Module 1: Secure Software Architecture
Quick questions on OWASP Top 10 explained: HSC Software Engineering Module 1
15 short Q&A pairs drawn directly from our worked dot-point answer. For full context and worked exam questions, read the parent dot-point page.
What is A01?
Users can access resources or perform actions they should not. Example: changing /api/users/123/profile to /api/users/124/profile returns another user's data because the server only checks login, not ownership.
What is A02?
Sensitive data is exposed because it was not encrypted properly. Example: passwords stored as plain text or with MD5, payment data sent over HTTP.
What is A03?
Untrusted input is interpreted as code. SQL injection is the headline example, but command injection, LDAP injection, and template injection are all in this category.
What is A04?
Security flaws baked in at the design stage that no amount of code review can fix. Example: a "password reset" flow that sends the user's current password by email.
What is A05?
Default credentials, unnecessary services left on, verbose error messages exposing stack traces. Example: a production database with the default admin password.
What is A06?
Using a library with a known CVE (Common Vulnerabilities and Exposures). Example: Log4j 2.14 (Log4Shell).
What is A07?
Weak or missing authentication: brute-forceable login, no MFA, predictable session IDs.
What is A08?
Trusting code or data without verifying its integrity. Example: pulling an auto-update from an unsigned source, deserialising untrusted data.
What is A09?
The system does not log enough to detect or investigate attacks. Example: no record of failed logins, no alert when login attempts reach a thousand per second.
What is A10?
The server makes outbound requests based on user input, allowing an attacker to reach internal services. Example: a "preview this URL" feature that fetches http://localhost/admin.
What is a worked SQL injection example?
A vulnerable query (do not write this):
What is the mitigation for A01 Broken Access Control?
Enforce authorisation on every endpoint with object-level checks. Deny by default. Test with unauthorised, low-privilege, and high-privilege accounts.
What is A03 Injection?
An attacker submits a script tag as feedback, which then executes in the browser of any admin who reads the queue. Mitigation: HTML-encode all user input when rendering.
What is A01 Broken Access Control?
A student crafts a request to view another student's submitted feedback. Mitigation: every endpoint checks that the requester is the owner of the resource.
What is A07 Authentication Failure?
The form is open to anonymous submissions, but the rate limit allows a single user to flood the queue. Mitigation: per-IP rate limit, CAPTCHA on anonymous submissions, account-based rate limit on logged-in users.