RestingOwl

Spot the Vulnerability

Look at 10 real-world code snippets and identify the security flaw in each one. Get instant feedback, an explanation, and the CWE reference for further reading.


How does this quiz work?

Each question shows a short, realistic code snippet with one security flaw. Pick the vulnerability class you think is present from four options. You will see immediately whether you were right, along with an explanation, a fix, and the CWE (Common Weakness Enumeration) ID for that vulnerability class.

Why use CWE IDs instead of OWASP Top 10 numbers?

OWASP Top 10 categories group many related weaknesses together and the numbering changes between editions. CWE IDs identify one specific weakness pattern, such as CWE-89 for SQL injection or CWE-22 for path traversal, so they stay stable and let you look up the exact issue on cwe.mitre.org.

Quiz FAQ

The quiz shows you 10 short code snippets in JavaScript and Python, each containing one common web application vulnerability. You pick which vulnerability class is present, then get an explanation and the relevant CWE reference.
Each question includes a plain-language explanation of why the code is vulnerable and how to fix it, so the quiz works both as a self-test and as a learning tool.
Each snippet is a simplified, realistic example of a vulnerability pattern that shows up in real codebases: string-concatenated SQL queries, unescaped output, unsafe deserialization, missing ownership checks, and similar.
You can retake the quiz by clicking "Restart quiz" at the end. Questions are shuffled and answer choices are randomized each time, so the order will differ.
Each vulnerability class maps to a CWE (Common Weakness Enumeration) ID shown in the feedback. Search the CWE ID on cwe.mitre.org for the formal definition, or check the RestingOwl blog for deeper guides on specific topics like XSS.