Explore key concepts of insecure design in web applications with this quiz on real-world security flaws as outlined in the OWASP Top 10. Assess your understanding of common vulnerabilities, security best practices, and how design decisions can impact overall application security.
A web application allows users to change their user role by modifying a hidden field in the user settings page. Which insecure design flaw does this situation exemplify?
Explanation: This example demonstrates Broken Access Control, where users can escalate privileges because authorization is enforced by poorly designed client-side state rather than on the server. Sensitive Data Tracking is not relevant because the scenario does not involve exposure of confidential information. Excessive Logging refers to overwhelming logs with unnecessary information, which is unrelated here. Session Timeout Misconfiguration involves issues with session duration, not user access levels.
An application is deployed with administrative accounts using 'admin' as both the username and password, which are not required to be changed after setup. What is the main insecure design issue here?
Explanation: The use of default credentials creates a predictable and easy-to-exploit security hole often cited in insecure design practices. Object Reference Bypass is unrelated to credential settings. Cross-Origin Resource Sharing Error involves misconfigurations in resource sharing policies, not account setup. Inadequate Data Masking refers to exposing sensitive information visually or through logs, not login procedures.
A developer builds an online form that accepts unlimited file attachments without checking their type or size, resulting in potential server crashes. Which OWASP Top 10 insecure design concept does this illustrate?
Explanation: Failing to validate or restrict file uploads indicates a lack of adherence to the Secure By Design Principle, which encourages building security into the application from the start. Overly Strict Input Validation would create user experience problems but provides more security, not less. Cookie Tampering is about altering data in cookies, which is unrelated here. Cryptic UI Messaging refers to unclear user notifications and does not affect file upload controls.
A banking web portal allows fund transfers without verifying user identity once they are logged in, making phishing attacks easier. What insecure design concern does this raise?
Explanation: This scenario points to inadequate security checks in sensitive workflows, a core insecure design issue that can facilitate unauthorized actions. Token Spoofing Attack refers specifically to authentication tokens being faked or stolen. Unencrypted Backups concern improper handling of backup data, not in-session actions. Password Autofill deals with browser features, not transaction authorization.
A web application returns detailed error messages containing stack traces and file paths to end users when something goes wrong. Which insecure design flaw is present?
Explanation: Providing detailed error information can give attackers insights into the internal design and vulnerabilities of the application, fitting the flaw of Excessive Error Information Disclosure. Unvalidated Redirects relate to sending users to unverified URLs. Race Condition Exposure is about timing issues in code execution, and SQL Truncation is a type of database error, none of which involve error message content.