OWASP Top 10 Overview
🔥 Vibe Prompt
"Audit a Next.js project for OWASP Top 10 vulnerabilities. Analyze each risk and suggest fixes."
Top 10 (2021)
| Rank | Vulnerability | Description |
|------|---------------|-------------|
| 1 | Broken Access Control | Users access unauthorized resources |
| 2 | Cryptographic Failures | Data not encrypted |
| 3 | Injection | SQL, NoSQL injection |
| 4 | Insecure Design | Design flaws |
| 5 | Security Misconfiguration | Default creds, debug mode |
| 6 | Vulnerable Components | Packages with known vulnerabilities |
| 7 | Auth Failures | Broken authentication |
| 8 | Data Integrity Failures | Unverified data integrity |
| 9 | Logging Failures | Missing monitoring |
| 10 | SSRF | Server-Side Request Forgery |
Prevention Mindset
Security is not a feature; it's a requirement. Every line of code must consider security.
Chapter Summary
- Understand the core concepts and principles
- Master the implementation methods and techniques
- Be familiar with common issues and their solutions
- Be able to apply them in real projects
Further Reading
- Official documentation and API references
- Open source examples on GitHub
- Technical books and online courses
- Community discussions and tech blogs
Why OWASP Top 10?
The OWASP Top 10 is the standard awareness document for web application security. It represents a broad consensus on the most critical security risks.
The 2021 Top 10 List
| Rank | Risk | Description |
|------|------|-------------|
| A01 | Broken Access Control | Users can access resources they shouldn't |
| A02 | Cryptographic Failures | Weak encryption or exposed keys |
| A03 | Injection | SQL, NoSQL, OS command injection |
| A04 | Insecure Design | Missing security controls in design |
| A05 | Security Misconfiguration | Default creds, unnecessary features |
| A06 | Vulnerable Components | Outdated libraries with known exploits |
| A07 | Auth Failures | Weak login, session management flaws |
| A08 | Data Integrity Failures | Software not verifying source integrity |
| A09 | Logging Failures | Missing audit trails, no incident detection |
| A10 | SSRF | Server-side request forgery |
A01: Broken Access Control
Problem
Users can view, modify, or delete resources they shouldn't have access to.
```javascript
// ❌ Vulnerable: No ownership check
app.get('/api/orders/:id', async (req, res) => {
  const order = await db.findOrder(req.params.id);
  res.json(order); // Any user can see ANY order!
});

// ✅ Secure: Check ownership
app.get('/api/orders/:id', authenticate, async (req, res) => {
  const order = await db.findOrder(req.params.id);
  if (order.userId !== req.user.id && req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Forbidden' });
  }
  res.json(order);
});
```
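The ownership rule from the secure handler, as an added example that is not part of the original chapter: it is pulled out into a pure function so it can be unit-tested without Express or a database, and it handles the case the handler above does not, an order id that does not exist. `PRIVILEGED_ROLES`, `authorizeOrderRead`, `getOrderHandler` and the sample orders are names and data chosen for this example.

```javascript
// Added example, not from the original chapter. Deny-by-default authorization
// for reading an order, separated from the HTTP layer.

// Roles allowed to read any order. The chapter only names 'admin'.
const PRIVILEGED_ROLES = new Set(['admin']);

// Decide whether `user` may read `order`. Deny by default: no user, no order,
// or neither ownership nor a privileged role all result in a refusal.
function authorizeOrderRead(order, user) {
  if (!user || user.id === undefined || user.id === null) {
    return { allowed: false, status: 401, error: 'Unauthorized' };
  }
  if (!order) {
    return { allowed: false, status: 404, error: 'Not found' };
  }
  if (order.userId === user.id || PRIVILEGED_ROLES.has(user.role)) {
    return { allowed: true };
  }
  return { allowed: false, status: 403, error: 'Forbidden' };
}

// Stand-in for the Express route: same inputs the handler sees, but the order
// lookup is injected instead of calling `db.findOrder`.
async function getOrderHandler(req, findOrder) {
  const order = await findOrder(req.params.id);
  const decision = authorizeOrderRead(order, req.user);
  if (!decision.allowed) {
    return { status: decision.status, body: { error: decision.error } };
  }
  return { status: 200, body: order };
}

// Constructed sample data for a local run.
const SAMPLE_ORDERS = new Map([
  ['1001', { id: '1001', userId: 'u1', total: 42 }],
  ['1002', { id: '1002', userId: 'u2', total: 99 }],
]);
const findSampleOrder = async (id) => SAMPLE_ORDERS.get(id) || null;

// Runs the handler as several principals and returns the status code each one
// gets for the same order, e.g. { owner: 200, other: 403, admin: 200, anon: 401, missing: 404 }.
async function demo() {
  const run = (user, id) => getOrderHandler({ params: { id }, user }, findSampleOrder);
  return {
    owner: (await run({ id: 'u1', role: 'user' }, '1001')).status,
    other: (await run({ id: 'u2', role: 'user' }, '1001')).status,
    admin: (await run({ id: 'u9', role: 'admin' }, '1001')).status,
    anon: (await run(undefined, '1001')).status,
    missing: (await run({ id: 'u1', role: 'user' }, '9999')).status,
  };
}

demo().then((codes) => console.log(codes));
```

Keeping the decision in a function that takes the order and the user, rather than reading them off `req` inside the route, means every route that touches orders can call the same rule, and the rule can be tested against each principal in isolation.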
A03: Injection
SQL Injection Prevention
| Approach | Example | Safe? |
|----------|---------|-------|
| String concatenation | `WHERE id = '${id}'` | ❌ Dangerous |
| Parameterized query | `WHERE id = $1` | ✅ Safe |
| ORM | `User.find(id)` | ✅ Safe |
| Stored procedure | `EXEC get_user @id` | ✅ Safe with params |
```javascript
// ❌ Vulnerable to SQL injection
const query = `SELECT * FROM users WHERE email = '${email}'`;

// ✅ Parameterized query
const result = await sql`
  SELECT * FROM users WHERE email = ${email}
`;
```
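To show why the tagged `sql` template is safe and the concatenated string is not, here is an added example that is not part of the original chapter: a minimal `sql` tag that separates the statement text from the values, next to the concatenation pattern for comparison. The tag, `concatQuery` and the sample email are constructed for this example; the `{ text, values }` shape it returns is the one drivers such as node-postgres accept for `query()`.

```javascript
// Added example, not from the original chapter. A tagged template that never
// lets an interpolated value into the SQL text: each ${...} becomes a $n
// placeholder and the value goes into a separate array for the driver to bind.
function sql(strings, ...values) {
  let text = '';
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i < values.length) text += `$${i + 1}`;
  });
  return { text: text.trim(), values };
}

// The vulnerable pattern from the chapter, kept for comparison: the value is
// spliced into the statement text itself.
function concatQuery(email) {
  return `SELECT * FROM users WHERE email = '${email}'`;
}

// Count single quotes in a statement; an odd number means the string literal
// structure of the query has been broken by the input.
function quoteCount(statement) {
  return (statement.match(/'/g) || []).length;
}

// Constructed input: a perfectly legitimate address that contains an
// apostrophe. It breaks the concatenated query and is harmless as a parameter.
const SAMPLE_EMAIL = "o'brien@example.com";

// Returns both forms side by side for the same input.
function compare(email) {
  const unsafe = concatQuery(email);
  const safe = sql`
    SELECT * FROM users WHERE email = ${email}
  `;
  return {
    unsafeText: unsafe,
    unsafeQuoteCount: quoteCount(unsafe),   // 3: the literal is broken
    safeText: safe.text,                    // 'SELECT * FROM users WHERE email = $1'
    safeValues: safe.values,                // ["o'brien@example.com"]
    safeQuoteCount: quoteCount(safe.text),  // 0: the text never sees the value
  };
}

console.log(compare(SAMPLE_EMAIL));
```

The statement text is identical for every input; only the bound values change. That is the property that makes parameterization a fix rather than a filter: there is no escaping step to get wrong, because the value is never parsed as SQL.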
A05: Security Misconfiguration
Common Misconfigurations
| Misconfiguration | Fix |
|------------------|-----|
| Default credentials | Change all default passwords |
| Debug mode enabled | Set `NODE_ENV=production` |
| CORS set to `*` | Restrict to specific origins |
| Unused features | Disable unused endpoints and methods |
| Directory listing | Disable in web server config |
| Error stack traces | Return generic error messages |
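Two of the fixes from the table, restricting CORS to specific origins and returning generic errors in production, as an added example that is not part of the original chapter. `ALLOWED_ORIGINS`, `corsHeadersFor` and `errorResponse` are names chosen here, and the origins are constructed samples.

```javascript
// Added example, not from the original chapter. Testable versions of two
// hardening steps: an exact-match CORS allowlist, and error responses that
// only carry a stack trace outside production.

// Exact-match allowlist instead of '*'. Comparing the normalized origin
// (scheme + host + port) means a lookalike such as
// 'https://app.example.com.evil.net' or a substring match cannot pass.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',   // constructed sample origins
  'https://admin.example.com',
]);

// Returns the CORS response headers for a request's Origin header value, or an
// empty object (no CORS headers at all) when the origin is absent or not allowed.
function corsHeadersFor(requestOrigin) {
  if (!requestOrigin) return {}; // same-origin or non-browser client
  let normalized;
  try {
    normalized = new URL(requestOrigin).origin; // lowercases host, drops default port
  } catch {
    return {}; // e.g. the literal string 'null' sent for opaque origins
  }
  if (!ALLOWED_ORIGINS.has(normalized)) return {};
  return {
    'Access-Control-Allow-Origin': normalized,
    // Echoing a per-request origin requires Vary so shared caches do not
    // serve one origin's response to another.
    Vary: 'Origin',
  };
}

// The stack trace is useful in development and a leak in production, so the
// environment decides what the client gets. Log err.stack server-side either way.
function errorResponse(err, env = process.env.NODE_ENV) {
  if (env === 'production') {
    return { status: 500, body: { error: 'Internal server error' } };
  }
  return { status: 500, body: { error: err.message, stack: err.stack } };
}

console.log(corsHeadersFor('https://app.example.com'));
console.log(corsHeadersFor('https://app.example.com.evil.net'));
console.log(errorResponse(new Error('connection refused'), 'production'));
```

Note that the allowed origin is echoed back rather than the wildcard: a response with `Access-Control-Allow-Origin: *` cannot be combined with credentials, and the `Vary: Origin` header is what keeps a cache from replaying the echoed value to a different origin.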
Summary
The OWASP Top 10 identifies the most critical web security risks. Understanding each risk and its mitigation is essential for building secure applications.
Key takeaways:
- A01: Always check ownership; never trust user input for authorization
- A02: Encrypt everything with strong algorithms (AES-256, TLS 1.3)
- A03: Use parameterized queries or an ORM; never string concatenation
- A04: Design with security in mind; threat model early
- A05: Harden defaults: no debug mode, no default creds, restrict CORS
- A06: Keep dependencies updated; use Snyk or Dependabot
- A07: Strong auth: MFA, OAuth 2.0, short-lived sessions
- A08: Verify software integrity: code signing, checksums
- A09: Log everything: audit trails for incident response
- A10: Validate URLs; block private IP ranges in SSRF-prone features
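The A10 takeaway, validating URLs and blocking private IP ranges in SSRF-prone features, as an added example that is not part of the original chapter. It is a validator for any endpoint that fetches a URL the user supplies: only http(s) is allowed, and a URL is refused when its host is a literal IP in a non-public IPv4 range, any IPv6 literal, or localhost. All names (`BLOCKED_V4`, `validateOutboundUrl`, and the helpers) and the sample inputs are chosen for this example.

```javascript
// Added example, not from the original chapter. Allowlist the scheme, then
// refuse hosts that are literal addresses in non-public ranges.

// Non-public IPv4 ranges as [base, prefix length].
const BLOCKED_V4 = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16], // RFC 1918 private
  ['127.0.0.0', 8],                                         // loopback
  ['169.254.0.0', 16],                                      // link-local
  ['0.0.0.0', 8],                                           // "this" network
  ['100.64.0.0', 10],                                       // shared address space
];

// Dotted-quad string to an unsigned 32-bit number, or null if not a dotted quad.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ipInt falls inside base/bits. The >>> 0 keeps the arithmetic unsigned.
function inCidr(ipInt, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isBlockedIpv4(ip) {
  const n = ipv4ToInt(ip);
  return n !== null && BLOCKED_V4.some(([base, bits]) => inCidr(n, base, bits));
}

// Returns { ok: true, url } or { ok: false, reason }.
function validateOutboundUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL' };
  }
  const host = url.hostname;
  if (host.startsWith('[')) {
    // IPv6 literals come back bracketed ("[::1]"). This example does not parse
    // IPv6 ranges, so it refuses all of them rather than guess.
    return { ok: false, reason: 'IPv6 literal not allowed' };
  }
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'localhost not allowed' };
  }
  if (isBlockedIpv4(host)) {
    return { ok: false, reason: 'non-public IPv4 address' };
  }
  return { ok: true, url: url.href };
}

// Constructed inputs for a local run.
for (const candidate of [
  'https://api.example.com/hook',
  'http://10.8.0.3/admin',
  'http://172.32.0.1/',
  'http://localhost:3000/',
  'file:///tmp/x',
]) {
  console.log(candidate, '->', validateOutboundUrl(candidate));
}
```

Two practical notes. The WHATWG `URL` parser that Node ships canonicalizes alternative IPv4 spellings (a single decimal integer, hex, or fewer than four parts) to a dotted quad before `hostname` is read, so the check sees the normal form. What a literal-IP check cannot catch is a hostname that resolves to a private address, including one that changes its answer between validation and connection (DNS rebinding): re-check the resolved address at connect time or route outbound requests through an egress proxy that enforces the same policy, and re-validate every redirect target rather than following redirects automatically.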
What's Next: SQL Injection
The next chapter covers SQL injection in depth.