
API OWASP Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (an X, a checkmark, a dot, a tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the slips in a bag, and draw items from the bag.


  1. A3:2017-Sensitive Data Exposure
  2. API8:2023 - Security Misconfiguration
  3. A7:2017-Cross-Site Scripting (XSS)
  4. A3:2013-Cross-Site Scripting (XSS)
  5. API1:2023 - Broken Object Level Authorization
  6. A6:2017-Security Misconfiguration
  7. API5:2023 - Broken Function Level Authorization
  8. A5:2013-Security Misconfiguration
  9. A10:2013-Unvalidated Redirects and Forwards
  10. A4:2013-Insecure Direct Object References
  11. API2:2023 - Broken Authentication
  12. API4:2023 - Unrestricted Resource Consumption
  13. A2:2013-Broken Authentication and Session Management
  14. C3:2018-Secure Database Access
  15. A5:2017-Broken Access Control
  16. A9:2013-Using Components with Known Vulnerabilities
  17. API6:2023 - Unrestricted Access to Sensitive Business Flows
  18. A1:2013-Injection
  19. A9:2017-Using Components with Known Vulnerabilities
  20. API6:2023 - Unrestricted Access to Sensitive Business Flows
  21. A2:2017-Broken Authentication
  22. API9:2023 - Improper Inventory Management
  23. A10:2017-Insufficient Logging & Monitoring
  24. A7:2013-Missing Function Level Access Control
  25. A4:2017-XML External Entities (XXE)
  26. A1:2017-Injection
  27. C1:2018-Define Security Requirements
  28. A8:2017-Insecure Deserialization
  29. API10:2023 - Unsafe Consumption of APIs
  30. C4:2018-Encode and Escape Data
  31. API3:2023 - Broken Object Property Level Authorization
  32. C2:2018-Leverage Security Frameworks and Libraries
  33. A8:2013-Cross-Site Request Forgery (CSRF)
  34. A6:2013-Sensitive Data Exposure