
API OWASP Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (an X, a checkmark, a dot, a tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the items in a bag, and pull words from the bag.

  1. A2:2013-Broken Authentication and Session Management
  2. API6:2023 - Unrestricted Access to Sensitive Business Flows
  3. A8:2017-Insecure Deserialization
  4. API10:2023 - Unsafe Consumption of APIs
  5. A6:2017-Security Misconfiguration
  6. A3:2013-Cross-Site Scripting (XSS)
  7. API1:2023 - Broken Object Level Authorization
  8. C1:2018-Define Security Requirements
  9. A3:2017-Sensitive Data Exposure
  10. API9:2023 - Improper Inventory Management
  11. A2:2017-Broken Authentication
  12. API3:2023 - Broken Object Property Level Authorization
  13. API5:2023 - Broken Function Level Authorization
  14. A7:2017-Cross-Site Scripting (XSS)
  15. C4:2018-Encode and Escape Data
  16. API6:2023 - Unrestricted Access to Sensitive Business Flows
  17. C3:2018-Secure Database Access
  18. API4:2023 - Unrestricted Resource Consumption
  19. A9:2017-Using Components with Known Vulnerabilities
  20. A7:2013-Missing Function Level Access Control
  21. A4:2013-Insecure Direct Object References
  22. A6:2013-Sensitive Data Exposure
  23. A10:2013-Unvalidated Redirects and Forwards
  24. API8:2023 - Security Misconfiguration
  25. A9:2013-Using Components with Known Vulnerabilities
  26. C2:2018-Leverage Security Frameworks and Libraries
  27. A8:2013-Cross-Site Request Forgery (CSRF)
  28. API2:2023 - Broken Authentication
  29. A1:2017-Injection
  30. A5:2017-Broken Access Control
  31. A4:2017-XML External Entities (XXE)
  32. A1:2013-Injection
  33. A10:2017-Insufficient Logging & Monitoring
  34. A5:2013-Security Misconfiguration