AiTechWorlds
All 10 OWASP vulnerabilities — broken access control, cryptographic failures, injection, SSRF — with prevention code.
The Open Web Application Security Project (OWASP) is a nonprofit foundation that publishes the OWASP Top 10 — a regularly updated list of the most critical web application security risks, widely used as a baseline for security standards.
Current version: OWASP Top 10 2021.
| Rank | Vulnerability | Key Risk |
|---|---|---|
| A01 | Broken Access Control | Unauthorized actions |
| A02 | Cryptographic Failures | Data exposure |
| A03 | Injection | Code execution |
| A04 | Insecure Design | Architectural flaws |
| A05 | Security Misconfiguration | Default/exposed settings |
| A06 | Vulnerable & Outdated Components | Supply chain risks |
| A07 | Identification & Authentication Failures | Account takeover |
| A08 | Software & Data Integrity Failures | Untrusted updates |
| A09 | Security Logging & Monitoring Failures | Breach goes undetected |
| A10 | Server-Side Request Forgery (SSRF) | Internal network access |
A01: Broken Access Control
What: Users can act beyond their intended permissions.
Examples:
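As an added example (not code from the original page), here is a deny-by-default ownership check for an object-level endpoint such as /account/<id>. Access-control failures are written as JSON lines in the log format shown under A09, and a small detector flags callers with repeated failures, which is what the "alert on repeated failures" item below asks for. The accounts, roles and client IP are constructed for the example.

```python
# Added example (not from the original page): ownership check for an
# object-level endpoint such as /account/<id>, deny-by-default, with
# access-control failures logged as JSON lines (format as under A09)
# and a simple "repeated failures" alert over those lines.
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data (hypothetical accounts and roles).
ACCOUNTS = {123: {"owner": "alice", "balance": 10},
            124: {"owner": "bob", "balance": 20}}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

AUDIT_LOG = []  # in a real service these lines go to the logging pipeline


def log_event(event, **fields):
    record = {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
              "level": "WARN", "event": event}
    record.update(fields)
    AUDIT_LOG.append(json.dumps(record))


def get_account(current_user, account_id, client_ip="198.51.100.7"):
    """Return the account record only if the caller is allowed to see it."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        # Same response as "forbidden", so the endpoint cannot be used to enumerate ids.
        log_event("authz.failure", user_id=current_user, ip=client_ip,
                  endpoint=f"/account/{account_id}", reason="not_found")
        return None
    is_owner = account["owner"] == current_user
    is_admin = ROLES.get(current_user) == "admin"
    if not (is_owner or is_admin):          # deny by default
        log_event("authz.failure", user_id=current_user, ip=client_ip,
                  endpoint=f"/account/{account_id}", reason="not_owner")
        return None
    return account


def repeated_failure_alerts(log_lines, threshold=3):
    """Users with at least `threshold` authz failures in the given log lines."""
    counts = defaultdict(int)
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("event") == "authz.failure":
            counts[rec.get("user_id")] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

The check keys on the record's owner, not on anything the client sends, and an unknown id and a foreign id produce the same result so the endpoint leaks nothing about which ids exist.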
Changing /account/123 to /account/124 in the URL to read another user's account (IDOR)
Prevention:
✓ Deny by default — only grant what's explicitly permitted
✓ Log access control failures, alert on repeated failures
✓ Invalidate session tokens on server after logout
✓ Test authorization checks on ALL endpoints, not just UI

A02: Cryptographic Failures
What: Sensitive data exposed due to weak or missing encryption.
Examples:
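As an added example (not code from the original page), here is password storage with a memory-hard KDF from the Python standard library (hashlib.scrypt, one of the three algorithms recommended below), shown next to the unsalted MD5 anti-pattern. The cost parameters are the ones chosen for this example.

```python
# Added example (not from the original page): password hashing with
# hashlib.scrypt, salted and verified in constant time, beside the MD5
# anti-pattern this section warns against.
import hashlib
import hmac
import os


def weak_hash(password: str) -> str:
    # Anti-pattern: fast and unsalted. Equal passwords give equal digests and
    # the whole table can be cracked offline at billions of guesses per second.
    return hashlib.md5(password.encode()).hexdigest()


# scrypt cost parameters (chosen for this example): 2**14 iterations,
# block size 8, parallelism 1 = 16 MiB of memory per guess.
N, R, P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    salt = os.urandom(16)                        # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    # Store the parameters with the hash so they can be raised later
    # without breaking verification of older records.
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)   # constant-time comparison
```

Two hashes of the same password differ because of the random salt, and verification compares digests with hmac.compare_digest rather than `==` so timing does not leak how many leading bytes matched.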
Prevention:
✓ HTTPS everywhere — enforce with HSTS header
✓ Hash passwords with bcrypt, scrypt, or Argon2 (not MD5/SHA1)
✓ Encrypt sensitive data at rest (AES-256)
✓ Never store unnecessary sensitive data
✓ Use secrets management (Vault, AWS Secrets Manager)

A03: Injection
What: Untrusted data sent to an interpreter as part of a command or query.
Types: SQL injection, OS command injection, LDAP injection, XPath, NoSQL, template injection.
Example (SQL injection):
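As an added, runnable version of this example (not code from the original page), the same injection is run against an in-memory SQLite table, with the string-built query beside the parameterized one. The rows are constructed; note that sqlite3 uses `?` placeholders where psycopg2/MySQLdb use `%s`.

```python
# Added example (not from the original page): SQL injection against an
# in-memory SQLite table, vulnerable query beside the parameterized one.
import sqlite3


def make_db():
    # Constructed sample data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (email, role) VALUES (?, ?)",
                     [("alice@example.com", "user"),
                      ("bob@example.com", "user"),
                      ("admin@example.com", "admin")])
    return conn


def find_user_vulnerable(conn, user_input):
    # The input becomes part of the SQL text, so quotes in it change the query.
    query = f"SELECT email FROM users WHERE email = '{user_input}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, user_input):
    # The value travels separately from the SQL and can only ever match an email.
    return [row[0] for row in
            conn.execute("SELECT email FROM users WHERE email = ?", (user_input,))]


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, "' OR '1'='1"))   # every row comes back
    print(find_user_safe(db, "' OR '1'='1"))         # no such email: []
```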
```python
# VULNERABLE: the input is interpolated into the SQL text
query = f"SELECT * FROM users WHERE email = '{user_input}'"
# Input: ' OR '1'='1 → dumps entire users table

# SAFE — parameterized query: the value is sent separately from the SQL text
# (cursor is a DB-API cursor; %s is the placeholder style of psycopg2/MySQLdb, sqlite3 uses ?)
cursor.execute("SELECT * FROM users WHERE email = %s", (user_input,))
```
Prevention:
✓ Parameterized queries / prepared statements for all DB operations
✓ Use ORM with parameterized queries (SQLAlchemy, Hibernate)
✓ Validate and sanitize all input
✓ Apply least-privilege to database accounts

A04: Insecure Design
What: Missing or ineffective security controls in the design phase — not a coding bug but a design flaw.
Examples:
Prevention:
✓ Threat modeling during design phase
✓ Use security design patterns and secure-by-design principles
✓ Reference architectures for high-risk components
✓ Unit and integration tests for security controls

A05: Security Misconfiguration
What: Insecure default configurations left in place.
Examples:
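As an added example (not code from the original page), here is a small audit function that checks a response's headers against the baseline listed in this section and flags version-leaking headers, plus a helper that applies the baseline to a response. The input is a constructed dict of header name to value, as a web framework would expose it.

```python
# Added example (not from the original page): audit response headers
# against the baseline listed in this section; apply it where missing.
import re

REQUIRED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}


def audit_security_headers(headers: dict) -> list:
    """Return human-readable findings; an empty list means the baseline is met."""
    # Header names are case-insensitive, so normalise before looking them up.
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in REQUIRED:
        value = present.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
            continue
        if name == "Strict-Transport-Security":
            m = re.search(r"max-age=(\d+)", value)
            if not m or int(m.group(1)) < 31536000:
                findings.append("HSTS max-age below one year")
        elif name == "Content-Security-Policy":
            if "default-src" not in value or "'unsafe-inline'" in value:
                findings.append("CSP lacks default-src or allows unsafe-inline")
        elif name == "X-Frame-Options" and value.upper() not in ("DENY", "SAMEORIGIN"):
            findings.append("X-Frame-Options must be DENY or SAMEORIGIN")
    # Headers that misconfigured servers often add and that reveal software versions.
    for leaky in ("Server", "X-Powered-By"):
        if leaky.lower() in present:
            findings.append(f"remove {leaky} (reveals software versions)")
    return findings


def apply_baseline(headers: dict) -> dict:
    """Add the baseline headers to a response without overriding values already set."""
    out = dict(headers)
    existing = {k.lower() for k in out}
    for name, value in REQUIRED.items():
        if name.lower() not in existing:
            out[name] = value
    return out
```

Running the audit in an integration test catches the common regression where a reverse proxy or framework upgrade silently drops a header.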
Security Headers:
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=()
```

A06: Vulnerable & Outdated Components
What: Using components with known vulnerabilities.
Examples:
Prevention:
✓ Track all dependencies (Dependabot, OWASP Dependency-Check)
✓ Remove unused dependencies, features, and components
✓ Subscribe to CVE feeds for components you use
✓ Automated dependency update PRs in CI/CD

A07: Identification & Authentication Failures
What: Weaknesses in authentication and session management.
Examples:
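As an added example (not code from the original page), here is a login guard that rate-limits attempts per account, locks the account after N failures inside a sliding window, and on success issues a high-entropy session token with the cookie flags listed below. The clock is injectable so the behaviour is deterministic; the credential check is a caller-supplied function, assumed to do a constant-time hash comparison as under A02.

```python
# Added example (not from the original page): per-account rate limiting,
# lockout after N failures, and a session token with secure cookie flags.
import secrets
import time
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, check_credentials, max_failures=5, window_s=300,
                 lockout_s=900, clock=time.time):
        self.check_credentials = check_credentials   # assumed constant-time verify
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self.clock = clock
        self.failures = defaultdict(deque)   # username -> timestamps of recent failures
        self.locked_until = {}               # username -> time the lockout ends

    def _prune(self, user, now):
        q = self.failures[user]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def login(self, user, password):
        """Return ("ok", token), ("locked", retry_after_s) or ("denied", None)."""
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            # Locked accounts are refused even with the right password,
            # so an attacker cannot learn the password during the lockout.
            return "locked", int(self.locked_until[user] - now)
        self._prune(user, now)
        if self.check_credentials(user, password):
            self.failures.pop(user, None)
            return "ok", secrets.token_urlsafe(32)     # 256 bits of entropy
        self.failures[user].append(now)
        if len(self.failures[user]) >= self.max_failures:
            self.locked_until[user] = now + self.lockout_s
            self.failures.pop(user, None)
            return "locked", self.lockout_s
        return "denied", None


def session_cookie(token, max_age_s=3600):
    """Set-Cookie value: unreadable by scripts, HTTPS only, not sent cross-site."""
    return f"session={token}; Max-Age={max_age_s}; Path=/; HttpOnly; Secure; SameSite=Strict"
```

Lockouts keyed only on the username can be abused to lock legitimate users out; in production, combine this with per-IP limits and a CAPTCHA step rather than relying on it alone.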
Prevention:
✓ Implement MFA for all accounts
✓ Rate limit authentication attempts
✓ Use secure session tokens (sufficient entropy, HttpOnly, Secure, SameSite)
✓ Implement account lockout / CAPTCHA after N failures
✓ Check passwords against breach databases (Have I Been Pwned API)

A08: Software & Data Integrity Failures
What: Making assumptions about software updates and data without verifying integrity.
Examples:
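As an added example (not code from the original page), here is integrity verification of a downloaded artifact against a pinned version and hash before it is installed, in the spirit of pip's `--hash=sha256:...` requirement pins. The lock file, package bytes and hash are constructed for the example; real pins come from the package publisher.

```python
# Added example (not from the original page): reject an artifact unless its
# name, version and SHA-256 match a pinned, hashed lock-file entry.
import hashlib
import hmac
import re

PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s]+)\s+--hash=sha256:(?P<sha>[0-9a-f]{64})$")


def parse_pins(lockfile_text: str) -> dict:
    """Map package name -> (version, sha256) from pinned, hashed requirement lines."""
    pins = {}
    for line in lockfile_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            # Fail closed: a floating or unhashed requirement is an integrity gap.
            raise ValueError(f"unpinned or unhashed requirement: {line!r}")
        pins[m["name"].lower()] = (m["version"], m["sha"])
    return pins


def verify_artifact(pins: dict, name: str, version: str, artifact: bytes) -> bool:
    """True only if name/version match a pin and the bytes hash to the pinned digest."""
    pin = pins.get(name.lower())
    if pin is None or pin[0] != version:
        return False
    actual = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(actual, pin[1])


# Constructed sample: the "package" is just these bytes.
GOOD_PACKAGE = b"example-lib 1.4.2 wheel contents (constructed)"
LOCKFILE = f"""
# constructed lock file
example-lib==1.4.2 --hash=sha256:{hashlib.sha256(GOOD_PACKAGE).hexdigest()}
"""
```

A hash pin proves the bytes are the ones reviewed when the lock file was written; it does not prove who published them, which is what the signature check in the next list item adds.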
Prevention:
✓ Verify digital signatures on software packages
✓ Lock dependency versions (package-lock.json, poetry.lock)
✓ Audit CI/CD pipeline for unauthorized changes
✓ Do not deserialize data from untrusted sources without validation

A09: Security Logging & Monitoring Failures
What: Missing or inadequate logging allows breaches to go undetected.
What to log:
✓ Authentication events (success, failure, logout)
✓ Authorization failures (403 errors)
✓ Input validation failures
✓ Session management events
✓ High-value transactions
✓ All admin actions

Log format best practices:
```json
{
  "timestamp": "2026-01-15T10:23:45Z",
  "level": "WARN",
  "event": "auth.failure",
  "user_id": null,
  "ip": "192.168.1.100",
  "endpoint": "/api/admin/users",
  "reason": "invalid_token"
}
```

A10: Server-Side Request Forgery (SSRF)
What: Attacker causes the server to make requests to unintended locations (including internal networks).
Example:
```text
# Vulnerable endpoint: /api/fetch?url=...
# Attacker sends: /api/fetch?url=http://169.254.169.254/latest/meta-data/
# → Reads AWS EC2 instance metadata (credentials!)
```
Prevention:
✓ Validate and sanitize all user-supplied URLs
✓ Allowlist DNS names / IPs the service is allowed to contact
✓ Disable HTTP redirects in server-side HTTP clients
✓ Deny requests to private IP ranges (10.x, 192.168.x, 169.254.x)
✓ Don't expose raw error messages (reveals internal topology)
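As an added example (not code from the original page), here is a URL check implementing the prevention items above: the scheme and host are compared to an allowlist, every resolved address is rejected if it is loopback, private, link-local (169.254.0.0/16 includes the metadata address from the example) or otherwise non-global, and the resolver is injectable so the check runs offline. ALLOWED_HOSTS and the sample resolver are constructed for the example.

```python
# Added example (not from the original page): validate a user-supplied URL
# before a server-side fetch (allowlist + resolved-address check).
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}   # constructed allowlist


def system_resolver(host):
    """Default resolver: every A/AAAA record for host."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_url(url, resolver=system_resolver):
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username or parts.password:        # "allowed-host@evil" style URLs
        return False
    host = parts.hostname
    if not host or host.lower() not in ALLOWED_HOSTS:
        return False
    # Resolve here and check every address. The fetch must then connect to the
    # address that was checked (or re-check it), otherwise a DNS answer that
    # changes between check and use (rebinding) bypasses this test.
    try:
        addresses = resolver(host)
    except OSError:
        return False
    if not addresses:
        return False
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:    # loopback, private, link-local, reserved, etc.
            return False
    return True
```

The HTTP client used for the fetch should also have redirects disabled, as the list above says, since a redirect from an allowed host to an internal address would otherwise skip this check.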