SE Notes
Understanding the most critical web application security risks.
The OWASP (Open Web Application Security Project) Top 10 is the most widely recognized document for web application security awareness. Published approximately every three to four years by a global community of security experts, it identifies the ten most critical security risks facing web applications based on real-world breach data, vulnerability reports, and industry surveys. The OWASP Top 10 serves as a minimum security standard—if your application is vulnerable to any of these categories, it has fundamental security problems that must be addressed before deployment. Regulatory frameworks like PCI-DSS explicitly reference the OWASP Top 10, and many organizations use it as the baseline for security testing programs.
A01: Broken Access Control
Previously fifth, broken access control moved to the number one position in the 2021 update, reflecting its prevalence in real-world applications. Access control enforces policies that restrict users to their intended permissions. When it fails, users can act outside their authorized capabilities.
Common manifestations:
- Modifying URL parameters to access another user's account (
/api/users/456→/api/users/789) - Escalating from regular user to admin by manipulating role parameters
- Accessing API endpoints that lack authorization checks
- Bypassing access controls by modifying JWT tokens or cookies
Prevention: Deny by default (require explicit permission grants), implement access control checks server-side at every endpoint, use indirect object references, and perform automated access control testing.
A02: Cryptographic Failures
Previously called "Sensitive Data Exposure," this category focuses on failures related to cryptography that expose sensitive data. This includes transmitting data in clear text, using deprecated cryptographic algorithms, using weak or default encryption keys, and failing to encrypt data at rest.
Examples: Storing passwords as MD5 hashes (easily cracked), transmitting credit card numbers over HTTP instead of HTTPS, using hardcoded encryption keys in source code, or using ECB mode for block cipher encryption (which reveals patterns in encrypted data).
Prevention: Classify data by sensitivity, encrypt all sensitive data in transit and at rest, use strong current algorithms (AES-256, RSA-2048+, SHA-256+), and disable caching for responses containing sensitive data.
A03: Injection
Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. SQL injection is the most famous, but injection also affects LDAP, OS commands, XPath, and NoSQL databases.
# Vulnerable to SQL injection
query = f"SELECT * FROM products WHERE name LIKE '%{user_input}%'"
# Safe: parameterized query
query = "SELECT * FROM products WHERE name LIKE %s"
cursor.execute(query, (f"%{user_input}%",))Prevention: Use parameterized queries exclusively, validate and sanitize all input, employ allow-lists rather than deny-lists for input validation, and use ORM frameworks that handle parameterization automatically.
A04: Insecure Design
New in 2021, this category addresses fundamental design flaws that cannot be fixed by perfect implementation. It calls for greater use of threat modeling, secure design patterns, and reference architectures during the design phase.
Example: A password recovery system that uses security questions is insecure by design—the answers are often publicly available on social media regardless of how well the code is written. A better design uses email-based recovery tokens with expiration.
Prevention: Establish secure development lifecycle practices, use threat modeling for critical features, integrate security patterns into reference architectures, and write abuse cases alongside use cases.
A05: Security Misconfiguration
Systems with unnecessary features enabled, default accounts unchanged, overly informative error messages, or missing security headers are vulnerable regardless of code quality.
Common issues: Default credentials on admin interfaces, directory listing enabled, stack traces visible to users, unnecessary HTTP methods enabled (PUT, DELETE on static content), and missing security headers (Content-Security-Policy, X-Frame-Options).
Prevention: Repeatable hardening processes, minimal platform (remove unused features), automated configuration verification, and separate credentials for each environment.
A06: Vulnerable and Outdated Components
Applications using libraries, frameworks, or dependencies with known vulnerabilities inherit those vulnerabilities. The Equifax breach exploited an unpatched Apache Struts vulnerability where the patch had been available for months.
Prevention: Maintain inventory of all components and versions, monitor vulnerability databases continuously (CVE, NVD), subscribe to security advisories for used components, and automate dependency scanning in CI/CD (Snyk, Dependabot, OWASP Dependency-Check).
A07: Identification and Authentication Failures
Weaknesses in authentication mechanisms: permitting brute force attacks, accepting weak passwords, using plain text or weakly hashed credential storage, missing multi-factor authentication, and exposing session identifiers in URLs.
Prevention: Implement multi-factor authentication, enforce strong password policies, rate-limit login attempts, use secure session management, and never ship with default credentials.
A08: Software and Data Integrity Failures
New in 2021, this category covers code and infrastructure that does not protect against integrity violations. This includes: insecure deserialization (accepting serialized objects from untrusted sources), auto-update mechanisms without signature verification, and CI/CD pipelines without integrity verification.
Prevention: Use digital signatures for software updates, verify dependency integrity using checksums, ensure CI/CD pipelines have proper access controls, and avoid insecure deserialization of untrusted data.
A09: Security Logging and Monitoring Failures
Without adequate logging and monitoring, breaches go undetected for extended periods (average 277 days according to IBM). If you cannot detect attacks, you cannot respond to them.
Prevention: Log all authentication events (especially failures), log access control failures, ensure logs contain sufficient context for forensic analysis, implement alerting for suspicious patterns, and establish incident response procedures.
A10: Server-Side Request Forgery (SSRF)
SSRF occurs when a web application fetches a remote resource without validating the user-supplied URL. Attackers can force the server to make requests to internal systems, bypassing firewalls and access controls.
Example: A URL preview feature that fetches http://internal-admin-panel:8080/delete-all-users when an attacker provides that URL.
Prevention: Sanitize and validate all client-supplied URLs, enforce URL schemas and destinations against allow-lists, disable HTTP redirections, and segment remote resource access functionality in separate networks.
Using OWASP Top 10 in Practice
Treat the OWASP Top 10 as a starting point, not a comprehensive security program. Use it to prioritize security testing efforts, educate developers about common risks, establish minimum acceptance criteria for security reviews, and communicate security risks to non-technical stakeholders in business-relevant terms.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for OWASP Top 10.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Software Engineering topic.
Search Terms
software-engineering, software engineering, software, engineering, security, owasp, top, owasp top 10
Related Software Engineering Topics