The OWASP Top 10 is a widely used reference for the most serious web application security risks; the categories summarized here are from the 2021 edition. This cheat sheet helps students recognize common weaknesses that appear in real websites, APIs, and software systems. It connects security terms to practical rules developers can apply while designing, coding, testing, and deploying applications. Students need this reference to understand how attackers think and how secure coding reduces risk.

Key Facts

  • Broken Access Control happens when users can view, change, or delete data they should not, so the server must check the caller's identity, role, and permission on every request and never rely on the client to hide options or object IDs.
  • Cryptographic Failures occur when sensitive data is exposed in transit or at rest, so use TLS (HTTPS) for every connection, vetted algorithms and libraries, protected key storage, and store passwords only as salted, slow hashes (Argon2, bcrypt, scrypt, or PBKDF2), never in plain text.
  • Injection occurs when untrusted input is interpreted as code or as part of a query (SQL, OS commands, LDAP, templates), so use parameterized queries, strict input validation, and context-aware output encoding.
  • Insecure Design means security was not built into the system plan, so threat modeling, abuse cases, and secure defaults should be used before coding.
  • Security Misconfiguration happens when systems use unsafe defaults, unnecessary features, weak headers, or exposed admin tools, so hardening and regular reviews are required.
  • Vulnerable and Outdated Components create risk because libraries, frameworks, and plugins may contain known flaws, so dependencies must be inventoried, checked against advisories, and patched promptly.
  • Identification and Authentication Failures include weak or reused passwords, missing multi-factor authentication, and poor session handling, so login systems must enforce strong credentials, rate-limit attempts, and issue fresh, expiring session tokens.
  • Software and Data Integrity Failures happen when code or data is trusted without verification, such as unsigned updates, untrusted build pipelines, or insecure deserialization, so verify the signature and integrity of everything the application loads.
  • Security Logging and Monitoring Failures make attacks harder to detect, so important events such as failed logins, permission changes, and suspicious requests must be logged and reviewed.
  • Server-Side Request Forgery (SSRF) lets an attacker make the server fetch a URL of the attacker's choosing, often reaching internal services or cloud metadata endpoints, so outbound destinations must be validated against an allow list.
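The Broken Access Control and Logging items above are easiest to see in code. The following is an added example, not from the original page or from OWASP: a hypothetical in-memory document service with an insecure lookup beside a hardened one that re-checks ownership and role on every request and writes denials to an audit log. The users, sessions and documents are constructed sample data.

```python
"""Added example (not from the original page or OWASP): a server-side
authorization check for an object lookup, with an audit log of denials.

DocumentService is a hypothetical in-memory service, not a real framework;
the users, sessions and documents are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller after authentication."""
    user: str
    role: str  # "user" or "admin"


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str


class NotFound(Exception):
    """Raised for both missing and forbidden documents, so the response
    does not tell the caller which ids exist."""


class DocumentService:
    def __init__(self) -> None:
        self._docs: Dict[int, Document] = {}
        self.audit_log: List[str] = []

    def add(self, doc: Document) -> None:
        self._docs[doc.doc_id] = doc

    def get_document_insecure(self, session: Session, doc_id: int) -> str:
        # BROKEN ACCESS CONTROL: only checks that the caller is logged in.
        # Any user can read any document by changing the id in the URL
        # (an insecure direct object reference).
        return self._docs[doc_id].body

    def get_document(self, session: Session, doc_id: int) -> str:
        # Hardened version: the server re-checks ownership/role on every
        # request instead of trusting hidden fields or the UI.
        doc = self._docs.get(doc_id)
        if doc is None:
            self.audit_log.append(f"MISSING user={session.user} doc={doc_id}")
            raise NotFound(doc_id)
        if session.role != "admin" and doc.owner != session.user:
            # Denied requests are the ones worth alerting on: a burst of
            # them from one user usually means someone is enumerating ids.
            self.audit_log.append(
                f"DENY user={session.user} role={session.role} "
                f"doc={doc_id} owner={doc.owner}"
            )
            raise NotFound(doc_id)
        self.audit_log.append(f"ALLOW user={session.user} doc={doc_id}")
        return doc.body

    def denials_by_user(self, user: str) -> int:
        """Count DENY entries for one user; a simple input to a monitoring rule."""
        return sum(1 for line in self.audit_log
                   if line.startswith("DENY ") and f"user={user} " in line)


def build_sample_service() -> DocumentService:
    """Constructed sample data: two documents owned by two different users."""
    svc = DocumentService()
    svc.add(Document(1, "alice", "alice's private notes"))
    svc.add(Document(2, "bob", "bob's invoice"))
    return svc


if __name__ == "__main__":
    svc = build_sample_service()
    mallory = Session("mallory", "user")
    print(svc.get_document_insecure(mallory, 1))  # leaks alice's notes
    try:
        svc.get_document(mallory, 1)
    except NotFound:
        print("denied, logged as:", svc.audit_log[-1])
```

Returning the same "not found" result for a missing id and a forbidden one is deliberate: a distinct 403 tells an attacker that the id exists, which is exactly what an enumeration attack wants to learn. The audit log keeps the distinction for defenders.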

Vocabulary

OWASP
OWASP is the Open Worldwide Application Security Project, a nonprofit group that publishes free software security guidance.
Access Control
Access control is the process of deciding what actions a user or system is allowed to perform.
Injection
Injection is a vulnerability where attacker-controlled input is interpreted as a command or query by an application.
Authentication
Authentication is the process of proving a user's identity, usually with passwords, tokens, biometrics, or multi-factor methods.
Encryption
Encryption is the process of converting readable data into protected data that can only be read with the correct key.
Threat Modeling
Threat modeling is a planning process that identifies what could go wrong, who might attack, and how defenses should be designed.

Common Mistakes to Avoid

  • Trusting the user interface for security is wrong because attackers can bypass buttons, forms, and hidden fields by sending direct HTTP requests.
  • Building SQL queries by joining strings is wrong because user input can become executable database code and cause an injection attack.
  • Storing passwords as plain text is wrong because a database leak would immediately expose every user's password without needing decryption or cracking.
  • Ignoring dependency updates is wrong because attackers often scan for known vulnerable library versions and exploit systems that have not been patched.
  • Logging only successful actions is wrong because failed logins, blocked requests, and permission errors may be the earliest signs of an attack.
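The two mistakes about string-built SQL and plain-text passwords (and the Injection and Cryptographic Failures facts above) come together in a login routine. The following is an added example, not from the original page or from OWASP: a user lookup written both ways, the injectable one beside the parameterized one, with passwords stored as salted PBKDF2 hashes. The database is in-memory SQLite and the two accounts are constructed sample data.

```python
"""Added example (not from the original page or OWASP): a login lookup
written both ways.

find_user_unsafe builds SQL by string concatenation and is injectable;
find_user_safe uses a parameterized query. Passwords are stored as salted
PBKDF2 hashes rather than plain text. The database is in-memory SQLite and
the two accounts below are constructed sample data.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Iteration count OWASP's Password Storage Cheat Sheet recommends for
# PBKDF2-HMAC-SHA256. Argon2id or bcrypt are preferred when a library is available.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random 16-byte salt is used unless one is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: one admin and one ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, role TEXT)"
    )
    for username, password, role in [("alice", "correct horse battery", "admin"),
                                     ("bob", "hunter2", "user")]:
        salt, digest = hash_password(password)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (username, salt, digest, role))
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> Optional[tuple]:
    # VULNERABLE: untrusted input is pasted into the SQL text, so a username of
    #   x' OR role = 'admin' --
    # turns the WHERE clause into   username = 'x' OR role = 'admin' --'
    # and the query returns the admin's row instead of nothing.
    query = ("SELECT username, salt, pw_hash, role FROM users WHERE username = '"
             + username + "'")
    return conn.execute(query).fetchone()


def find_user_safe(conn: sqlite3.Connection, username: str) -> Optional[tuple]:
    # Parameterized: the driver sends the value separately from the SQL text,
    # so quotes and comment markers inside it are just characters.
    return conn.execute(
        "SELECT username, salt, pw_hash, role FROM users WHERE username = ?",
        (username,),
    ).fetchone()


def login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Return the user's role on success, None on failure."""
    row = find_user_safe(conn, username)
    if row is None:
        # Hash anyway so an unknown username does not fail measurably faster.
        hash_password(password, b"\x00" * 16)
        return None
    _, salt, digest, role = row
    return role if verify_password(password, salt, digest) else None


if __name__ == "__main__":
    db = setup_db()
    payload = "x' OR role = 'admin' --"
    print("unsafe lookup returned:", find_user_unsafe(db, payload)[0])  # alice
    print("safe lookup returned:", find_user_safe(db, payload))           # None
    print("bob/hunter2 ->", login(db, "bob", "hunter2"))                  # user
```

The injection payload works only against the string-built query; against the parameterized one it is simply a username nobody has. If the users table leaked, an attacker would get salts and PBKDF2 digests rather than passwords, and each guess would cost the same 600,000 iterations the server pays.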

Practice Questions

  1. A site has 200 user accounts, and 15 accounts use passwords found in a common password list. What percent of accounts have weak passwords?
  2. A web app receives 1,000 login attempts in one hour, and 180 fail. What is the failed login rate as a percent?
  3. A project uses 42 third-party packages, and 6 have known security updates available. How many packages are currently up to date?
  4. A student says HTTPS alone prevents all OWASP Top 10 risks. Explain why this is incorrect and give two risks HTTPS does not fully solve.