
API OWASP Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (an X, a checkmark, a dot, a tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the slips in a bag and draw them from the bag.


  1. A6:2013 - Sensitive Data Exposure
  2. A10:2013 - Unvalidated Redirects and Forwards
  3. API6:2023 - Unrestricted Access to Sensitive Business Flows
  4. A9:2017 - Using Components with Known Vulnerabilities
  5. API5:2023 - Broken Function Level Authorization
  6. C2:2018 - Leverage Security Frameworks and Libraries
  7. C1:2018 - Define Security Requirements
  8. C3:2018 - Secure Database Access
  9. API1:2023 - Broken Object Level Authorization
  10. A8:2017 - Insecure Deserialization
  11. API4:2023 - Unrestricted Resource Consumption
  12. API8:2023 - Security Misconfiguration
  13. A6:2017 - Security Misconfiguration
  14. A5:2013 - Security Misconfiguration
  15. API9:2023 - Improper Inventory Management
  16. A3:2017 - Sensitive Data Exposure
  17. A9:2013 - Using Components with Known Vulnerabilities
  18. C4:2018 - Encode and Escape Data
  19. A4:2013 - Insecure Direct Object References
  20. A3:2013 - Cross-Site Scripting (XSS)
  21. A5:2017 - Broken Access Control
  22. API10:2023 - Unsafe Consumption of APIs
  23. A1:2013 - Injection
  24. A4:2017 - XML External Entities (XXE)
  25. API2:2023 - Broken Authentication
  26. A1:2017 - Injection
  27. A2:2013 - Broken Authentication and Session Management
  28. A2:2017 - Broken Authentication
  29. API6:2023 - Unrestricted Access to Sensitive Business Flows
  30. API3:2023 - Broken Object Property Level Authorization
  31. A7:2017 - Cross-Site Scripting (XSS)
  32. A8:2013 - Cross-Site Request Forgery (CSRF)
  33. A10:2017 - Insufficient Logging & Monitoring
  34. A7:2013 - Missing Function Level Access Control