The acronym SCA stands for this practice of analyzing your third-party components (like npm or pip packages) for vulnerabilities.
What is software composition analysis?
The "S" in HTTPS, this protocol provides the encryption layer for HTTP.
What is TLS? Transport Layer Security
These cookie attributes restrict when the browser attaches the cookie to outgoing requests.
What is domain or path?
This vulnerability, often number one on the OWASP list, allows an attacker to send hostile data to an interpreter, such as a database or the browser.
What is Injection?
This massive hacker conference, held in Las Vegas annually, is known for its Capture the Flag (CTF) competition and distinct "badges."
What is DEFCON?
This is a formal inventory of all the open-source libraries and versions used in your application.
What is a software bill of materials?
This HTTP status code, often misconfigured, might leak information about whether a username or just a password was incorrect.
What are 404 or 401 status codes?
This is the section of the HTTP request that includes cookie values.
What is the cookie header?
This flaw occurs when an application improperly manages session credentials or user identity.
What is broken authentication?
This former NSA contractor leaked a massive trove of classified documents in 2013, revealing global surveillance programs.
Who is Edward Snowden?
An attack where a hacker compromises a legitimate, popular package and adds malicious code to a new version, which is then downloaded by thousands of apps.
What is a supply chain attack?
This HTTP method should not be used to modify state.
What is GET?
This cookie flag prevents client-side JavaScript (e.g., document.cookie) from accessing the cookie, which is a key defense against XSS.
This vulnerability arises from not properly restricting what a user is allowed to do, letting them access other users' data or admin functions.
What is broken access control? (Authorization)
Once the FBI's "most wanted computer criminal," this famous social engineer was arrested in 1995 and later became a well-known security consultant and author.
Who is Kevin Mitnick?
An attack where a hacker uploads a malicious package named requestss or djanga hoping a developer will make a typo during npm install.
What is typosquatting?
This security header, HSTS, instructs the browser to only communicate with the server over HTTPS, preventing SSL stripping attacks.
What is Strict Transport Security?
This cookie flag ensures the browser will only send the cookie over an HTTPS connection.
What is the Secure flag?
This category was newly added in the 2021 OWASP Top 10. This vulnerability tricks a server into making a network request on the attacker's behalf, often to scan the internal network or query cloud metadata.
What is SSRF? (Server Side Request Forgery)
This "bug bounty" program, run at conferences, offers large cash prizes to researchers who can successfully demonstrate zero-day exploits against popular software and hardware, often "owning" devices.
This advanced attack tricks a build system by publishing a public package (e.g., on npm) with the same name as an internal-only private package.
What is dependency confusion?
This outdated security protocol was used for the secure transfer of HTTP requests and was replaced by TLS.
What is SSL? (Secure Sockets Layer)
This cookie attribute (with values Strict or Lax) is the primary browser-level defense against Cross-Site Request Forgery (CSRF).
What is the SameSite attribute?
This category, new in 2021, describes flaws in an application's architecture (like business logic) that create security risks, even if the code itself has no "bugs."
This open-source framework, now owned by Rapid7, is an essential tool for penetration testers, providing a vast database of exploits and payloads.
What is the Metasploit Framework?