Owasp top 10
The OWASP Top 10 (2021) is a widely used list of the most critical web application security risks. Understanding each vulnerability and knowing how to test it is essential for penetration testing, bug bounty hunting, and secure software development.
Important: Only test applications that you own or have explicit permission to assess.
1. Broken Access Control (A01:2021)
What is it?
Broken Access Control happens when users can perform actions or access resources they shouldn't.
Example
A normal user changes:
GET /profile?id=100
to
GET /profile?id=101
and accesses another user's profile.
Impact
Read other users' data
Delete data
Become admin
Access confidential information
How to Test
Step 1: Create two accounts
User A
User B
Step 2: Login as User A
Capture request in Burp Suite.
GET /orders/101
Step 3: Change
101
to
102
If you receive User B's data:
✅ Broken Access Control
Tools
Burp Suite
OWASP ZAP
Postman
2. Cryptographic Failures (A02:2021)
What is it?
Sensitive information is not properly encrypted.
Examples:
HTTP instead of HTTPS
Password stored in plain text
Weak hashing
Weak encryption
Impact
Password theft
Credit card theft
Data leakage
How to Test
Check HTTPS
http://website.com
Does it redirect to HTTPS?
Inspect Cookies
Check if cookies have
Secure
HttpOnly
SameSite
Password Storage
If you have source code
Look for
password = "123456"
or
MD5(password)
instead of
bcrypt
Argon2
PBKDF2
3. Injection (A03:2021)
What is it?
Application executes user input as commands.
Examples
SQL Injection
NoSQL Injection
LDAP Injection
OS Command Injection
SQL Injection Example
Login form
Username
admin
Password
' OR '1'='1
SQL becomes
SELECT * FROM users
WHERE username='admin'
AND password='' OR '1'='1'
Login bypasses.
How to Test
Test parameters
?id=1'
?id=1--
?id=1 OR 1=1
Watch for
SQL errors
Different response
Login bypass
Tools
SQLMap
Burp Intruder
Burp Repeater
4. Insecure Design (A04:2021)
What is it?
Security was never considered during design.
Example
Bank transfer page
Transfer Money
No transaction limit.
Attacker transfers
$10000000
How to Test
Ask
Is MFA required?
Are rate limits present?
Is there approval workflow?
Can business logic be abused?
Examples
Unlimited coupon usage
Unlimited OTP attempts
Unlimited password reset
5. Security Misconfiguration (A05:2021)
What is it?
Improper server configuration.
Examples
Directory listing enabled
Debug mode enabled
Default passwords
Open admin panels
How to Test
Visit
/robots.txt
/backup.zip
/admin
/phpinfo.php
Check HTTP headers.
Look for
Server: Apache/2.2
Old versions may be vulnerable.
Tools
Nikto
Nmap
Burp Suite
6. Vulnerable and Outdated Components (A06:2021)
What is it?
Application uses old software with known vulnerabilities.
Example
Log4j
Apache Struts
jQuery
How to Test
Find software versions.
Headers
X-Powered-By
Source code
jquery-1.8.js
Search CVEs.
Tools
Nuclei
Retire.js
Dependency Check
7. Identification and Authentication Failures (A07:2021)
What is it?
Weak authentication.
Examples
Weak passwords
Session fixation
Predictable tokens
Missing MFA
How to Test
Try
Weak passwords
password
123456
admin123
Check
Session ID changes after login?
Password reset secure?
Brute force protection?
Use Burp Intruder.
8. Software and Data Integrity Failures (A08:2021)
What is it?
Application trusts unverified software or data.
Examples
Auto updates without signature
Unsafe deserialization
CI/CD compromise
How to Test
Check
File upload validation
Package signatures
JWT algorithm confusion
Deserialization endpoints
Example
Modify JWT
alg:none
If accepted:
Critical issue.
9. Security Logging and Monitoring Failures (A09:2021)
What is it?
Attacks happen but no one notices.
Example
1000 failed logins.
No logs.
No alerts.
How to Test
Generate
Failed logins
Invalid tokens
Permission errors
Ask
Are they logged?
Can admin detect attacks?
10. Server-Side Request Forgery (SSRF) (A10:2021)
What is it?
Server fetches URLs supplied by the attacker.
Example
Fetch Image
Application requests
https://example.com/image.jpg
Attacker changes it to
http://127.0.0.1/admin
or
http://169.254.169.254/
Impact
Internal network access
Cloud credential theft
Remote code execution (sometimes)
How to Test
Find URL parameters
url=
image=
fetch=
link=
Try
http://localhost
http://127.0.0.1
http://169.254.169.254/
Monitor responses.
Tools
Burp Collaborator
Interactsh
Burp Repeater
Comments
Post a Comment