OWASP Top 10
HTTP Status Code Math
This is APWhy We Can’t Have Nice Things
That's Not How This Works at All
Finish the Poem
Git Happens
100

To reduce risk from A06:2021 – Vulnerable and Outdated Components, OWASP recommends using this kind of tool to track dependencies and their versions.

What is a Software Composition Analysis (SCA) tool

100

File not found + OK

What is 604?

404 + 200

100

Without this control, attackers can send thousands of requests per second and overwhelm an API.

What is rate limiting?

100

This view of what Tony Stark hacking government systems looks like.

What is an invalid IP address?

Honestly, there are probably a lot.

100

It's not DNS

There is no way it's DNS

_______

What is "It was DNS"?

100

The function of the `git init` command

What is set up a new tracked repository?

200

To know when an attacker is exfiltrating your data, you need to have this type of security measure in place.

What is security monitoring (A09:2021 – Security Logging and Monitoring Failures)?

200

Bad gateway - forbidden

What is 99?

502 - 403

200

This common framework lets applications act on behalf of a user without ever seeing their password, often using tokens with scopes.

What is OAuth?

200

In this 90s sci-fi blockbuster, Jeff Goldblum saves humanity by uploading a computer virus to an alien mothership using a laptop which apparently uses alien-compliant drivers and protocols.

What is Independence Day?

200

There once was a man from Nantucket
Who had an allow *:* policy on his S3 ____

What is bucket?

200

You are rushing to push an emergency fix out to production on the main branch, but you forgot that your local version is behind. This command throws away all the previous changes on the main branch and replaces it with yours.

What is git push --force?

300

To stop cross-site scripting (A03:2021 – Injection), OWASP recommends output encoding and setting this HTTP header to limit script sources.

What is Content-Security-Policy (CSP)?

300

Bad request / OK

What is 2?

400 / 200

300

This vulnerability exists when an API uses simple, often numeric, IDs for objects, such as user/101. Attackers write scripts to guess similar IDs and may get valid responses when authorization isn’t properly enforced.

What is Insecure Direct Object Reference (IDOR)?

300

In this scenario, a hacker cracks a government system in 60 seconds while dubstep plays, bouncing between multiple monitors and GUI hacking tools that look more like WinAmp skins than terminals.

What is any Hollywood hacking montage ever?

300

They sent all the logins in plain text,

A packet sniffer knew what came next;

They skipped over certs and encryption finesse—

They should have used ____.

What is TLS/HTTPS?

300

Some teams stop developers from committing code with secrets or missing tests by running these custom checks before Git accepts the commit.

What is a pre-commit hook?

400

The correct way to pronounce this word:

SEIM

Audience cheer for your preferred pronunciation!

400

Request timeout / 4

What is 102?

408 / 4

400

If your API accepts user input and then makes internal HTTP requests based on that input, you might be vulnerable to this dangerous vulnerability that can target internal services.

What is Server-Side Request Forgery (SSRF)?

400

In this 90s spy thriller, a hacker is thwarted by a countermeasure visualized as a polygonal “spike” racing across a 3D interface. The system apparently lacks real intrusion detection but does feature dramatic GUI animation and believes rapid typing is a valid defense strategy.

What is GoldenEye?

400

The sticker on the router’s back,

Spelled “admin / admin” right on the rack;

They skipped MFA and other essentials—

What doomed the box? ____ ____.

What is default credentials?

400

When you check out a specific commit instead of a branch, you end up here — changes aren’t attached to any branch until you create one.

What is a detached HEAD?

500

Attackers often target this link-local address (169.254.169.254) to steal cloud metadata in this type of vulnerability.

What is A10:2021 – Server-Side Request Forgery (SSRF)?

500

I’m a teapot

The requested entity body is short and stout.

What is 418?

The HTTP 418 I'm a teapot status response code indicates that the server refuses to brew coffee because it is, permanently, a teapot.

Defined in RFC 2324; formally reserved in RFC 9110.

500

This advanced authentication mechanism requires both the client and the web server to have valid and accepted TLS certificates for a connection to be valid.

What is mutual TLS (mTLS)?

500

According to the TV show NCIS, you hack twice as fast through the use of this advanced hacking technique.

What is having two hackers on the same keyboard at the same time?

500

Use this command to find the branch that you accidentally deleted. Then flog yourself again as punishment.

What is git reflog?