Owasp top 10

The OWASP Top 10 (2021) is a widely used list of the most critical web application security risks. Understanding each vulnerability and knowing how to test it is essential for penetration testing, bug bounty hunting, and secure software development.


Important: Only test applications that you own or have explicit permission to assess.


1. Broken Access Control (A01:2021)

What is it?


Broken Access Control happens when users can perform actions or access resources they shouldn't.


Example


A normal user changes:


GET /profile?id=100



to


GET /profile?id=101



and accesses another user's profile.


Impact

Read other users' data

Delete data

Become admin

Access confidential information

How to Test

Step 1: Create two accounts

User A

User B


Step 2: Login as User A


Capture request in Burp Suite.


GET /orders/101


Step 3: Change

101



to


102



If you receive User B's data:


✅ Broken Access Control


Tools

Burp Suite

OWASP ZAP

Postman

2. Cryptographic Failures (A02:2021)

What is it?


Sensitive information is not properly encrypted.


Examples:


HTTP instead of HTTPS

Password stored in plain text

Weak hashing

Weak encryption

Impact

Password theft

Credit card theft

Data leakage

How to Test

Check HTTPS

http://website.com



Does it redirect to HTTPS?


Inspect Cookies


Check if cookies have


Secure

HttpOnly

SameSite


Password Storage


If you have source code


Look for


password = "123456"



or


MD5(password)



instead of


bcrypt

Argon2

PBKDF2


3. Injection (A03:2021)

What is it?


Application executes user input as commands.


Examples


SQL Injection

NoSQL Injection

LDAP Injection

OS Command Injection

SQL Injection Example


Login form


Username


admin



Password


' OR '1'='1



SQL becomes


SELECT * FROM users

WHERE username='admin'

AND password='' OR '1'='1'



Login bypasses.


How to Test


Test parameters


?id=1'


?id=1--


?id=1 OR 1=1



Watch for


SQL errors

Different response

Login bypass

Tools

SQLMap

Burp Intruder

Burp Repeater

4. Insecure Design (A04:2021)

What is it?


Security was never considered during design.


Example


Bank transfer page


Transfer Money



No transaction limit.


Attacker transfers


$10000000


How to Test


Ask


Is MFA required?

Are rate limits present?

Is there approval workflow?

Can business logic be abused?


Examples


Unlimited coupon usage

Unlimited OTP attempts

Unlimited password reset

5. Security Misconfiguration (A05:2021)

What is it?


Improper server configuration.


Examples


Directory listing enabled

Debug mode enabled

Default passwords

Open admin panels

How to Test


Visit


/robots.txt


/backup.zip


/admin


/phpinfo.php



Check HTTP headers.


Look for


Server: Apache/2.2



Old versions may be vulnerable.


Tools

Nikto

Nmap

Burp Suite

6. Vulnerable and Outdated Components (A06:2021)

What is it?


Application uses old software with known vulnerabilities.


Example


Log4j

Apache Struts

jQuery


How to Test


Find software versions.


Headers


X-Powered-By



Source code


jquery-1.8.js



Search CVEs.


Tools


Nuclei

Retire.js

Dependency Check

7. Identification and Authentication Failures (A07:2021)

What is it?


Weak authentication.


Examples


Weak passwords

Session fixation

Predictable tokens

Missing MFA

How to Test


Try


Weak passwords


password

123456

admin123



Check


Session ID changes after login?

Password reset secure?

Brute force protection?


Use Burp Intruder.


8. Software and Data Integrity Failures (A08:2021)

What is it?


Application trusts unverified software or data.


Examples


Auto updates without signature

Unsafe deserialization

CI/CD compromise

How to Test


Check


File upload validation

Package signatures

JWT algorithm confusion

Deserialization endpoints


Example


Modify JWT


alg:none



If accepted:


Critical issue.


9. Security Logging and Monitoring Failures (A09:2021)

What is it?


Attacks happen but no one notices.


Example


1000 failed logins.


No logs.


No alerts.


How to Test


Generate


Failed logins

Invalid tokens

Permission errors


Ask


Are they logged?


Can admin detect attacks?


10. Server-Side Request Forgery (SSRF) (A10:2021)

What is it?


Server fetches URLs supplied by the attacker.


Example


Fetch Image



Application requests


https://example.com/image.jpg



Attacker changes it to


http://127.0.0.1/admin



or


http://169.254.169.254/


Impact

Internal network access

Cloud credential theft

Remote code execution (sometimes)

How to Test


Find URL parameters


url=

image=

fetch=

link=



Try


http://localhost


http://127.0.0.1


http://169.254.169.254/



Monitor responses.


Tools


Burp Collaborator

Interactsh

Burp Repeater

Comments

Popular posts from this blog

Social Engineering

In one lifetime, you will love many times, but one love will burn your soul forever.

The cost of growth is pain.