Ethical Hacking Lesson 37 – OWASP Top 10 | Dataplexa

Ethical Hacking

I. Foundations & Hacking Mindset
1. What is Ethical Hacking 2. Hacker Types & Motivations 3. Legal & Ethical Considerations 4. Hacking Methodologies 5. Cyber Kill Chain 6. Footprinting & Reconnaissance 7. Passive vs Active Recon 8. Information Gathering Tools 9. Hacking Lab Setup 10. Kali Linux Overview
II. Reconnaissance & Scanning
11. DNS Enumeration 12. Whois & Network Enumeration 13. Google Dorking 14. Nmap Scanning 15. Port Scanning 16. Service Enumeration 17. Vulnerability Scanning 18. Nessus & OpenVAS 19. Banner Grabbing 20. Recon Best Practices
III. System & Network Attacks
21. Password Cracking 22. Brute Force Attacks 23. Credential Harvesting 24. Exploiting Misconfigurations 25. Linux System Attacks 26. Windows System Attacks 27. Privilege Escalation 28. Malware Concepts 29. Backdoors & Trojans 30. Network Sniffing 31. MITM Attacks 32. DoS Attacks 33. Wireless Attacks 34. Covering Tracks 35. Attack Mitigation
IV. Web Hacking & Real World
36. Web Architecture 37. OWASP Top 10 38. SQL Injection 39. Cross-Site Scripting (XSS) 40. Authentication Attacks 41. Session Hijacking 42. File Upload Vulnerabilities 43. API Security 44. Tools Summary 45. Mini Project – Ethical Hacking Lab
Web Hacking & Real World · Lesson 37

OWASP Top 10

The OWASP Top 10 is the most widely referenced document in web application security. Every major web vulnerability assessment standard references it. Every security team knows it. Every developer should. This lesson works through each risk — what it is, what it looks like in practice, and why it keeps appearing year after year.

What OWASP is and why the Top 10 matters

The Open Web Application Security Project is a non-profit foundation that produces free, open security guidance for developers, security teams, and organisations. The Top 10 — updated periodically based on data from thousands of real-world application assessments — lists the ten most critical and most common web application security risks. It is not a vulnerability list. It is a risk category list — each entry covers a class of vulnerabilities with shared root causes and shared defences.

The 2021 edition remains current and is the one most organisations and certification bodies reference. The ten categories shifted considerably from 2017 — Insecure Design appeared as a new entry, reflecting the industry's recognition that many security failures are architectural rather than implementational. Knowing why each category appears on the list is as important as knowing what it contains.

The 2021 OWASP Top 10 — all ten risks

A01

Broken Access Control

#1 since 2021

Access control failures occur when users can act outside their intended permissions — accessing other users' accounts, viewing sensitive data, performing privileged functions, or manipulating access control mechanisms. The classic example is Insecure Direct Object Reference: changing /account?id=12345 to /account?id=12346 and accessing another user's data because the server only checks whether you are authenticated, not whether the resource belongs to you.

Why it's #1: 94% of applications tested had some form of broken access control. It is the highest-impact category because it directly exposes data and functionality that should be inaccessible. Defences: server-side access control checks on every request, deny by default, rate limiting on access control failures.

A02

Cryptographic Failures

Previously called "Sensitive Data Exposure" — the rename in 2021 acknowledged that the root cause is cryptographic failure, not just exposure. This covers data transmitted without encryption (HTTP instead of HTTPS), data stored without encryption (plaintext passwords in a database), weak or deprecated algorithms (MD5 for password hashing, RC4 for transport encryption), and improper key management (hardcoded encryption keys in source code).

Real impact: The 2013 Adobe breach exposed 153 million user records — passwords encrypted with 3DES ECB mode (same plaintext produced same ciphertext, allowing pattern analysis) rather than hashed. The encryption was technically present but cryptographically useless. Defences: TLS everywhere, bcrypt or Argon2 for passwords, no secrets in code.

A03

Injection

Was #1 until 2021

Injection occurs when untrusted data is sent to an interpreter as part of a command or query. SQL injection is the most well-known — inserting SQL syntax into an input field causes the database to execute attacker-controlled queries. Command injection inserts OS commands. LDAP injection targets directory services. Template injection targets server-side rendering engines. The root cause is always the same: user input is not separated from the command structure that processes it.

Why it dropped from #1: Not because it became less dangerous — SQL injection is still critical when present — but because parameterised queries and modern ORMs have significantly reduced its prevalence in well-maintained applications. Legacy codebases remain vulnerable. Lesson 38 covers SQL injection in depth.

A04

Insecure Design

New in 2021

A new category in 2021 that separates design flaws from implementation bugs. A perfectly implemented feature can still be insecure if the design itself is flawed. A password reset flow that emails a link without any expiry is a design flaw. An application that allows unlimited guesses on a PIN with no throttling is a design flaw. These cannot be fixed with a patch — they require redesigning the feature from scratch.

