
API OWASP Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (such as an X, a checkmark, a dot, or a tally mark) on each cell as you announce it, to keep track. You can also cut out each item, place the items in a bag, and pull words from the bag.

  1. A2:2013-Broken Authentication and Session Management
  2. A5:2017-Broken Access Control
  3. A2:2017-Broken Authentication
  4. API6:2023 - Unrestricted Access to Sensitive Business Flows
  5. A10:2013-Unvalidated Redirects and Forwards
  6. A4:2013-Insecure Direct Object References
  7. A3:2017-Sensitive Data Exposure
  8. A8:2013-Cross-Site Request Forgery (CSRF)
  9. A9:2013-Using Components with Known Vulnerabilities
  10. API1:2023 - Broken Object Level Authorization
  11. A9:2017-Using Components with Known Vulnerabilities
  12. A7:2013-Missing Function Level Access Control
  13. A1:2013-Injection
  14. A4:2017-XML External Entities (XXE)
  15. A1:2017-Injection
  16. C3:2018-Secure Database Access
  17. API8:2023 - Security Misconfiguration
  18. API3:2023 - Broken Object Property Level Authorization
  19. A5:2013-Security Misconfiguration
  20. C2:2018-Leverage Security Frameworks and Libraries
  21. A8:2017-Insecure Deserialization
  22. API5:2023 - Broken Function Level Authorization
  23. API9:2023 - Improper Inventory Management
  24. API10:2023 - Unsafe Consumption of APIs
  25. A10:2017-Insufficient Logging & Monitoring
  26. C4:2018-Encode and Escape Data
  27. A3:2013-Cross-Site Scripting (XSS)
  28. API6:2023 - Unrestricted Access to Sensitive Business Flows
  29. API4:2023 - Unrestricted Resource Consumption
  30. API2:2023 - Broken Authentication
  31. A7:2017-Cross-Site Scripting (XSS)
  32. C1:2018-Define Security Requirements
  33. A6:2017-Security Misconfiguration
  34. A6:2013-Sensitive Data Exposure