
Chapter 3 Checkpoint

The application-security toolkit, all together. This mixed quiz pulls from every lesson in the chapter. Passing means you can recognize the major web-app vulnerability classes in real code, exploit them in your head (for authorized testing), and ship the durable fix.

How this works

The quiz draws a random selection from a larger bank each attempt. The chapter's through-line: nearly every bug here is a trust-boundary failure — untrusted input treated as code, identity, a destination, or an object — and the durable fixes are structural (parameterize, encode by context, deny by default, disable dangerous parser features) rather than filters. If a question stings, follow its revisit link.

What you should be able to do now

  • Use the OWASP Top 10 as a prioritization map and place a given bug in its category.
  • Spot and fix injection (SQLi/command) with parameterization, and explain why filtering fails.
  • Spot and fix XSS with context-aware output encoding, safe frameworks, and CSP.
  • Diagnose authentication failures (credential stuffing, weak sessions, JWT traps) and prescribe MFA + proper session handling.
  • Diagnose access-control failures (IDOR, function-level, privilege escalation) and enforce authorization server-side, deny-by-default.
  • Recognize SSRF and deserialization/XXE and apply the structural defenses: allowlisted egress for server-side requests, XML parsers with external entities disabled, and no native deserialization of untrusted data.
  • Apply secure-by-default patterns that prevent whole categories at once.
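The four trust-boundary failures in the list above, each beside its structural fix, as an added example (not code from the course or from any framework it references). The in-memory SQLite table is constructed for the demo, the egress allowlist host `api.example.com` is an assumed value, and the function names (`lookup_user_vulnerable`, `lookup_user_fixed`, `render_html_text`, `render_html_attr`, `is_safe_egress`, `can_read_document`) are illustrative.

```python
"""Untrusted input treated as code, as a destination, and as an object,
each with the structural fix. Added example; helper names are illustrative."""
import html
import sqlite3
from urllib.parse import urlsplit


def make_db():
    """Constructed in-memory table with two users for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "admin"), (2, "bob", "user")])
    return db


# 1. Input treated as SQL: string-built query (vulnerable) vs parameterized.
def lookup_user_vulnerable(db, username):
    # DO NOT USE: the value is spliced into the statement, so a quote closes
    # the string literal and the rest of the input is parsed as SQL.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in db.execute(sql)]


def lookup_user_fixed(db, username):
    # Parameterized: the value travels separately from the statement text, so
    # it is only ever data, whatever characters it contains. No filter needed.
    return [row[0] for row in db.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


# 2. Input treated as HTML/JS in the browser: encode for the output context.
def render_html_text(value):
    # Element content: & < > (and quotes) are escaped, so a <script> tag
    # arrives as text, not markup.
    return f"<p>{html.escape(value, quote=True)}</p>"


def render_html_attr(value):
    # Quoted attribute: the same escaping is sufficient ONLY because the
    # attribute is quoted; quote=True is what stops a " from ending it.
    return f'<input value="{html.escape(value, quote=True)}">'


# 3. Input treated as a destination: SSRF allowlist by scheme, host and port.
ALLOWED_EGRESS_HOSTS = {"api.example.com"}   # assumed allowlist


def is_safe_egress(url):
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:     # https://allowed@169.254.169.254/
        return False
    if parts.port not in (None, 443):
        return False
    # Caveat: this checks the name only. The connecting code should resolve
    # the name, check the resolved address, and connect to that address (DNS
    # rebinding); the durable control is an allowlist at the network egress.
    return parts.hostname in ALLOWED_EGRESS_HOSTS


# 4. Input treated as an object reference: deny-by-default authorization.
def can_read_document(user, doc):
    # Every path that does not explicitly grant returns False. The check runs
    # server-side on the caller's session identity, never on a client claim.
    if user.get("role") == "admin":
        return True
    if doc.get("owner_id") == user.get("id"):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(db, payload))  # both users
    print("fixed:     ", lookup_user_fixed(db, payload))       # no rows
    print(render_html_attr('" onfocus="alert(1)'))
    print(is_safe_egress("https://api.example.com@169.254.169.254/"))
```

Run it and compare the first two lines: the same payload returns every row through the string-built query and nothing through the parameterized one, which is the whole argument for parameterization over input filtering. The egress check is deliberately strict (exact host, HTTPS only, no credentials in the authority) and still only a first layer; pair it with a resolved-address check and a network-level egress policy.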

The checkpoint

Chapter 3: Web & Application Security

Chapter 3 complete

You can now reason about the application layer the way a security engineer does: every untrusted input is a question — will this be treated as code, identity, a destination, or an object it shouldn't be? — and the answers are structural defenses, not filters. The OWASP Top 10 is your map; parameterization, output encoding, MFA + sane sessions, deny-by-default authorization, SSRF egress controls, safe parsing, and secure-by-default patterns are your toolkit.

→ On to Chapter 4: Secure SDLC & DevSecOps, where these per-feature defenses become a repeatable process — threat modeling before code, and automated scanning that catches these classes before they ever reach production.