OWASP Top 10
Injection, broken auth, XSS, IDOR, security misconfiguration, SSRF
The OWASP Top 10 (2021 edition) catalogues the most critical web application security risks ranked by prevalence, exploitability, and impact. The list is widely used as a baseline security standard — PCI-DSS requires addressing OWASP Top 10 vulnerabilities; many compliance frameworks reference it. Understanding each vulnerability, its root cause, and its mitigation is foundational for secure-by-design engineering.
Key Points
- A01 Broken Access Control (most common, 94% of apps tested): IDOR (Insecure Direct Object Reference), missing function-level auth, path traversal — mitigate with server-side authorisation checks, deny-by-default, and access control unit tests.
- A02 Cryptographic Failures: using MD5/SHA-1 for password hashing, hardcoded keys, transmitting PII over HTTP, broken TLS configurations — audit with sslyze, testssl.sh; enforce TLS 1.2+ and AES-256.
- A03 Injection (SQL, LDAP, OS, NoSQL, SSTI): attacker-controlled input interpreted as code — always use parameterised queries / prepared statements; never use string concatenation to build queries.
- A04 Insecure Design: missing threat modelling, no rate limiting on auth endpoints, insecure password reset flows — STRIDE threat modelling at design phase; threat modelling workshops before feature development.
- A05 Security Misconfiguration: default credentials, unnecessary features enabled, overly permissive CORS (`*`), S3 public-access-block disabled — automate with AWS Config rules, CIS Benchmarks, Trivy config scan.
- A07 Identification and Authentication Failures: brute-force attacks, credential stuffing, weak session tokens — implement account lockout, MFA, TOTP or FIDO2, secure session management (HttpOnly + Secure cookie flags).
- A08 Software and Data Integrity Failures: CI/CD pipeline poisoning, unsigned updates, deserialisation vulnerabilities — pin dependencies with integrity hashes (`npm ci --require-pin`), sign container images (Sigstore/cosign).
- A10 Server-Side Request Forgery (SSRF): attacker tricks server into making requests to internal resources (EC2 IMDS, `http://169.254.169.254/latest/meta-data/iam/`) — block internal IP ranges in outbound HTTP client, enforce IMDS v2 (token required).
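The A01 and A03 points above share one fix: keep user input as data (parameter binding) and make the ownership check part of every lookup (deny by default). The following Python script is an added example written for this page, not code from OWASP or any project; the `invoices` table, the users `alice` and `bob`, and the function names are constructed for illustration. It shows the vulnerable handler beside its hardened form and a small set of access-control checks of the kind A01 recommends as unit tests.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one invoice each (not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, amount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 250)],
    )
    conn.commit()
    return conn


def get_invoice_vulnerable(conn, current_user, invoice_id):
    """Both weaknesses at once: the id is concatenated into SQL (A03) and the
    caller's identity is never compared with the row's owner (A01 / IDOR)."""
    sql = f"SELECT id, owner, amount FROM invoices WHERE id = {invoice_id}"
    return conn.execute(sql).fetchall()


def get_invoice_secure(conn, current_user, invoice_id):
    """Parameter binding keeps the id as data; the owner predicate makes the
    authorisation check part of the query, so a row the caller does not own
    is simply not found (deny by default)."""
    row = conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, current_user),
    ).fetchone()
    if row is None:
        raise PermissionError("invoice not found or not owned by caller")
    return row


def access_control_checks(conn):
    """Access-control regression checks of the kind A01 recommends; returns a
    name -> passed mapping so it can feed a test suite."""
    results = {}
    results["owner_can_read"] = get_invoice_secure(conn, "alice", 1)[0] == 1
    try:
        get_invoice_secure(conn, "bob", 1)            # bob asks for alice's invoice
        results["cross_user_blocked"] = False
    except PermissionError:
        results["cross_user_blocked"] = True
    try:
        get_invoice_secure(conn, "bob", "1 OR 1=1")   # bound as text, matches nothing
        results["injection_blocked"] = False
    except PermissionError:
        results["injection_blocked"] = True
    return results


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, bob reads alice's invoice:", get_invoice_vulnerable(db, "bob", "1"))
    print("vulnerable, injected id returns all rows:", get_invoice_vulnerable(db, "bob", "1 OR 1=1"))
    print("secure checks:", access_control_checks(db))
```

Two design points are worth noting. Putting the `owner = ?` predicate in the query, rather than fetching the row and comparing afterwards, means a forgotten check cannot silently widen access, and "not found" and "not yours" produce the same response, so the endpoint does not leak which ids exist. The bound parameter is compared as a value, so a payload such as `1 OR 1=1` never reaches the SQL parser as syntax.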
Real-World Example
The 2019 Capital One breach was an SSRF attack: a WAF misconfiguration allowed an attacker to request the EC2 Instance Metadata Service (IMDS) via the WAF, retrieve IAM credentials, and exfiltrate 100 million customer records from S3 — mitigated in modern environments by enforcing IMDSv2 and blocking 169.254.169.254 in security groups.
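The "block internal IP ranges in the outbound HTTP client" mitigation from A10 is the application-side complement to IMDSv2. The Python validator below is an added example for this page, not Capital One's or AWS's code; `CONSTRUCTED_DNS`, the hostnames in it and the address `93.184.216.34` are constructed stand-ins so the script runs offline, and `BLOCKED_NETWORKS` is an assumed starting list to be extended with an environment's own ranges. It classifies every address a URL resolves to, not just the hostname string, so IP literals, IPv4-mapped IPv6 forms and names with mixed public/private answers are all refused.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Explicit denylist on top of the ipaddress classification, for ranges worth
# naming outright (assumption: extend with your own internal ranges).
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, includes 169.254.169.254 (EC2 IMDS)
    ipaddress.ip_network("fd00::/8"),        # IPv6 unique-local
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
]

# Constructed DNS table so the example runs offline; a deployment would use
# resolve_with_dns below (and re-check at connect time, see the note on rebinding).
CONSTRUCTED_DNS = {
    "api.example.com": {"93.184.216.34"},
    "rebind.example": {"93.184.216.34", "10.0.0.5"},  # public and private answers mixed
    "localhost": {"127.0.0.1", "::1"},
}


def table_resolver(host):
    """Offline resolver over CONSTRUCTED_DNS; raises like socket.getaddrinfo on a miss."""
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"cannot resolve {host}")
    return CONSTRUCTED_DNS[host]


def resolve_with_dns(host):
    """Live resolver: every A/AAAA address the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal_address(addr_str):
    """True if the address must never be reached from the outbound HTTP client."""
    addr = ipaddress.ip_address(addr_str)
    # ::ffff:169.254.169.254 is still the IMDS: classify the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if not addr.is_global:  # private, loopback, link-local, reserved, multicast, ...
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url, resolver=resolve_with_dns):
    """Deny-by-default check for a server-side fetch; returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        try:
            # IP literal: classify it directly without a lookup.
            addresses = {str(ipaddress.ip_address(host))}
        except ValueError:
            # Hostname (including odd numeric spellings): classify what it resolves to.
            addresses = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for addr in addresses:
        if is_internal_address(addr):
            return False, f"{host} maps to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/users",
                "http://169.254.169.254/latest/meta-data/iam/",
                "http://[::ffff:169.254.169.254]/",
                "http://rebind.example/",
                "http://localhost:8080/admin",
                "file:///etc/passwd"):
        print(url, "->", check_outbound_url(url, resolver=table_resolver))
```

Classifying the resolved addresses rather than the hostname text is what defeats decimal or octal IP spellings and attacker-controlled DNS names; the remaining gap is DNS rebinding, where the name resolves to a public address at check time and an internal one at connect time, so a production client should pin the validated address for the actual connection (or perform this check inside the connection hook) and disable redirect following, since a redirect is a second URL that must be validated the same way.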