
Security (OWASP Top 10)

1. Broken Access Control

Definition: Users can access data or perform actions they’re not authorized to.

Example: A regular user changes /user/101 to /admin in the URL and sees admin-only pages.

Impact: Attackers escalate privileges, steal data, or manipulate critical settings.

Mitigation: Enforce authorization on the server for every request (deny by default), check that the caller actually owns or is permitted to access the specific record being requested (not just the page), use Role-Based Access Control (RBAC), and never rely on hiding links or on client-side checks.
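
A short Python illustration of the point above, added here and not part of the original notes: an endpoint that trusts the id in the URL next to one that checks ownership and role on the server. The users, roles and records are constructed for the example.

```python
# Added example (not from the original page): server-side object-level and
# role-level authorization. Users, roles and records are constructed.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # constructed role names: "user" or "admin"


# Constructed in-memory store: profile id -> record with its owner
PROFILES = {
    101: {"owner": 101, "email": "alice@example.test"},
    102: {"owner": 102, "email": "bob@example.test"},
}


def get_profile_insecure(caller: User, profile_id: int) -> dict:
    """Vulnerable: trusts the id taken from the URL and never asks who is calling,
    so user 101 reads /user/102 simply by editing the path (an IDOR)."""
    return PROFILES[profile_id]


def may_read(caller: User, record: dict) -> bool:
    """Deny by default: only the record's owner or an admin may read it."""
    return caller.role == "admin" or record["owner"] == caller.id


def get_profile(caller: User, profile_id: int) -> dict:
    """Hardened: the ownership/role check runs on the server for every call."""
    record = PROFILES.get(profile_id)
    # One answer for "does not exist" and "not yours", so ids cannot be enumerated
    if record is None or not may_read(caller, record):
        raise Forbidden(f"user {caller.id} may not read profile {profile_id}")
    return record


def admin_panel(caller: User) -> str:
    """Role check enforced server-side, not by hiding the link in the UI."""
    if caller.role != "admin":
        raise Forbidden("admin role required")
    return "admin dashboard"


if __name__ == "__main__":
    alice, root = User(101, "user"), User(1, "admin")
    print(get_profile_insecure(alice, 102))  # the flaw: Alice reads Bob's record
    print(get_profile(root, 102))            # admin is allowed
    try:
        get_profile(alice, 102)
    except Forbidden as exc:
        print("blocked:", exc)
```

The check lives next to the data access, so every code path that reads a profile goes through it; a check that only guards the HTML page still leaves the API route open.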

2. Cryptographic Failures

Definition: Sensitive data is exposed due to weak or missing encryption.

Example: Storing passwords in plain text instead of hashing.

Impact: Leads to data breaches, credential theft, and regulatory fines (GDPR, HIPAA).

Mitigation: Always use TLS (HTTPS), hash passwords with a slow, salted password hash designed for the job (Argon2id, bcrypt, or scrypt; a plain fast hash such as SHA-512 is not a password hash), and encrypt sensitive data at rest as well as in transit.
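
An added Python example, not from the original notes, contrasting an unsalted fast hash with a salted, memory-hard password hash. It uses scrypt from the standard library because bcrypt and Argon2 need third-party packages; the cost parameters are constructed for the example.

```python
# Added example (not from the original page): password hashing done wrong and
# done right using only the standard library. Cost parameters are constructed.
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def sha512_unsalted(password: str) -> str:
    """What NOT to do: fast and unsalted. Equal passwords give equal digests,
    and a GPU tries billions of SHA-512 guesses per second against a leaked table."""
    return hashlib.sha512(password.encode()).hexdigest()


# scrypt cost parameters (constructed for the example; raise N in production
# until one hash takes a noticeable fraction of a second on your servers)
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard hash; the parameters travel with the hash so they
    can be raised later without invalidating old records."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recomputes with the stored salt/parameters and compares in constant time."""
    try:
        algo, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
        candidate = hashlib.scrypt(password.encode(), salt=salt,
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    print(sha512_unsalted("hunter2") == sha512_unsalted("hunter2"))  # same digest every time
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record), verify_password("hunter3", record))
```

Two users with the same password get different records because of the random salt, and the constant-time comparison avoids leaking how many leading bytes of the digest matched.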

3. Injection

Definition: Untrusted input is treated as code or a command.

Example: Entering ' OR '1'='1 as the password in a login form makes the WHERE clause of the login query always true and bypasses authentication (SQL injection).

Impact: Full database compromise, data leakage, remote code execution.

Mitigation: Use prepared statements / parameterized queries, validate inputs, and avoid string concatenation in queries.

4. Insecure Design

Definition: Security flaws baked into the architecture or design itself, usually a control that was never specified, so even a bug-free implementation is insecure.

Example: A banking app is designed with no limit on login attempts and no account lockout, so brute force is possible by design rather than because of a coding mistake.

Impact: Increases attack surface, leads to predictable weaknesses.

Mitigation: Apply secure design principles (least privilege, fail securely, defence in depth), adopt threat modeling early in development, write abuse cases alongside user stories, and design in controls such as rate limiting and account lockout rather than bolting them on later.

5. Security Misconfiguration

Definition: Incorrect or default security settings make systems unsafe.

Example: Admin panel reachable at /admin with the default credentials admin / admin123 still in place.

Impact: Easy exploitation, unauthorized access, malware installation.

Mitigation: Change default configs and credentials, disable unused features, debug modes and verbose error messages, keep environments identical and repeatable (configuration as code), and audit configurations regularly.

6. Vulnerable and Outdated Components

Definition: Using old/unpatched software, libraries, or plugins.

Example: Website running outdated WordPress with known file upload exploit.

Impact: Attackers leverage known CVEs to gain access or inject malware.

Mitigation: Keep frameworks, libraries, and the OS updated, remove unnecessary dependencies, pin versions so you know exactly what is deployed, monitor CVE/NVD and advisory feeds, and run a dependency scanner (software composition analysis) in CI.
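
An added Python example, not from the original notes, of the core of a dependency check: parse a pinned requirements file and compare each version against an advisory list. The lockfile, package names and the advisory entry are constructed; real tooling pulls advisories from OSV/NVD feeds, and the version parser assumes plain numeric dotted versions.

```python
# Added example (not from the original page): minimal dependency audit.
# Lockfile contents, package names and advisory data are all constructed.
import re
from typing import Dict, List, Tuple

# Matches "name==1.2.3" style lines (assumption: plain numeric dotted versions)
REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)\s*([0-9][0-9.]*)")

# Constructed advisory data: package -> list of (id, first fixed version)
ADVISORIES: Dict[str, List[Dict[str, str]]] = {
    "samplepkg": [{"id": "ADV-0001 (constructed)", "fixed_in": "2.4.1"}],
}

# Constructed lockfile
REQUIREMENTS = """\
# pinned dependencies (constructed)
samplepkg==2.3.0
otherpkg==1.0.0   # no known advisory
loosepkg>=4.0
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric tuple so that 2.10.0 sorts after 2.9.0 (string compare would not)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def audit(requirements: str, advisories=ADVISORIES) -> List[Tuple[str, str]]:
    """Returns (package, finding) pairs: known-vulnerable pins and unpinned lines."""
    findings: List[Tuple[str, str]] = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append((line, "could not parse"))
            continue
        name, op, version = m.group(1).lower(), m.group(2), m.group(3)
        if op != "==":
            # A range means the deployed version is unknown, so it cannot be audited
            findings.append((name, "not pinned to an exact version"))
            continue
        for adv in advisories.get(name, []):
            if parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append((name, f"{version} is below fixed version "
                                       f"{adv['fixed_in']} ({adv['id']})"))
    return findings


if __name__ == "__main__":
    for package, finding in audit(REQUIREMENTS):
        print(f"{package}: {finding}")
```

Running this in CI and failing the build on any finding is the cheapest way to keep item 6 from happening silently; the same comparison logic applies to container base images and OS packages.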

7. Identification and Authentication Failures

Definition: Weak authentication, login flaws, or poor session management.

Example: Unlimited login attempts are allowed, so brute force is never blocked; or session IDs are exposed in URLs and are not rotated after login.

Impact: Account takeover, identity theft, privilege escalation.

Mitigation: Use multi-factor authentication (MFA), enforce strong passwords and check them against breached-password lists, limit failed attempts, and manage sessions securely (random IDs, rotated after login, invalidated on logout and timeout).
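
An added Python example, not from the original notes, serving both item 4 (the missing lockout control) and item 7 (limiting failed attempts): a login gate that wraps the credential check with per-account lockout and per-source-IP throttling. The limits, users and addresses are constructed, and the clock is injectable so the lockout expiry can be exercised without waiting.

```python
# Added example (not from the original page): brute-force protection around a
# credential check. Limits, users and IP addresses are constructed.
import time
from collections import defaultdict
from typing import Callable, Dict, Tuple

MAX_ACCOUNT_FAILURES = 5      # then lock the account (constructed limit)
MAX_IP_FAILURES = 20          # then throttle the source address, catches password spraying
LOCKOUT_SECONDS = 15 * 60

Key = Tuple[str, str]


class LoginGate:
    """Per-account lockout plus per-IP throttling in front of a credential check.
    The clock is injectable so behaviour can be tested without sleeping."""

    def __init__(self, check_credentials: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.check_credentials = check_credentials
        self.clock = clock
        self.failures: Dict[Key, int] = defaultdict(int)
        self.locked_until: Dict[Key, float] = {}

    def _locked(self, key: Key, now: float) -> bool:
        return now < self.locked_until.get(key, 0.0)

    def attempt(self, username: str, password: str, source_ip: str) -> str:
        """Returns "ok", "denied" (bad credentials) or "locked" (not even checked)."""
        now = self.clock()
        acct, src = ("account", username), ("ip", source_ip)
        if self._locked(acct, now) or self._locked(src, now):
            # Do not run the check at all: the attacker gains nothing from the attempt
            return "locked"
        if self.check_credentials(username, password):
            self.failures.pop(acct, None)
            return "ok"
        for key, limit in ((acct, MAX_ACCOUNT_FAILURES), (src, MAX_IP_FAILURES)):
            self.failures[key] += 1
            if self.failures[key] >= limit:
                self.locked_until[key] = now + LOCKOUT_SECONDS
                self.failures.pop(key)   # the counter restarts once the lock expires
        return "denied"


if __name__ == "__main__":
    # Constructed credential store with a single user
    gate = LoginGate(lambda u, p: u == "alice" and p == "correct-password")
    for _ in range(MAX_ACCOUNT_FAILURES):
        print(gate.attempt("alice", "guess", "10.0.0.1"))   # denied x5
    print(gate.attempt("alice", "correct-password", "10.0.0.1"))  # locked, even with the right password
```

Lockout on its own lets an attacker lock victims out on purpose, which is why the gate also throttles by source address and why production deployments pair it with MFA, CAPTCHA after a few failures, and an alert (item 9) when the lock triggers.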

8. Software and Data Integrity Failures

Definition: Untrusted or unverified code, updates, or supply chain issues.

Example: App updates itself from an unverified server → attacker injects malicious code.

Impact: Supply chain compromise in which every downstream installation runs the attacker's code (e.g., the SolarWinds breach).

Mitigation: Verify digital signatures on updates and packages, pin dependency hashes in lockfiles, pull only from trusted repositories, and protect the CI/CD pipeline that builds and publishes the artifacts.
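
An added Python example, not from the original notes, of the integrity-check half of the mitigation: an update is accepted only if it matches a digest the client already trusts, and the anti-pattern of trusting a hash served by the same server is shown beside it. Signature verification needs a library such as cryptography or PyNaCl, so a pinned SHA-256 (the model used by lockfile hashes) stands in here; payloads and the manifest are constructed, and the digest is computed at import time only to keep the example self-contained.

```python
# Added example (not from the original page): artifact integrity against a
# pinned digest. Payloads and manifest are constructed.
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when an artifact does not match its trusted digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed payloads. In a real deployment the pinned digest is a literal
# committed with the code or delivered in a signed release manifest; it is
# computed here only so the example runs stand-alone.
GOOD_UPDATE = b"constructed update payload v2"
TAMPERED_UPDATE = b"constructed update payload v2 + backdoor"
PINNED_MANIFEST = {"update-v2.bin": sha256_hex(GOOD_UPDATE)}


def verify_against_server_hash(data: bytes, server_hash: str) -> bool:
    """The anti-pattern: the hash arrives from the same untrusted server as the
    file, so whoever swaps the file simply serves a matching hash as well."""
    return hmac.compare_digest(sha256_hex(data), server_hash)


def verify_artifact(name: str, data: bytes, manifest=PINNED_MANIFEST) -> bool:
    """Integrity check against a digest the client trusted before the download."""
    expected = manifest.get(name)
    if expected is None:
        return False   # unknown artifact: refuse rather than fall back to trusting the server
    return hmac.compare_digest(sha256_hex(data), expected)


def apply_update(name: str, data: bytes, manifest=PINNED_MANIFEST) -> str:
    if not verify_artifact(name, data, manifest):
        raise IntegrityError(f"{name}: digest mismatch, update rejected")
    return f"{name} installed"


if __name__ == "__main__":
    print(apply_update("update-v2.bin", GOOD_UPDATE))
    # The swapped payload passes when the hash comes from the attacker's server...
    print(verify_against_server_hash(TAMPERED_UPDATE, sha256_hex(TAMPERED_UPDATE)))
    # ...and fails against the pinned manifest
    try:
        apply_update("update-v2.bin", TAMPERED_UPDATE)
    except IntegrityError as exc:
        print("rejected:", exc)
```

The same rule governs lockfile hashes and subresource integrity: the expected value must reach the verifier by a path the attacker does not control, otherwise the check proves nothing.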

9. Security Logging and Monitoring Failures

Definition: Attacks go undetected due to poor or missing logging.

Example: Thousands of brute-force attempts happen, but system logs nothing and alerts no one.

Impact: Delayed or no response to breaches, compliance violations.

Mitigation: Log authentication, access-control and input-validation failures with enough context (who, what, when, from where), protect the logs from tampering, set up alerts on suspicious patterns, and feed the logs to a SIEM for real-time detection.
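
An added Python example, not from the original notes, of the detection side: a sliding-window count of failed logins per source address over sample log lines. The log format and every line in the sample are constructed; a SIEM rule does the same thing at scale.

```python
# Added example (not from the original page): brute-force detection over
# authentication logs. The log format and sample lines are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Constructed format: "<date> <time> auth <event> user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(\S+ \S+) auth (\w+) user=(\S+) ip=(\S+)$")
THRESHOLD = 10                 # failures per source within the window
WINDOW = timedelta(seconds=60)

# Constructed sample: 12 failures from one address in 12 seconds, two unrelated
# failures minutes apart from another address, and one successful login
SAMPLE_LOG = (
    [f"2024-05-01 10:00:{i:02d} auth login_failed user=u{i} ip=203.0.113.5" for i in range(12)]
    + ["2024-05-01 10:05:00 auth login_failed user=alice ip=198.51.100.7",
       "2024-05-01 10:09:00 auth login_failed user=alice ip=198.51.100.7",
       "2024-05-01 10:09:30 auth login_ok user=alice ip=198.51.100.7"]
)


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None   # unparseable lines are skipped, not silently counted
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "event": m.group(2), "user": m.group(3), "ip": m.group(4)}


def detect_bruteforce(lines, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> List[dict]:
    """One alert per source IP the first time its failures within `window`
    reach `threshold`; distinct_users high means spraying, low means one target."""
    recent: Dict[str, Deque[dict]] = defaultdict(deque)
    alerts: List[dict] = []
    alerted = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "login_failed":
            continue
        q = recent[rec["ip"]]
        q.append(rec)
        while q and rec["ts"] - q[0]["ts"] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append({"ip": rec["ip"], "failures": len(q),
                           "distinct_users": len({r["user"] for r in q}),
                           "first": q[0]["ts"], "last": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The rule only works because each line carries the event type, the user and the source address; a log that says "login failed" with no context cannot be correlated, which is the failure this item describes.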

10. Server-Side Request Forgery (SSRF)

Definition: The attacker makes the server issue requests to a destination of the attacker's choosing, typically one the attacker cannot reach directly.

Example: User submits a URL for the server to fetch; the server requests http://localhost/admin (or a cloud metadata endpoint such as http://169.254.169.254/) and returns internal content to the attacker.

Impact: Internal network exposure, remote code execution, sensitive data leaks.

Mitigation: Allowlist the hosts the server may contact, enforce the scheme and port, resolve the hostname and reject private, loopback and link-local addresses (re-checking on every redirect, or not following redirects at all), and segment the network so the application server cannot reach internal services it does not need.
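
An added Python example, not from the original notes, of an outbound-URL validator that applies those checks: scheme and port restrictions, a host allowlist, and a resolve-then-check step that rejects non-public addresses (including IPv4-mapped IPv6 forms). The allowlist is constructed, and the resolver is injectable so the rebinding case can be shown without network access.

```python
# Added example (not from the original page): SSRF guard for a user-supplied
# URL. The allowlist is constructed; the resolver is injectable for testing.
import ipaddress
import socket
from typing import Callable, Iterable, Set, Tuple
from urllib.parse import urlparse

# Constructed allowlist: the only hosts this feature is ever meant to fetch from
ALLOWED_HOSTS: Set[str] = {"api.example.test"}


def system_resolver(host: str) -> list:
    """Resolve with the OS resolver (uses the network); tests inject a fake instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(text: str) -> bool:
    """True only for globally routable addresses: rejects loopback, RFC 1918,
    link-local (which covers 169.254.169.254, the cloud metadata service),
    documentation ranges, and IPv4-mapped IPv6 forms of the same."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def validate_outbound_url(url: str,
                          resolver: Callable[[str], Iterable[str]] = system_resolver,
                          allowed_hosts: Set[str] = ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Returns (ok, detail). On success detail is the resolved address; connect
    to that address directly so a second DNS lookup cannot rebind the name."""
    try:
        parts = urlparse(url)
        host, port = parts.hostname, parts.port   # .port raises ValueError if malformed
    except ValueError:
        return False, "malformed url"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "no host"
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"   # also catches user@host tricks
    if port not in (None, 80, 443):
        return False, f"port {port} not allowed"
    try:
        addresses = list(resolver(host))
    except OSError:
        return False, "dns resolution failed"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, addresses[0]


if __name__ == "__main__":
    # Constructed resolver table so the demo runs offline
    table = {"api.example.test": ["93.184.216.34"]}
    fake = lambda h: table[h] if h in table else (_ for _ in ()).throw(OSError(h))
    for candidate in ("https://api.example.test/v1/report",
                      "http://localhost/admin",
                      "http://169.254.169.254/latest/meta-data/",
                      "https://api.example.test@169.254.169.254/"):
        print(candidate, "->", validate_outbound_url(candidate, fake))
```

The HTTP client that follows this check must connect to the returned address and must not follow redirects on its own, otherwise an allowlisted host can bounce the server to an internal one.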