The distinction matters: Injection is an implementation bug — a developer wrote code incorrectly. Insecure design is an architectural decision — the specification itself was insecure. Fixing implementation bugs is fast. Fixing design flaws requires planning, development time, and often user migration. The earlier a design flaw is caught, the cheaper it is to fix.

A05

Security Misconfiguration

The entire category of misconfiguration issues from Section III — now applied to web applications and their supporting infrastructure. Default credentials on admin panels. Unnecessary features enabled. Verbose error messages exposing stack traces and database queries. Directory listing enabled on web servers. Missing security headers. Publicly accessible cloud storage buckets. Each of these appeared in real breaches before the organisations realised the configuration was exposed.

The Capital One 2019 breach — 106 million customer records compromised — traced to a misconfigured web application firewall that allowed SSRF (server-side request forgery) to reach the AWS metadata endpoint, which returned credentials for the IAM role running the application. Misconfiguration remains the easiest class of finding to prevent and the most consistently overlooked.

A06

Vulnerable and Outdated Components

Libraries, frameworks, and other software components run with the same privileges as the application. Using a component with a known vulnerability means the application inherits that vulnerability regardless of how well the application itself is written. The 2017 Equifax breach — 147 million records — was caused by an unpatched Apache Struts vulnerability (CVE-2017-5638) that had a public exploit available two months before the breach. The patch existed. It was not applied.

Modern applications have hundreds of dependencies. npm packages, Python requirements, Ruby gems, Maven dependencies — each with their own dependency tree. Software composition analysis tools (Snyk, Dependabot, OWASP Dependency-Check) automate discovery of vulnerable components. Without automation, manual tracking across hundreds of dependencies is not realistic.

A07

Identification and Authentication Failures

Covers all weaknesses in how applications identify and authenticate users: default credentials not changed, weak passwords permitted, missing account lockout, insecure password recovery flows, session tokens not invalidated on logout, session IDs exposed in URLs, missing MFA on sensitive operations. The practical consequence of any of these is that an attacker gains access to accounts they should not be able to reach — either by guessing, brute forcing, or stealing session state.

Session IDs in URLs are a particularly consequential misconfiguration. If an application includes the session token in the URL (/dashboard?sessid=abc123), it appears in server logs, browser history, and Referer headers sent to third-party sites — exposing it to anyone who can read those logs. Session tokens belong exclusively in cookies with HttpOnly set. Lesson 40 and 41 cover this in depth.

A08

Software and Data Integrity Failures

New in 2021

Covers situations where code and infrastructure do not protect against integrity violations — including insecure deserialisation and CI/CD pipeline integrity failures. Insecure deserialisation occurs when applications reconstruct objects from user-supplied serialised data without verifying integrity — allowing attackers to craft malicious objects that execute code when deserialised. The SolarWinds attack (Lesson 28) was a software integrity failure at the supply chain level — malicious code inserted into a trusted build pipeline.

Auto-update mechanisms that fetch updates without signature verification are a straightforward integrity failure. An attacker who can intercept or replace the update file can deliver arbitrary code to every instance of the application. npm packages installed without integrity checking (the --ignore-scripts flag), and CDN-hosted scripts loaded without subresource integrity hashes, are both covered by this category.

A09

Security Logging and Monitoring Failures

Applications that do not log security-relevant events — authentication attempts, access control failures, input validation errors — cannot detect attacks in progress or reconstruct what happened during a breach. The Verizon DBIR consistently shows that most breaches take months to detect, during which the attacker operates freely. Missing logging is a direct contributor to that dwell time.

What must be logged: every authentication attempt (success and failure) with username and source IP, every access control failure with the requested resource, every input validation failure, every high-value transaction. What must not be logged: passwords, session tokens, credit card numbers, PII. Logging sensitive data in plaintext is itself a security failure — breaches of log files have exposed credentials exactly this way.

Testing approach: Attempt a brute force against the login — then check whether any alert was generated. Try to access a forbidden resource — then check whether the access control failure was logged. If neither produced a log entry, the application has a logging failure that belongs in the report.

A10

Server-Side Request Forgery (SSRF)

New in 2021

SSRF occurs when a web application fetches a remote resource based on a URL supplied by the user — and does not validate or restrict what URLs are permitted. An attacker can supply an internal IP address or a cloud metadata endpoint URL, causing the server to make the request on their behalf. The server trusts itself and its internal network, so SSRF effectively turns the application into a proxy for reaching internal systems that should never be reachable from the internet.

The Capital One breach used SSRF against the AWS metadata endpoint at 169.254.169.254 — a special IP that returns temporary credentials for the IAM role attached to the running instance. In cloud environments, SSRF to the metadata endpoint is a critical finding that can expose cloud credentials and entire cloud account access. AWS now requires IMDSv2 by default, which makes this specific attack path significantly harder — but SSRF to internal services remains a valid and frequent finding.

