Security
OWASP Top 10: multiple-choice review
Crux Multiple-choice synthesis across the OWASP Top 10 (2021) — access control, crypto, injection, insecure design, SSRF, and misconfiguration as decisions you make in a real review.
Your altitude — climbing toward senior
ZeroJuniorMiddleSenior
You are at senior altitude — in orbitSix questions that cut across the whole Top 10. Each one mirrors a call you make in a real security review — not a definition to recite, but a root cause to name and the fix a senior would reach for first.
Goal
Confirm you can connect the 2021 categories to the way apps actually break: which root cause a finding maps to, why the ranking moved, and what the durable fix is rather than the bolt-on.
Quiz
Completed
An endpoint runs SELECT * FROM invoices WHERE id = ? with the id taken from the URL and bound as a parameter. A user edits the id and reads a stranger's invoice. Which category is this, and why is it NOT injection?
Heads-up The id is bound as a parameter, so it is data, not code; nothing is injected. The defect is a missing authorization check on the row, which is A01, not A03.
Heads-up Encryption at rest protects against a stolen disk, not against an authorized session reading a row it should not. The missing thing is an ownership check, not a cipher.
Heads-up A syntactically valid request that returns another user's data is the textbook IDOR shape of Broken Access Control, the #1 category in 2021.
Quiz
Completed
Why did the 2021 list rename 'Sensitive Data Exposure' to 'Cryptographic Failures', and what does that reframing change in practice?
Heads-up Exposure did not go away; the rename is about categorizing by cause so the fix is actionable, not about the risk disappearing.
Heads-up Data leaks through broken access control, misconfiguration, and more. The rename targets the crypto-related subset by its cause, not a claim that crypto is the sole path.
Heads-up The change is methodological — the whole 2021 list was reorganized around root causes vs symptoms — not cosmetic or audit-driven.
Quiz
Completed
A checkout flow accepts the item price from the client and charges that amount. There is no injection, no auth bug, and TLS is on. A reviewer still flags it. Which category, and why can't you patch your way out?
Heads-up The price is not being interpreted as code, so there is nothing to sanitize. The flaw is that an authoritative value is taken from an untrusted source — a design defect, A04.
Heads-up No misconfigured setting is involved; the application was built to trust the client price. That is an architectural decision, which is A04 Insecure Design.
Heads-up Anything the client sends is attacker-controllable via the console or a proxy. Authoritative values like price must be derived server-side.
Quiz
Completed
SSRF (A10) maps to roughly a single CWE and had almost no historical incidence data, yet it ranked in 2021. What does its inclusion tell you about how to read the Top 10?
Heads-up It is the opposite — SSRF had almost no historical data and maps about one CWE. It ranked via the practitioner survey, which is exactly why its inclusion is notable.
Heads-up The methodology deliberately reserves two slots for survey-voted risks precisely so the list is not limited to what tooling already measures well.
Heads-up SSRF is the server being tricked into requesting an attacker-chosen URL — distinct from injecting code into an interpreter. Its own slot reflects a distinct root cause.
Quiz
Completed
A non-admin sends POST /api/admin/users/7/promote directly with curl and it succeeds — the only 'check' was that the admin button is hidden in their UI. Category and fix?
Heads-up The route is supposed to exist; the defect is that it does not verify the caller's role. That is a missing authorization check (A01), not a misconfigured setting.
Heads-up A signature proves the message was not tampered with, not that this caller may promote a user. The missing piece is a server-side role check.
Heads-up Shared endpoints are normal; the bug is that authorization is never enforced, so a non-admin reaching it directly succeeds.
Quiz
Completed
A service ships a known-vulnerable version of a logging library (a Log4Shell-class CVE) and returns stack traces to clients with full framework versions. Which two categories are in play, and which is the higher-leverage fix?
Heads-up Log4Shell-class bugs do involve untrusted input reaching an interpreter, but OWASP classes the 'we shipped a known-vulnerable dependency' problem as A06; the verbose stack traces are separately A05.
Heads-up Hiding stack traces alone leaves the exploitable CVE live. The dependency upgrade is the load-bearing fix; suppressing errors is hardening on top.
Heads-up A06 exists precisely because your dependencies' CVEs are your CVEs in production; you own the upgrade and the SBOM.
Recap
The through-line is reading a finding back to its root cause: a parameterized query that still leaks rows is access control, not injection; a renamed category points at cause over symptom; a trusted client price is insecure design no filter can fix; SSRF earned its slot by practitioner vote, not data; hidden UI is never authorization; and a vulnerable dependency plus verbose errors are two categories where the patch outranks the hardening. Spend rigor where expected damage is highest — access control first — and always prefer the root-cause fix over the bolt-on.