This category of risk occurs when user input is included directly in a query or command to an interpreter without proper validation or escaping.
What is injection?
NOT FOUND plus OK
What is 604?
404 + 200
Without this control, attackers can send thousands of requests per second and overwhelm an API.
What is rate limiting?
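As an added illustration of the control named above (example code, not from the original quiz), here is a per-client token bucket limiter driven by an injected clock so the behaviour is deterministic. Capacity, refill rate and the client identifiers are assumptions chosen for the demo.

```python
class TokenBucket:
    """Allow `capacity` requests in a burst, then `refill_per_sec` more per second."""

    def __init__(self, capacity: float, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity   # bucket starts full
        self.last = now          # timestamp of the last refill calculation

    def allow(self, now: float) -> bool:
        # Lazily refill based on elapsed time, capped at the bucket capacity.
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client key (e.g. API key or source IP)."""

    def __init__(self, capacity: int = 5, refill_per_sec: float = 1.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: dict = {}

    def check(self, client_id: str, now: float) -> int:
        """Return the HTTP status a gateway would answer with: 200 or 429."""
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_per_sec, now)
            self.buckets[client_id] = bucket
        return 200 if bucket.allow(now) else 429


def simulate_burst(limiter: RateLimiter, client_id: str, n_requests: int,
                   start: float = 0.0, spacing: float = 0.0) -> list:
    """Send n requests `spacing` seconds apart starting at `start`; return statuses."""
    return [limiter.check(client_id, start + i * spacing) for i in range(n_requests)]


if __name__ == "__main__":
    limiter = RateLimiter(capacity=5, refill_per_sec=1.0)
    # Constructed scenario: one client fires 8 requests at t=0, then 3 more at t=2s.
    print(simulate_burst(limiter, "10.0.0.1", 8))             # 5x200 then 3x429
    print(simulate_burst(limiter, "10.0.0.1", 3, start=2.0))  # 2 tokens refilled
    print(simulate_burst(limiter, "10.0.0.2", 1))             # other client unaffected
```

In production the bucket state lives in a shared store (Redis or the gateway itself) so every replica enforces the same limit, and the key should be something an attacker cannot cheaply rotate.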
At least one thing is wrong with this GUI Tony Stark uses to hack government systems.

What is an invalid IP address?
Honestly, there are probably a lot.
It's not DNS
There is no way it's DNS
_______
What is "It was DNS"
The function of the `git init` command
What is initialize a new Git repository?
To reduce risk from OWASP #6: Vulnerable and Outdated Components, OWASP recommends using this three-letter acronym to identify the open source software that is included in your codebase.
What is a Software Composition Analysis (SCA) tool?
BAD GATEWAY minus FORBIDDEN
What is 99?
502 - 403
A security tool deployed in front of your APIs that can enforce authentication, filter input, and add logging.
What is an API gateway?
In this 90s sci-fi blockbuster, Jeff Goldblum saves humanity by uploading a computer virus to an alien mothership using a laptop which apparently uses alien-compliant drivers and protocols.
What is Independence Day?

There once was a man from Nantucket
Who had an allow *:* policy on his S3 ____
What is a bucket?
What is git checkout -- <file>?
How do you pronounce this word
"SIEM"
Audience cheer if this is correct?
BAD REQUEST divided by OK
What is 2?
400 / 200
This common standard lets APIs and applications act on behalf of a user without ever seeing their password, often using tokens with scopes.
What is OAuth?
In this scenario, a hacker cracks a government system in 60 seconds while dubstep plays, bouncing between multiple monitors and GUI hacking tools that look more like WinAmp skins than terminals.
What is any Hollywood hacking montage ever?
They sent all the logins in plain text,
A packet sniffer knew what came next;
They skipped over certs and encryption finesse—
They should have used ____.
What is TLS/HTTPS?
Some teams stop developers from committing code with secrets or missing tests by running these custom checks before Git accepts the commit.
What is a pre-commit hook?
If your app lets users hand it a URL and it says “Sure, I’ll grab that for you!”—you’ve probably built this OWASP #10 vulnerability.
What is Server-Side Request Forgery (SSRF)?
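The clue above names the mistake; the added example below (not from the original quiz) shows the check a URL-fetching endpoint should make before the "Sure, I'll grab that for you!" step: allow only http(s), reject embedded credentials, resolve the host, and refuse any address that is loopback, private, link-local (the 169.254.169.254 cloud metadata endpoint lives there), multicast, reserved or unspecified. The `FAKE_DNS` table and the hostnames in it are constructed so the demo runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlparse


def default_resolver(host: str) -> Iterable[str]:
    """Real resolver: every address the host currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_disallowed(ip) -> bool:
    # Anything that could reach the server's own network or the cloud metadata
    # service is off limits for a user-controlled fetch.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str,
                       resolver: Callable[[str], Iterable[str]] = default_resolver
                       ) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise the reason it is rejected."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"          # blocks file://, gopher://, dict:// etc.
    if parts.username or parts.password:
        return "credentials in URL"          # http://user:pw@host tricks naive parsers
    host = parts.hostname
    if not host:
        return "missing host"
    try:
        addrs = {ipaddress.ip_address(host)}  # literal IP: no DNS lookup needed
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError):
            return "host does not resolve"
    if not addrs:
        return "host does not resolve"
    for ip in addrs:                          # check every address, not just the first
        if _is_disallowed(ip):
            return f"resolves to disallowed address {ip}"
    return None


# Constructed DNS table so the demo is deterministic and needs no network.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
}

def fake_resolver(host: str) -> Iterable[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror("no such host")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ["https://example.com/report.pdf",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://127.0.0.1:8080/admin",
                      "http://internal.corp/",
                      "file:///etc/passwd"]:
        print(candidate, "->", validate_fetch_url(candidate, fake_resolver) or "OK")
```

Two caveats a reviewer would raise: the check and the fetch are separate steps, so a DNS name can be re-pointed at an internal address between them (rebinding); connect to the validated IP rather than re-resolving, and re-run this check on every redirect the fetch follows. An allow-list of expected destinations is stronger still when the use case permits it.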
REQUEST TIMEOUT divided by 4
What is 102?
408 / 4
This authentication mechanism requires both the client and the server to present a TLS certificate that the other side trusts before the connection is accepted.
What is mutual TLS (mTLS)?
In this 90s spy thriller, a Russian hacker in an arctic bunker knows he has been detected by the FBI when giant yellow lights flash on his screen. He then hacks back against those tracking him by sending them a "spike" attack which allows him to send snarky messages to the FBI.
What is GoldenEye?

The sticker on the router’s back,
Spelled “admin / admin” right on the rack;
They skipped MFA and other essentials—
What doomed the box? ____ ____.
What is default credentials?
When you check out a specific commit instead of a branch, you end up here — changes aren’t attached to any branch until you create one.
What is a detached HEAD?
To mitigate cross-site scripting, OWASP recommends setting this HTTP header, which restricts the sources from which a browser may load scripts and other resources for a given page.
What is Content-Security-Policy (CSP)?
I’m a teapot
What is 418?
The HTTP 418 I'm a teapot status response code indicates that the server refuses to brew coffee because it is, permanently, a teapot.
By flooding an API with requests, an attacker can rack up cloud bills or burn CPU cycles in this costly attack.
What are unbounded consumption or denial of wallet attacks?
According to the TV show NCIS, you hack twice as fast through the use of this advanced hacking technique.
What is having two hackers on the same keyboard at the same time?
DOUBLE JEOPARDY!
PASSWORD PURGATORY
Enter the following password:
P@ssw0rd_Purg@t0ry_2024!@#$%^&*()_+{}|:</`~
Use this command to find the branch that you accidentally deleted. Then flog yourself again as punishment.
What is git reflog?