How the OWASP Top 10 maps to this course

Six of the remaining lessons in Section IV each target a specific OWASP category. The table below maps where each Top 10 risk is covered.

OWASP TOP 10 → LESSON MAP
ID Risk Covered in
A01 Broken Access Control Lesson 40
A02 Cryptographic Failures This lesson
A03 Injection (SQL Injection) Lesson 38
A04 Insecure Design This lesson
A05 Security Misconfiguration Section III
A06 Vulnerable Components This lesson
A07 Authentication Failures Lesson 40
A08 Software Integrity Failures L28 + this lesson
A09 Logging and Monitoring Failures This lesson
A10 Server-Side Request Forgery Lesson 43

What the Top 10 does not cover — and why that matters

The OWASP Top 10 is frequently misused as a complete web security checklist — "we checked all ten, we are secure." That misunderstanding causes real harm. The Top 10 covers the most common risk categories based on prevalence data from real assessments. It does not cover every vulnerability class, it does not weight findings by severity in a specific application context, and it explicitly acknowledges this in its own documentation.

Business logic vulnerabilities — flaws in the application's own rules rather than in generic security mechanisms — are consistently underrepresented in the Top 10 because they are application-specific and do not produce generalised data across assessments. An e-commerce application that allows a negative quantity in the shopping cart, effectively paying the user for a product, is a business logic flaw. A banking application whose transfer process can be interrupted after funds leave the source account but before they arrive at the destination is a business logic flaw. These are often the highest-impact findings in an assessment precisely because they exploit functionality the developers thought was working correctly.

Race conditions — two concurrent requests that each succeed because the application does not account for simultaneous execution — are similarly underrepresented. A gift card redemption endpoint that does not lock the card record during processing can be hit simultaneously from two threads, redeeming the same card twice. Burp Suite's Turbo Intruder extension is specifically designed to send perfectly timed concurrent requests for race condition testing. These vulnerabilities require an attacker who thinks carefully about the application's intended behaviour rather than one who runs generic attack tools.

Using the OWASP Top 10 in a pen test

The Top 10 is most useful in two ways during an engagement. First, as a structured checklist for ensuring coverage — every web application assessment should at minimum test for each of the ten categories. Second, as a communication framework in reports — a client who has never seen a pen test report before understands "this is an OWASP Top 10 finding" as shorthand for "this is a well-known, well-documented risk class with established defences."

The most practical use is the OWASP Testing Guide — a companion document to the Top 10 that provides specific test cases, payloads, and expected results for each category. The Testing Guide is not as well-known as the Top 10 but is far more operationally useful during an assessment. It is free at owasp.org and should be in every web pen tester's reference library. The Web Security Academy at portswigger.net/web-security provides hands-on labs that directly correspond to the Top 10 categories — working through them before starting client assessments builds the muscle memory needed to find these issues quickly under time pressure.

Teacher's Note: The most important thing to take from this lesson is that Broken Access Control reaching #1 in 2021 reflects a fundamental shift in how web applications are built. Single-page applications and mobile apps that call APIs have proliferated access control checks across dozens of endpoints — and developers miss them consistently. Every API endpoint that returns data must independently verify the caller is authorised to access that specific data. Centralised authentication does not guarantee that authorisation is checked at every resource.

Quiz

Scenario:

A pen tester logs into a web application as a standard user. Their profile page URL is /profile?user_id=4821. They change the URL to /profile?user_id=4822 and the page loads showing another user's full name, email address, and order history — without any error or redirect. They are still logged in as their own account. Which OWASP Top 10 category does this represent and what is the specific sub-type of the vulnerability?

Scenario:

A banking application's password reset flow works as follows: the user enters their email, receives a 4-digit numeric PIN, and enters it to reset their password. The PIN is valid for 10 minutes. A pen tester writes a script that tries all 10,000 possible PIN values within the validity window and successfully resets an account's password without access to the victim's email. The developer argues this is just a rate limiting bug that can be fixed with a patch. The pen tester disagrees — they classify it as a different, more serious category. Which OWASP category applies and why?

Scenario:

A pen tester is testing a web application that allows users to enter a URL for a "website preview" feature. They enter http://169.254.169.254/latest/meta-data/iam/security-credentials/ as the URL. The application fetches it and displays the response — which contains temporary AWS access keys, a secret key, and a session token for the IAM role attached to the application server. The pen tester now has cloud account credentials. Which OWASP Top 10 category does this represent?

Up Next · Lesson 38

SQL Injection

How SQL injection works from first principles, manually crafting payloads in Burp Repeater, sqlmap for automation, and how parameterised queries eliminate the vulnerability entirely.

← Previous Course Index Next →