
Stash OWASP Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. To keep track, place a mark (such as an X, a checkmark, a dot, or a tally mark) on each cell as you announce it. You can also cut out each item, place them in a bag and pull words from the bag.


  1. C5:2018-Validate All Inputs
  2. A6:2013-Sensitive Data Exposure
  3. A5:2017-Broken Access Control
  4. A2:2013-Broken Authentication and Session Management
  5. A6:2017-Security Misconfiguration
  6. C9:2018-Implement Security Logging and Monitoring
  7. A4:2017-XML External Entities (XXE)
  8. C1:2018-Define Security Requirements
  9. C2:2018-Leverage Security Frameworks and Libraries
  10. A5:2013-Security Misconfiguration
  11. A2:2017-Broken Authentication
  12. A10:2013-Unvalidated Redirects and Forwards
  13. A8:2013-Cross-Site Request Forgery (CSRF)
  14. A4:2013-Insecure Direct Object References
  15. A1:2013-Injection
  16. A3:2017-Sensitive Data Exposure
  17. A1:2017-Injection
  18. C10:2018-Handle all Errors and Exceptions
  19. A9:2013-Using Components with Known Vulnerabilities
  20. C6:2018-Implement Digital Identity
  21. A9:2017-Using Components with Known Vulnerabilities
  22. A7:2017-Cross-Site Scripting (XSS)
  23. A3:2013-Cross-Site Scripting (XSS)
  24. C7:2018-Enforce Access Controls
  25. C8:2018-Protect Data Everywhere
  26. C4:2018-Encode and Escape Data
  27. A7:2013-Missing Function Level Access Control
  28. A10:2017-Insufficient Logging & Monitoring
  29. C3:2018-Secure Database Access
  30. A8:2017-Insecure Deserialization