CAPIE - Certified API Hacking Expert
OWASP API Security Top 10 Assessment
1. Which of the following best describes "Broken Object Level Authorization"?
A. Failure to apply rate-limiting measures on the API
B. Not validating whether a user is allowed to access specific resources or objects
C. Collecting too much data in response payloads
D. Insufficient or missing logging of user actions
2. Which OWASP API Top 10 issue involves the API inadvertently sending back more information than needed?
A. Broken User Authentication
B. Mass Assignment
C. Excessive Data Exposure
D. Security Misconfiguration
3. Mass Assignment typically occurs when:
A. Endpoints allow large payloads, causing DoS attacks
B. The API automatically binds request data to internal models without filtering out unexpected fields
C. Session IDs are not invalidated upon logout
D. The API fails to use HTTPS for all endpoints
4. Broken Function Level Authorization can be tested by:
A. Disabling CSRF tokens in requests
B. Logging into the API with a valid admin account
C. Attempting to invoke higher-privilege functions (e.g., admin actions) with a lower-privilege account
D. Using outdated endpoints to see if they still respond
5. Which vulnerability class explicitly mentions issues like default configurations, open ports, and verbose error messages?
A. Injection
B. Security Misconfiguration
C. Improper Assets Management
D. Insufficient Logging & Monitoring
6. "Improper Assets Management" means:
A. Missing or insufficient logging for critical operations
B. Out-of-date, unused, or undocumented endpoints that remain accessible
C. Failing to sanitize user-supplied input
D. Automatic binding of user input to data models
7. When an API does not limit the frequency or size of client requests, it is susceptible to which risk?
A. Lack of Resource & Rate Limiting
B. Insufficient Logging & Monitoring
C. Injection
D. Mass Assignment
8. Broken User Authentication might involve:
A. Not enforcing multi-factor authentication on the client side
B. Allowing user-submitted data to become part of a SQL query
C. Letting unauthenticated users gain access to functions requiring admin roles
D. Returning data objects with hidden fields
9. Which item refers to embedding untrusted data in queries or commands, leading to potential malicious execution?
A. Broken Object Level Authorization
B. Injection
C. Security Misconfiguration
D. Excessive Data Exposure
10. Insufficient Logging & Monitoring primarily affects an organization's ability to:
A. Limit the data returned in API responses
B. Conduct robust authentication checks
C. Detect and respond to suspicious activity or breaches
D. Manage versions of an API that have been deprecated