in a web application?

      Mid
    • Explain Session Fixation and its countermeasures.

      Mid
    • What is the difference between stateful and stateless authentication, and what are the security implications of each?

      Mid
    • What is the difference between credential stuffing and brute-force attacks, and how do you defend against each?

      Mid
    • What is account enumeration, and how do you prevent it in login, registration, and password-reset flows?

      Mid
    • How would you design a secure password reset flow?

      Mid
    • What are salting and peppering in password storage, and why do they matter?

      Mid
    • How do you choose an appropriate password-hashing algorithm (bcrypt, scrypt, Argon2, PBKDF2), and what makes them suitable for passwords?

      Mid
    • Where should authentication tokens like JWTs be stored on the client, and what are the trade-offs of cookies vs localStorage?

      Mid
    • Can you explain OAuth2/OIDC security considerations at a conceptual level?

      Senior
    • Discuss the security considerations and common pitfalls associated with JSON Web Tokens (JWTs), including JWKs/JKUs.

      Senior

    Security Misconfiguration & Headers

    • Why are verbose error messages and stack traces a security misconfiguration risk?

      Junior
    • Can you explain Security Misconfiguration and how to mitigate it?

      Mid
    • Can you explain Security Logging and Monitoring Failures and how to mitigate them?

      Mid
    • How do you ensure the security of APIs?

      Mid
    • Discuss common file upload vulnerabilities and how to securely handle file uploads.

      Mid
    • What should effective security logging and monitoring capture, and what shouldn't be logged?

      Mid
    • Can you explain Software and Data Integrity Failures and how to mitigate them?

      Senior
    • Can you explain Server-Side Request Forgery (SSRF) and its defenses?

      Senior
    • What is business logic abuse, and how would you prevent it in your applications?

      Senior
    • What are some common security concerns and best practices when developing or consuming GraphQL APIs?

      Senior

    Owasp Zap

    • What is OWASP ZAP, and how is it used in application security testing?

      Mid
    • What does OWASP ZAP provide for the two kinds of scanning, passive and active?

      Mid
    • How does spidering work in ZAP, and why is the AJAX spider sometimes needed?

      Mid
    • How would you use ZAP as an intercepting proxy to test a request?

      Mid
    • How do ZAP findings map to the OWASP Top 10?

      Mid

    Authorization & Access Control

    • Can you explain Broken Access Control and how to mitigate it?

      Mid
    • What is Broken Access Control, and what are some common examples of this vulnerability?

      Mid
    • Can you explain Insecure Direct Object References (IDOR) and how they are exploited?

      Mid
    • What is the difference between vertical and horizontal privilege escalation?

      Mid
    • What are Insecure Direct Object References (IDORs) and how do you prevent them?

      Mid
    • What is forced browsing, and how does it relate to broken access control?

      Mid
    • What is missing function-level access control, and how does it differ from IDOR?

      Mid
    • What is the difference between RBAC and ABAC as access-control models, and when would you choose one over the other?

      Senior

    Cross Origin & Request Forgery

    • What is Cross-Site Request Forgery (CSRF), and what methods would you use to mitigate it?

      Mid
    • Describe how CORS preflight requests work and their role in web security.

      Mid
    • What is clickjacking, and how do the X-Frame-Options header and CSP frame-ancestors directive defend against it?

      Mid
    • What is an open redirect vulnerability, and how would you prevent it?

      Mid
    • How does the SameSite cookie attribute work, and how does it help mitigate CSRF?

      Mid
    • What is the Same-Origin Policy, and how does it relate to CORS?

      Mid
    • Can you explain how CORS (Cross-Origin Resource Sharing) works and how it can be misconfigured?

      Senior

    Secure Sdlc & Devsecopstesting

    • What are the advantages of a secure SDLC?

      Junior
    • What's the difference between vulnerability assessment and penetration testing?

      Junior
    • What is the difference between DevOps and DevSecOps?

      Junior
    • What does 'shift security left' mean in the context of a secure SDLC?

      Junior
    • What security measures would you implement in the software development life cycle (SDLC)?

      Mid
    • What are the key differences between static and dynamic application security testing (SAST vs DAST)?

      Mid
    • What are some weaknesses of DAST compared to other security methods?

      Mid
    • How would you ensure secure coding practices within a development team to prevent OWASP vulnerabilities?

      Mid
    • What best practices do you follow for secure code review?

      Mid
    • What are the core principles of DevSecOps?

      Mid
    • What is Static Application Security Testing (SAST), what are its advantages and disadvantages, and when in the SDLC would you typically use it?

      Mid
    • What is application-layer rate limiting and anti-automation, and which attacks does it defend against?

      Mid
    • What is a bug bounty program, and how does responsible/coordinated disclosure work?

      Mid
    • What is the difference between a vulnerability scan, a penetration test, and a red-team engagement?

      Mid
    • How do you choose between SAST, DAST, and SCA, and roll them out at scale?

      Senior
    • How would you prioritize remediating different OWASP vulnerabilities when multiple issues are identified in a web application?

      Senior
    • What are some common security guardrails you would implement in a development pipeline to enforce secure coding practices and configurations?

      Senior
    • What is IAST, and how does it differ from SAST and DAST?

      Senior

    Cross Site Scripting & Client Side

    • What is output encoding and why is it important for preventing XSS?

      Junior
    • What are the differences between stored, reflected, and DOM-based XSS?

      Junior
    • Explain what Content Security Policy (CSP) is, how it works, and how it helps mitigate XSS attacks.

      Mid
    • Can you explain Cross-Site Scripting (XSS) and how you can protect against it?

      Mid
    • Explain DOM-based Cross-Site Scripting (XSS) and how it differs from reflected or stored XSS.

      Mid
    • What is Subresource Integrity (SRI), and how does it protect against compromised third-party scripts?

      Mid
    • What is Web Cache Deception and how can it be exploited or mitigated?

      Senior
    • What is DOM Clobbering and what are its security implications?

      Senior

    Http & Web Protocol Attacks

    • Can you explain directory/path traversal vulnerabilities?

      Mid
    • Can you explain HTTP Strict Transport Security (HSTS)?

      Mid
    • How do you mitigate man-in-the-middle attacks in web applications?

      Mid
    • Explain HTTP Parameter Pollution and its potential impact.

      Mid
    • Can you explain the X-Content-Type-Options, Referrer-Policy, and Permissions-Policy security headers and what each protects against?

      Mid
    • How does HTTP Request Smuggling (e.g., TE.TE) work, and how can it be prevented?

      Senior
    • Describe common vulnerabilities and security best practices for WebSocket communication.

      Senior
    • What is Host header injection, and what kinds of attacks can it enable?

      Senior
    • What is HTTP response splitting, and how does it relate to CRLF injection?

      Senior

    Software Supply Chain

    • Can you explain Vulnerable and Outdated Components and how to mitigate the risk?

      Mid
    • Explain Software Composition Analysis (SCA) and its importance in managing third-party dependencies.

      Mid
    • What is a Software Bill of Materials (SBOM), and why is it important for application security?

      Mid
    • How do you ensure supply chain integrity in your applications, particularly concerning open-source components?

      Senior
    • What is a dependency confusion attack, and how do you defend against it?

      Senior

    Other

    • What is prompt injection and input trust in the context of LLM applications?

      Senior