API OWASP Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. To keep track, place a mark (such as an X, a checkmark, a dot, or a tally mark) on each cell as you announce it. You can also cut out each item, place the items in a bag, and pull them from the bag.


  1. C1:2018-Define Security Requirements
  2. A7:2017-Cross-Site Scripting (XSS)
  3. A10:2017-Insufficient Logging & Monitoring
  4. A8:2017-Insecure Deserialization
  5. API10:2023 - Unsafe Consumption of APIs
  6. C2:2018-Leverage Security Frameworks and Libraries
  7. A7:2013-Missing Function Level Access Control
  8. A9:2013-Using Components with Known Vulnerabilities
  9. A1:2017-Injection
  10. API1:2023 - Broken Object Level Authorization
  11. API5:2023 - Broken Function Level Authorization
  12. A4:2013-Insecure Direct Object References
  13. API8:2023 - Security Misconfiguration
  14. A8:2013-Cross-Site Request Forgery (CSRF)
  15. A2:2017-Broken Authentication
  16. A1:2013-Injection
  17. A6:2017-Security Misconfiguration
  18. A3:2013-Cross-Site Scripting (XSS)
  19. API3:2023 - Broken Object Property Level Authorization
  20. A4:2017-XML External Entities (XXE)
  21. A3:2017-Sensitive Data Exposure
  22. API6:2023 - Unrestricted Access to Sensitive Business Flows
  23. A2:2013-Broken Authentication and Session Management
  24. API2:2023 - Broken Authentication
  25. A9:2017-Using Components with Known Vulnerabilities
  26. A5:2013-Security Misconfiguration
  27. API4:2023 - Unrestricted Resource Consumption
  28. C4:2018-Encode and Escape Data
  29. A6:2013-Sensitive Data Exposure
  30. A5:2017-Broken Access Control
  31. A10:2013-Unvalidated Redirects and Forwards
  32. C3:2018-Secure Database Access
  33. API9:2023 - Improper Inventory Management
  34. API6:2023 - Unrestricted Access to Sensitive Business Flows