
Introduction to OWASP Top 10

Task 1
OWASP TOP 10

OWASP Top 10 - 2021

The OWASP Top 10 is the standard awareness document for web application security risks.

A01:2021 - Broken Access Control

Description: Restrictions on authenticated users are not properly enforced. Attackers can access unauthorized functionality and data.

Common Vulnerabilities:

  • IDOR (Insecure Direct Object Reference)
  • Missing function-level access control
  • CORS misconfiguration
  • Path traversal
  • Forced browsing to authenticated/privileged pages
  • API access control failures (BOLA/BFLA)

Example:

# Accessing another user's data by changing the ID
GET /api/users/1001/profile   # Your profile
GET /api/users/1002/profile   # Another user's profile - should be denied

# Accessing admin functionality
GET /admin/dashboard           # Should require admin role
GET /api/admin/users           # API endpoint without auth check

Impact: Unauthorized information disclosure, data modification, business function abuse
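The two request pairs above, written out as handler code. This is an added example and not part of the course page: it uses a constructed in-memory profile table with the same IDs as the requests, a hypothetical Session object standing in for whatever the framework populates after login, and shows the IDOR handler beside an object-level check plus a role decorator for the admin endpoint.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, FrozenSet, List

# Constructed sample records; the IDs mirror the request examples above.
PROFILES: Dict[int, dict] = {
    1001: {"name": "alice", "email": "alice@example.test"},
    1002: {"name": "bob", "email": "bob@example.test"},
}


@dataclass(frozen=True)
class Session:
    """What the application knows about the caller after authentication (assumed shape)."""
    user_id: int
    roles: FrozenSet[str] = frozenset()


class Forbidden(Exception):
    """Raised when an authenticated caller is not authorized for the object or function."""


def get_profile_vulnerable(session: Session, user_id: int) -> dict:
    """IDOR: the caller is authenticated, but the record is looked up straight from
    the request parameter without checking that the caller may see it."""
    return PROFILES[user_id]


def get_profile_secure(session: Session, user_id: int) -> dict:
    """Object-level authorization: deny unless the caller owns the record or holds
    an administrative role. The decision comes from the server-side session,
    never from anything the client sent alongside the ID."""
    if session.user_id != user_id and "admin" not in session.roles:
        raise Forbidden(f"user {session.user_id} may not read profile {user_id}")
    return PROFILES[user_id]


def require_role(role: str) -> Callable:
    """Function-level authorization as a decorator, so a privileged endpoint cannot
    be reached simply by knowing its path (forced browsing)."""
    def decorator(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(session: Session, *args, **kwargs):
            if role not in session.roles:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(session, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def list_users(session: Session) -> List[int]:
    """Admin-only endpoint, the equivalent of GET /api/admin/users."""
    return sorted(PROFILES)


def authorized(fn: Callable, session: Session, *args) -> bool:
    """Evaluate an endpoint's authorization decision as a boolean (handy for tests and audits)."""
    try:
        fn(session, *args)
        return True
    except Forbidden:
        return False
```

The fix is always the same shape: the ownership or role check runs on every request, inside the handler (or a decorator applied to it), and the default outcome is denial.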


A02:2021 - Cryptographic Failures

Description: Failures related to cryptography that lead to exposure of sensitive data.

Common Vulnerabilities:

  • Data transmitted in cleartext (HTTP, FTP, SMTP)
  • Weak or deprecated cryptographic algorithms (MD5, SHA1, DES, RC4)
  • Default or weak cryptographic keys
  • Missing or improper certificate validation
  • Passwords stored without hashing or with weak hashing
  • Missing encryption for sensitive data at rest

Example:

# Weak password storage
password_hash = md5(password)                    # VULNERABLE
password_hash = bcrypt(password, salt, rounds=12) # SECURE

# Data in transit
http://example.com/login    # VULNERABLE
https://example.com/login   # SECURE (with proper TLS config)

A03:2021 - Injection

Description: User-supplied data is sent to an interpreter as part of a command or query.

Common Vulnerabilities:

  • SQL Injection
  • NoSQL Injection
  • OS Command Injection
  • LDAP Injection
  • XPath Injection
  • Server-Side Template Injection (SSTI)
  • Expression Language (EL) Injection
  • Header Injection (CRLF)

Example:

-- SQL Injection
SELECT * FROM users WHERE username = '' OR 1=1-- ' AND password = 'anything'

-- Command Injection
ping -c 1 127.0.0.1; cat /etc/passwd

-- SSTI
{{7*7}} → 49 (Jinja2 template injection)
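The SQL injection and command injection cases above, as an added example that is not part of the course page. It builds a constructed in-memory SQLite table, runs the page's `' OR 1=1--` input through a string-concatenated query and through a parameterized one, and for the ping case shows input validation plus an argv list (no shell) in place of string-built commands. The table layout and the hostname pattern are assumptions of the example.

```python
import re
import sqlite3
from typing import List, Tuple

# Allow-list pattern for the one value that reaches the command (assumed policy).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table. Passwords are kept in cleartext here only so
    the injection point stays visible; a real store hashes them (see A02)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[int]]:
    """String-built query: user input becomes part of the SQL grammar, so a quote
    and a comment marker rewrite the WHERE clause."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchall()


def login_secure(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[int]]:
    """Parameterized query: input is bound as a value and can never change the grammar."""
    return conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def is_safe_host(host: str) -> bool:
    """Validate against the allow-list pattern; ';', '|', spaces and quotes all fail."""
    return bool(HOSTNAME_RE.match(host))


def build_ping_argv(host: str) -> List[str]:
    """Command-injection counterpart: validated value, passed as an argv list so no
    shell ever interprets it (use with subprocess.run(argv), never shell=True)."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]
```

The vulnerable function returns every row for the page's payload because the comment marker discards the password clause; the parameterized version returns nothing because the same text is compared literally against the username column.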

A04:2021 - Insecure Design

Description: Risks related to design and architectural flaws. Differs from implementation bugs.

Common Vulnerabilities:

  • Missing rate limiting on sensitive operations
  • Lack of CAPTCHA on critical functions
  • Missing business logic validation
  • Insecure password recovery flows
  • No abuse case consideration in design
  • Missing trust boundaries

Example:

# No rate limiting on login
POST /api/login  (unlimited attempts allowed)

# Insecure password reset design
# Sends password reset link without verifying email ownership
# Uses sequential/predictable reset tokens
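Design-level controls for the two flaws just listed, as an added example that is not from the course page: a sliding-window login limiter and a password-reset service whose tokens are random, hashed at rest, single-use and time-limited. The class names, the storage layout and the injected clock (so expiry can be tested without waiting) are assumptions of the example.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional, Tuple


class LoginRateLimiter:
    """Sliding-window limiter keyed by account name or source address.
    A clock function is injected so behaviour can be tested without sleeping."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        """True if the caller may attempt a login right now."""
        now = self.clock()
        recent = self._failures[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop failures that fell out of the window
        return len(recent) < self.max_failures

    def record_failure(self, key: str) -> None:
        self._failures[key].append(self.clock())

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


class PasswordResetService:
    """Reset tokens that are unpredictable, single-use and time-limited. Only a
    hash of each token is kept server-side, so a leaked table yields nothing
    usable. The caller must send the token only to the address already on record
    for the account, never to an address supplied in the reset request."""

    def __init__(self, ttl_seconds: float = 900.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending: Dict[str, Tuple[int, float]] = {}  # token hash -> (user, expiry)

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter
        self._pending[self._fingerprint(token)] = (user_id, self.clock() + self.ttl)
        return token

    def redeem(self, token: str) -> Optional[int]:
        """Return the user id for a valid token and consume it; None otherwise."""
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() > expires_at:
            return None
        return user_id
```

Both classes are the kind of control that has to be decided at design time: the limiter needs a key that the attacker cannot freely rotate (account plus source, not source alone), and the reset flow needs the email address to come from the account record rather than from the request.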

A05:2021 - Security Misconfiguration

Description: Missing security hardening, default configurations, unnecessary features enabled.

Common Vulnerabilities:

  • Default credentials (admin/admin, root/root)
  • Unnecessary features enabled (directory listing, debug mode)
  • Missing security headers
  • Verbose error messages with stack traces
  • Outdated software with known vulnerabilities
  • Cloud storage permissions (public S3 buckets)
  • Unnecessary HTTP methods enabled

Example:

# Debug mode in production
DEBUG = True  (Django)
APP_DEBUG=true (.env Laravel)

# Directory listing enabled
Apache: Options +Indexes
Nginx: autoindex on;

# Default credentials
Tomcat Manager: tomcat/tomcat
Jenkins: no authentication required
phpMyAdmin: root/(empty)

A06:2021 - Vulnerable and Outdated Components

Description: Using components (libraries, frameworks) with known vulnerabilities.

Common Vulnerabilities:

  • Outdated libraries with known CVEs
  • Unsupported/end-of-life software
  • Not scanning for vulnerabilities regularly
  • Not patching in a timely manner

Tools for Detection:

# JavaScript
npm audit
yarn audit
retire.js

# Python
pip-audit
safety check

# Java
mvn dependency-check:check

# Ruby
bundle audit

# General
OWASP Dependency-Check
Snyk

A07:2021 - Identification and Authentication Failures

Description: Weaknesses in authentication and session management.

Common Vulnerabilities:

  • Brute force / credential stuffing attacks allowed
  • Weak passwords permitted
  • Improper session management
  • Missing MFA for sensitive operations
  • Session IDs in URLs
  • Session fixation
  • Missing password complexity requirements

A08:2021 - Software and Data Integrity Failures

Description: Code and infrastructure that does not protect against integrity violations.

Common Vulnerabilities:

  • Insecure deserialization (PHP, Java, Python, .NET)
  • CI/CD pipeline integrity issues
  • Auto-update without signature verification
  • Unsigned or unverified serialized data
  • Dependency confusion attacks
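An added example (not from the course page) of the integrity controls this category calls for: serialized data carried as JSON with an HMAC tag that is verified before anything is parsed, and a digest check for downloaded updates. The signing key and the token layout are constructed for the example; a real deployment loads the key from a secret store and obtains the expected digest over a channel the attacker cannot alter.

```python
import base64
import hashlib
import hmac
import json
from typing import Any

# Constructed demo key; a real deployment loads this from a secret store.
SIGNING_KEY = b"constructed-demo-key-change-me"


def serialize_signed(obj: Any, key: bytes = SIGNING_KEY) -> str:
    """Serialize to JSON (data only, no executable objects) and append an
    HMAC-SHA256 tag over the encoded payload."""
    payload = base64.urlsafe_b64encode(
        json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    ).decode("ascii")
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def deserialize_signed(token: str, key: bytes = SIGNING_KEY) -> Any:
    """Verify the tag first, in constant time; only then decode the payload.
    Nothing about the payload is trusted until the tag matches."""
    payload, sep, tag = token.rpartition(".")
    if not sep:
        raise ValueError("malformed token")
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return json.loads(base64.urlsafe_b64decode(payload.encode("ascii")))


def is_authentic(token: str, key: bytes = SIGNING_KEY) -> bool:
    """Boolean form of the check, for callers that only need accept/reject."""
    try:
        deserialize_signed(token, key)
        return True
    except ValueError:
        return False


def verify_download(data: bytes, expected_sha256_hex: str) -> bool:
    """Auto-update counterpart: compare the downloaded bytes against a digest
    published out of band before installing anything."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())
```

The contrast with native serializers (pickle, Java serialization, PHP unserialize) is that JSON can only ever produce data, and the tag guarantees that the data is the data the server itself produced; a digest alone protects a download against corruption, while a signature from the publisher is what protects it against substitution.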

A09:2021 - Security Logging and Monitoring Failures

Description: Insufficient logging, detection, monitoring, and active response.

Common Vulnerabilities:

  • Login failures not logged
  • No alerting for suspicious activities
  • Logs stored locally without protection
  • No monitoring for API abuse
  • Insufficient log detail
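What "alerting for suspicious activities" looks like once login failures are actually logged: an added example, not part of the course page, that runs two sliding-window detections over constructed log lines. The line format (`timestamp auth=OUTCOME user=NAME src=ADDRESS`), the rule names and the thresholds are assumptions of the example; any authentication log with those four fields can be mapped onto it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log: one source failing against five accounts in seconds,
# then one account failing repeatedly from a second source, then a lone failure.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth=FAIL user=alice src=203.0.113.5
2024-05-01T10:00:03Z auth=FAIL user=bob src=203.0.113.5
2024-05-01T10:00:04Z auth=FAIL user=carol src=203.0.113.5
2024-05-01T10:00:06Z auth=FAIL user=dave src=203.0.113.5
2024-05-01T10:00:07Z auth=FAIL user=erin src=203.0.113.5
2024-05-01T10:00:09Z auth=OK user=alice src=198.51.100.7
2024-05-01T10:02:10Z auth=FAIL user=bob src=198.51.100.9
2024-05-01T10:02:11Z auth=FAIL user=bob src=198.51.100.9
2024-05-01T10:02:13Z auth=FAIL user=bob src=198.51.100.9
2024-05-01T10:02:14Z auth=FAIL user=bob src=198.51.100.9
2024-05-01T10:02:16Z auth=FAIL user=bob src=198.51.100.9
2024-05-01T10:02:18Z auth=FAIL user=bob src=198.51.100.9
2024-05-01T10:30:00Z auth=FAIL user=frank src=192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth=(?P<outcome>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")

Event = Tuple[datetime, str, str, str]  # (timestamp, outcome, user, source)
Alert = Tuple[str, str, int]            # (rule, key, count at first crossing)


def parse_line(line: str) -> Optional[Event]:
    """Parse one line of the assumed format; unparseable lines are skipped, not fatal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["outcome"], m["user"], m["src"]


def detect_auth_abuse(log_text: str, window: timedelta = timedelta(minutes=5),
                      source_threshold: int = 5, user_threshold: int = 5) -> List[Alert]:
    """Two rules over failed logins within a sliding window:
    - one source failing against many DISTINCT users: credential stuffing / spraying
    - many failures against one user, from anywhere: brute force
    Each (rule, key) fires once, at the first threshold crossing."""
    failures = [e for e in (parse_line(line) for line in log_text.splitlines())
                if e is not None and e[1] == "FAIL"]
    failures.sort()
    buckets: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    fired = set()
    alerts: List[Alert] = []
    for ts, _, user, src in failures:
        checks = (
            ("stuffing_from_source", src, user, source_threshold),  # counts distinct users
            ("bruteforce_on_user", user, src, user_threshold),      # counts attempts
        )
        for rule, key, counterpart, threshold in checks:
            bucket = buckets[(rule, key)]
            bucket.append((ts, counterpart))
            bucket[:] = [(t, c) for t, c in bucket if ts - t <= window]  # trim to window
            if rule == "stuffing_from_source":
                count = len({c for _, c in bucket})
            else:
                count = len(bucket)
            if count >= threshold and (rule, key) not in fired:
                fired.add((rule, key))
                alerts.append((rule, key, count))
    return alerts
```

On the sample, the first source trips the stuffing rule at its fifth distinct user, and bob trips the brute-force rule once his earlier failure plus four from the second source fall inside one window; the second source never trips the stuffing rule because every attempt targets the same account. Note that both rules are only possible because the log records the user, the source and the outcome of every failure.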

A10:2021 - Server-Side Request Forgery (SSRF)

Description: Application fetches a remote resource without validating the user-supplied URL.

Example:

# SSRF to internal services
GET /fetch?url=http://169.254.169.254/latest/meta-data/  # AWS metadata

# SSRF to internal network
GET /fetch?url=http://192.168.1.1/admin                  # Internal admin panel

# SSRF to local services
GET /fetch?url=http://localhost:6379/                     # Redis
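The server-side check that turns the three requests above into denials: an added example, not from the course page, of validating a user-supplied fetch URL by scheme and by the addresses its host resolves to, rejecting link-local (where cloud metadata lives), loopback, RFC 1918 and all other non-global ranges. The resolver is injectable so the check can be tested offline against a constructed lookup table; the default resolver uses the system DNS.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> Iterable[str]:
    """Default resolver: every address the host resolves to (IPv4 and IPv6)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline resolver for tests: IP literals resolve to themselves, names via the table."""
    def resolve(host: str) -> Iterable[str]:
        try:
            ipaddress.ip_address(host)
            return [host]
        except ValueError:
            return table.get(host, [])
    return resolve


def is_safe_fetch_target(url: str, resolver: Resolver = system_resolver) -> bool:
    """True only when the URL is http(s), carries no userinfo, and every address
    its host resolves to is globally routable. Deny on anything unexpected."""
    try:
        parsed = urlparse(url)
        host = parsed.hostname
        parsed.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parsed.scheme not in ALLOWED_SCHEMES or not host:
        return False
    if parsed.username or parsed.password:
        return False  # user@host forms are a classic parser-confusion vector
    try:
        addresses = list(resolver(host))
    except (socket.gaierror, UnicodeError):
        return False
    if not addresses:
        return False
    for raw in addresses:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            return False
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
        if not addr.is_global:
            return False
    return True
```

Two caveats that belong with this check: the fetch must connect to the address that was validated (resolve once, connect to that IP) so a DNS answer cannot change between the check and the request, and redirects must be re-validated with the same function, because a public host can redirect to an internal one. An allow-list of permitted destination hosts is stricter still and preferable where the feature allows it.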

OWASP API Security Top 10 - 2023

#        Vulnerability
API1     Broken Object Level Authorization (BOLA)
API2     Broken Authentication
API3     Broken Object Property Level Authorization
API4     Unrestricted Resource Consumption
API5     Broken Function Level Authorization (BFLA)
API6     Unrestricted Access to Sensitive Business Flows
API7     Server Side Request Forgery
API8     Security Misconfiguration
API9     Improper Inventory Management
API10    Unsafe Consumption of APIs

Mapping to Bug Bounty Programs

OWASP Category                  Common Bug Bounty Findings               Typical Severity
A01 Broken Access Control       IDOR, privilege escalation               High-Critical
A02 Cryptographic Failures      Sensitive data exposure                  Medium-High
A03 Injection                   SQLi, XSS, Command injection             Medium-Critical
A05 Security Misconfiguration   Exposed admin panels, debug info         Low-High
A07 Auth Failures               Account takeover, auth bypass            High-Critical
A08 Integrity Failures          Deserialization RCE                      Critical
A10 SSRF                        Cloud metadata access, internal access   Medium-Critical