OWASP Top 10

Users can act outside their intended permissions. Access control fails when: users can view/modify unauthorized data, change access rights, view/use functions they shouldn't access.

• Horizontal privilege escalation (access other user's data)
• Vertical privilege escalation (access admin functions)
• CORS misconfiguration allowing unauthorized cross-origin access
• Direct object references (IDOR) - accessing objects by ID
• Modifying access tokens or cookies to escalate privileges
• Manipulating metadata (JWT tokens, cookies)

• Test authorization against user roles
• Enumerate object IDs and attempt to access others
• Check HTTP methods (PUT, DELETE) restrictions
• Analyze JWT tokens for privilege information
• Test CORS headers (Access-Control-Allow-*)

• Implement role-based access control (RBAC)
• Enforce authorization checks on every request
• Use authorization tokens with minimal privileges
• Deny by default - allow only explicitly permitted actions
• Disable CORS if not required

Exposure of sensitive data due to failures in using or implementing cryptography. Includes inadequate encryption, exposed keys, weak algorithms, and side-channel attacks.

• Data transmitted without encryption (HTTP instead of HTTPS)
• Weak cryptographic algorithms (MD5, SHA1 for passwords)
• Hardcoded encryption keys in source code
• Insufficient key rotation or management
• Weak random number generation
• Certificates not validated or expired/self-signed

• Check for HTTPS usage and valid certificates
• Test password storage mechanisms
• Analyze encryption algorithms used
• Review source code for hardcoded secrets
• Test for weak random number generation
• Check HTTP security headers (HSTS, etc.)

• Use HTTPS/TLS for all data in transit
• Use strong cryptographic algorithms (AES-256, SHA-256)
• Securely store encryption keys (key management systems)
• Never hardcode secrets - use environment variables
• Use bcrypt/Argon2 for password hashing
• Implement certificate pinning for mobile apps

Occurs when untrusted data is sent as a command or query. Attacker-controlled data can trick the interpreter into executing unintended commands.

• SQL Injection: Inject SQL commands through input fields
• Command Injection: Execute OS commands via application
• LDAP Injection: Inject LDAP queries
• XPath Injection: Inject XPath expressions
• NoSQL Injection: Inject MongoDB/NoSQL operators

• Test all input fields with special characters
• Try SQL keywords: ' OR 1=1, UNION, SELECT, etc.
• Test for command injection: ; | & $()
• Use time-based detection: sleep(), benchmark()
• Check error messages for information disclosure

• Use parameterized queries/prepared statements
• Employ input validation and sanitization
• Use allowlists for acceptable input
• Implement principle of least privilege for databases
• Disable unnecessary database features
• Use stored procedures carefully (still vulnerable if misused)

A new category for risks related to design flaws. Missing security controls that should have been implemented during the design phase.

• Missing threat modeling
• No secure design patterns implementation
• Weak account recovery mechanisms
• Missing rate limiting on critical functions
• Insufficient logging/monitoring
• Business logic flaws

• Test account recovery/forgot password flows
• Test for rate limiting on login attempts
• Analyze business logic for bypasses
• Test multi-step processes for step skipping
• Check for proper error handling

• Conduct threat modeling during design phase
• Establish secure development standards
• Implement rate limiting on critical functions
• Design secure password reset mechanisms
• Implement comprehensive logging
• Use security design patterns and frameworks

Insecure default configurations, imcomplete or ad-hoc setups, open cloud storage, misconfigured HTTP headers, or outdated software.

• Debug mode enabled in production
• Default credentials not changed
• Unnecessary services/ports enabled
• Missing security headers
• Outdated/patched dependencies
• Verbose error messages revealing sensitive info
• Insecure S3/cloud bucket configurations

• Scan for default credentials
• Check HTTP security headers
• Run dependency scanning tools
• Check for verbose error messages
• Enumerate running services
• Review cloud storage permissions

• Use hardening guides and checklists
• Change default credentials immediately
• Disable unnecessary services
• Implement security headers (CSP, HSTS, etc.)
• Keep software updated and patched
• Implement proper error handling
• Secure cloud storage with proper ACLs

Using libraries, frameworks, software, and other components with known vulnerabilities. No tracking of component versions or timely updates.

• No inventory of dependencies
• Using outdated versions of libraries
• Not following security advisories
• No automated dependency scanning
• Using unsupported/unmaintained software

• Use OWASP Dependency Check
• Run npm audit / pip audit
• Check GitHub vulnerability advisories
• Analyze third-party service versions
• Review security changelog

• Maintain component inventory
• Monitor for security updates
• Use automated scanning (Snyk, WhiteSource)
• Update dependencies regularly
• Only use actively maintained components

Failures in confirming user identity, authentication, and session management. Allows attackers to assume user or admin identities.

• Weak password policies
• Credential stuffing/brute-force attacks allowed
• Session tokens not properly invalidated
• Weak session management
• Predictable session IDs
• Poor password recovery mechanisms
• Missing MFA/2FA

• Test for weak password policies
• Attempt credential stuffing
• Test session fixation
• Analyze session tokens for predictability
• Test logout functionality
• Check for cookie security flags

• Enforce strong password policies
• Implement rate limiting on login attempts
• Use MFA/2FA for critical accounts
• Implement proper session management
• Use secure session tokens (random, long)
• Invalidate sessions on logout
• Set proper cookie flags (Secure, HttpOnly, SameSite)

Failures in software updates, critical data changes, and CI/CD pipeline integrity. Assumes integrity of plugins, libraries, and updates.

• Insecure deserialization
• Unsigned/unencrypted software updates
• Compromised build/deployment pipeline
• Unsigned packages accepted
• No integrity verification of data

• Test deserialization with malicious objects
• Analyze update mechanisms
• Check code signing and verification
• Review CI/CD pipeline security

• Avoid serializing sensitive objects
• Use cryptographic signatures for software
• Secure CI/CD pipeline with access controls
• Verify package integrity before installation
• Monitor for unexpected changes

Insufficient logging, detection, monitoring, and alerting of security events. Allows attack detection to be bypassed.

• No logging of login failures
• No security event logging
• Log tampering not prevented
• Logs not monitored/analyzed
• No alerting on suspicious events
• Testing/debug logs in production

• Review application logs
• Test if sensitive data is logged
• Attempt to modify logs
• Check for failed login logging
• Analyze log retention policies

• Log all authentication/authorization failures
• Log security-relevant events
• Protect logs from tampering
• Implement centralized logging
• Setup alerts for suspicious activities
• Retain logs for forensics/auditing

Allows attackers to coerce server-side application to make requests to unintended locations. Can be used to access internal systems or perform unauthorized actions.

• Image fetch functionality without URL validation
• Webhook implementations
• PDF generation from URLs
• Proxy functionality
• No URL schema validation (file://, gopher://)

• Test URLs pointing to internal resources
• Try localhost/127.0.0.1 addresses
• Test alternative IP formats (0, 0x7f000001)
• Try file:// and gopher:// schemes
• Test port enumeration

• Validate and sanitize URLs
• Use allowlist for allowed hosts
• Disable unnecessary protocols (file://, gopher://)
• Block access to internal IPs (10.0.0.0/8, 172.16.0.0/12, etc.)
• Use network segmentation
• Implement request timeouts