
📘 OWASP TOP 10 — COMPLETE IN-DEPTH GUIDE (BASIC → ADVANCED)

Covers all 10 categories with:

  • Fundamentals
  • Root causes
  • Architecture-level impact
  • Threat modeling view
  • Business impact
  • Developer mistakes
  • Defensive patterns
  • Testing & exploitation techniques
  • Tools
  • Real examples
  • .NET Core perspective (when relevant)

🔄 A01 — BROKEN ACCESS CONTROL

The #1 risk in the 2021 list: 94% of the applications in the OWASP dataset were tested for some form of broken access control (average incidence rate 3.81%), and the category had more CWE occurrences than any other.


1. What It Is

Access Control = Who can do what in the system.

Broken Access Control occurs when:

  • Users access data they shouldn’t
  • Users perform actions they shouldn’t
  • Unauthorized internal access is possible
  • Server trusts client-side enforcement
  • Object-level access is not checked

2. Real-world Examples

  • User changes /profile?id=2345 to another id and sees that user's account (IDOR)
  • Regular user calling an admin API such as /admin/deleteUser?id=999
  • Buttons hidden or removed in the UI, but the backing API still accepts the request
  • File download endpoint that serves whatever path it is given, leaking sensitive files
  • Internal services (for example a cloud metadata endpoint) reachable because the only "access control" is network position; SSRF itself is tracked separately as A10:2021

3. Types of Access Control Failures

3.1 Horizontal Privilege Escalation

Accessing another user’s data.

3.2 Vertical Privilege Escalation

Non-admin performing admin-level functions.

3.3 Context Bypass

Skipping steps:

  • Reset password without previous verification
  • Accessing protected resources directly

3.4 Broken Object-Level Authorization (BOLA)

Most common in APIs (it is API1 in the OWASP API Security Top 10).
Example: /api/users/4/settings readable or writable by user 1, because the handler checks that the caller is logged in, not that the caller owns user 4.


4. Root Causes

  • No server-side authorization checks
  • Using IDs directly from client input without checking ownership
  • Relying on the UI to hide privileged actions
  • Trusting role claims from a JWT without verifying the signature, or roles supplied in the request
  • Misconfigured frameworks (missing [Authorize], no fallback policy, so new endpoints are anonymous by default)
  • No policy-based access control, so every endpoint re-implements (or forgets) the check

5. Impact

  • Data breach
  • Account takeover
  • Unauthorized overdraft/money transfer
  • Full system compromise via SSRF or internal resource access
  • Regulatory/legal impact (GDPR, HIPAA)

6. Defensive Design (Advanced)

6.1 Use Policy-based Authorization

ASP.NET Core:

  • Authorization policies ([Authorize(Policy = "...")], plus a FallbackPolicy so unannotated endpoints are denied rather than open)
  • Claims and roles taken from the verified authentication ticket
  • Resource-based authorization handlers (IAuthorizationHandler + IAuthorizationService), which check the loaded object, not just the route

6.2 Enforce Access Control at Server-Side Only

Never trust:

  • Hidden HTML fields
  • Disabled buttons
  • JWT contents that have not been signature-verified on the server
  • Role or user-id values supplied by the client in headers, bodies or query strings

6.3 Dynamic Authorization

ACL checks based on:

  • Resource owner
  • Business logic
  • Environmental conditions (IP, device fingerprint)

6.4 Avoid Direct Object References

Use:

  • UUIDs
  • Hashed IDs
  • Server-mapped opaque tokens

This is defense in depth only: an unguessable ID slows enumeration but does not replace the server-side check, because IDs leak through logs, Referer headers and shared links.

6.5 Enforce Least Privilege

  • Role explosion is a red flag
  • Use fine-grained policies
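
The resource-based handler and object-level check described in 6.1 and 6.4, as an added example for this guide (not code from the original article or from any project it names). It assumes an ASP.NET Core minimal-API project with authentication already configured; Order, IOrderStore, the route paths and the "admin" role name are hypothetical.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical domain types for this example.
public record Order(Guid Id, string OwnerUserId, decimal Amount);
public interface IOrderStore { Order? Find(Guid id); }

// Resource-based authorization: the decision is made on the server against the loaded
// object, not against an id or role value the client sent.
public sealed class OwnerOrAdminRequirement : IAuthorizationRequirement { }

public sealed class OrderOwnerHandler : AuthorizationHandler<OwnerOrAdminRequirement, Order>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext ctx, OwnerOrAdminRequirement req, Order order)
    {
        // NameIdentifier comes from the verified authentication ticket, not from the request body.
        string? userId = ctx.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId is not null && (userId == order.OwnerUserId || ctx.User.IsInRole("admin")))
            ctx.Succeed(req);
        return Task.CompletedTask;   // not calling Succeed means "deny"
    }
}

public static class OrderEndpoints
{
    public static void Map(WebApplication app)
    {
        // VULNERABLE (BOLA / IDOR): authenticated, but any user can read any order by changing the id.
        app.MapGet("/vuln/orders/{id:guid}", (Guid id, IOrderStore store) =>
                store.Find(id) is { } found ? Results.Ok(found) : Results.NotFound())
           .RequireAuthorization();

        // FIXED: load the object first, then ask IAuthorizationService about *this* object.
        app.MapGet("/orders/{id:guid}", async (Guid id, IOrderStore store,
                                               IAuthorizationService authz, ClaimsPrincipal user) =>
        {
            Order? order = store.Find(id);
            if (order is null) return Results.NotFound();

            AuthorizationResult result =
                await authz.AuthorizeAsync(user, order, new OwnerOrAdminRequirement());
            // Returning 404 instead of 403 also avoids confirming that the id exists.
            return result.Succeeded ? Results.Ok(order) : Results.NotFound();
        }).RequireAuthorization();
    }

    // Wiring in Program.cs (hypothetical; authentication setup omitted):
    //   builder.Services.AddAuthorization();
    //   builder.Services.AddSingleton<IAuthorizationHandler, OrderOwnerHandler>();
    //   ...
    //   OrderEndpoints.Map(app);
}
```

The handler is the single place the ownership rule lives; every endpoint that hands it an Order gets the same decision, which is what "policy-based" buys you over ad-hoc if-statements scattered through controllers.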

7. How Attackers Test It

  • Changing IDs manually (?id=1 → 2 → 3) while logged in as a low-privilege user
  • Calling admin endpoints directly, and with each HTTP method (GET blocked, POST or PUT forgotten)
  • Modifying JWT claims and checking whether the signature is really verified (alg=none, edited role)
  • Replaying every request captured as user A with user B's session (Burp extensions such as Autorize or Auth Analyzer do this automatically)
  • Disabling JavaScript and submitting hidden or disabled actions
  • Fuzzing API parameters and path segments (/api/users/{id}/...)

8. Tools

  • Burp Suite with the Autorize or Auth Analyzer extensions (replay as a second identity)
  • OWASP ZAP Access Control Testing add-on
  • Postman collections replayed with a second identity, plus a fuzzer
  • Static review of [Authorize] usage in ASP.NET Core (an endpoint with no [Authorize] and no fallback policy is anonymous)


🔄 A02 — CRYPTOGRAPHIC FAILURES

Failures in encryption, hashing, key management, TLS, secrets storage.


1. What It Is

Occurs when sensitive data is:

  • Not encrypted in transit or at rest
  • Encrypted with weak or broken algorithms
  • Mishandled (keys in code, reused or predictable IVs/nonces, reused salts, unauthenticated ciphertext)

2. Examples

  • No HTTPS, or HTTPS with an HTTP fallback and no HSTS
  • Storing passwords in plaintext or under a fast hash
  • Using MD5 / SHA-1 for passwords, signatures or integrity checks
  • Hardcoded encryption keys checked into Git
  • Using ECB mode, or CBC without authentication
  • Weak or guessable JWT signing key (HS256 with a short secret)
  • Missing Secure and HttpOnly flags on session cookies

3. Sensitive Data Types

  • Personal data (PII)
  • Financial data
  • Session tokens
  • Health records
  • Credentials

4. Root Causes

  • Developers “rolling their own crypto”
  • Misconfigured TLS (old versions, weak suites, unvalidated certificates)
  • No key rotation, so one leaked key exposes everything ever encrypted under it
  • Poor randomness sources (System.Random or timestamps instead of a CSPRNG)
  • Outdated crypto libraries with known breaks

5. Prevention (Advanced)

5.1 Never build your own cryptography

Use:

  • .NET Data Protection API (the framework's protect/unprotect with managed, rotated keys; what ASP.NET Core uses for cookies and anti-forgery tokens)
  • System.Security.Cryptography (AES-GCM, RSA, ECDSA, PBKDF2) for anything lower level
  • AWS KMS / Secrets Manager, Azure Key Vault for keys and secrets
  • libsodium for a misuse-resistant general-purpose library

5.2 Enforce TLS everywhere

  • TLS 1.2/1.3 only; prefer 1.3 and AEAD cipher suites
  • Disable weak cipher suites (RC4, 3DES, export, NULL), client-initiated renegotiation and TLS compression; send HSTS

5.3 Strong Hashing

Use a dedicated password hashing function: Argon2id (preferred), scrypt, bcrypt, or PBKDF2 with a high iteration count, always with a per-user random salt. SHA-256 and friends are fine for integrity, not for passwords: they are too fast to slow down offline guessing.

5.4 Proper Key Management

  • No keys in code
  • No keys in config files or environment files committed to the repo
  • Store keys in a secrets manager, KMS or HSM and fetch them at runtime
  • Rotate keys regularly and on suspected compromise; keep old keys only for decrypting existing data

6. Testing Methods

  • SSL Labs test (protocol versions, cipher suites, certificate chain)
  • Burp Suite passive scan
  • Checking HSTS and cookie attributes (Secure, HttpOnly, SameSite)
  • Testing entropy and predictability of tokens and session IDs (Burp Sequencer)
  • Checking databases, logs and backups for plaintext secrets; grepping repositories for keys


🔄 A03 — INJECTION

One of the oldest and most dangerous classes.

Includes:

  • SQL Injection
  • NoSQL Injection
  • OS command injection
  • LDAP Injection
  • Cross-Site Scripting (XSS), folded into Injection since the 2021 list

1. What It Is

Untrusted input is interpreted as code or commands by an interpreter (SQL engine, shell, browser, LDAP server, template engine) instead of as plain data.


2. Examples

  • '; DROP TABLE users --
  • XSS: <script>alert('x')</script>
  • Command injection: ; rm -rf /
  • MongoDB injection: { $ne: null }

3. Causes

  • Building queries or commands by string concatenation
  • Raw SQL with interpolated input (FromSqlRaw with a concatenated string instead of parameters)
  • eval() and other dynamic code execution on user input
  • Server-side template injection (user input rendered as a template, not as a value)
  • Unsafe deserialization (also an A08 integrity issue) that lets input drive object construction

4. Prevention

4.1 Parameterized Queries

  • Entity Framework Core: LINQ, or FromSqlInterpolated / FromSql, which bind values as parameters; never FromSqlRaw with concatenated input
  • Dapper: pass values in the parameter object, not in the SQL string
  • ADO.NET: SqlParameter / AddWithValue, with the SQL text fixed before any user value is seen
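
The vulnerable and parameterized forms side by side, added here as an example (not the article's code), run against a constructed in-memory SQLite table. It assumes the Microsoft.Data.Sqlite package; the table, rows and payload are made up for the demonstration.

```csharp
using System;
using Microsoft.Data.Sqlite;   // NuGet: Microsoft.Data.Sqlite; in-memory database, no server needed

public static class UserLookup
{
    // Constructed demo table with two rows.
    public static SqliteConnection OpenDemoDb()
    {
        var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using var setup = conn.CreateCommand();
        setup.CommandText =
            "CREATE TABLE users(name TEXT NOT NULL, email TEXT NOT NULL);" +
            "INSERT INTO users VALUES ('alice', 'alice@example.test'), ('bob', 'bob@example.test');";
        setup.ExecuteNonQuery();
        return conn;
    }

    // VULNERABLE: the input is spliced into the SQL text, so a quote in it changes the grammar.
    public static long CountByNameUnsafe(SqliteConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = $"SELECT COUNT(*) FROM users WHERE name = '{name}'";
        return (long)cmd.ExecuteScalar()!;
    }

    // FIXED: the SQL text is constant; the value is bound as a parameter and never parsed as SQL.
    public static long CountByNameSafe(SqliteConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM users WHERE name = @name";
        cmd.Parameters.AddWithValue("@name", name);
        return (long)cmd.ExecuteScalar()!;
    }

    // Dapper and EF Core bind the same way when used correctly:
    //   conn.ExecuteScalar<long>("SELECT COUNT(*) FROM users WHERE name = @name", new { name });
    //   db.Users.FromSqlInterpolated($"SELECT * FROM users WHERE name = {name}")  // bound
    //   db.Users.FromSqlRaw("SELECT * FROM users WHERE name = '" + name + "'")    // injectable

    public static void Main()
    {
        using var conn = OpenDemoDb();
        const string payload = "' OR '1'='1";   // tautology: WHERE name = '' OR '1'='1'
        Console.WriteLine(CountByNameUnsafe(conn, payload));   // every row matches
        Console.WriteLine(CountByNameSafe(conn, payload));     // no row is literally named that
        Console.WriteLine(CountByNameSafe(conn, "alice"));     // the one real match
    }
}
```

Run as a console app: the unsafe query counts both rows because the payload turns the WHERE clause into a tautology, while the parameterized query counts none, since the same bytes are compared as a literal name. The only difference between the two methods is where the user value enters: the SQL text, or a bound parameter.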

4.2 Output Encoding

Encode for the context the value lands in, not once at input:

  • HTML encode (HtmlEncoder; Razor does this for @ expressions by default)
  • JavaScript encode (JavaScriptEncoder) for values embedded in script
  • URL encode (UrlEncoder) for values placed in query strings or paths

4.3 Content Security Policy (CSP)

A second layer against XSS: it restricts where scripts may load from and blocks inline script. It complements output encoding; it does not replace it.

4.4 Disable Dangerous APIs

  • eval(), Function(), innerHTML / document.write with untrusted input
  • Reflection or dynamic invocation driven by user input (type or method names taken from the request)

5. Testing

  • Fuzz input
  • Automated scanners
  • SQLmap
  • NoSQLMap
  • Burp Intruder


🔄 A04 — INSECURE DESIGN

Not a bug. A systemic failure.


1. What It Is

Flaws in the design itself, so that even a perfect implementation of that design is insecure; no code patch fixes a control that was never specified.


2. Examples

  • No rate limiting on login → brute force attacks
  • Architecture trusting client-side logic
  • Money transfer flow missing verification
  • No threat model
  • No secure workflow

3. Causes

  • No security requirements
  • No secure-by-design approach
  • Lack of architecture reviews

4. Prevention

  • Threat modeling (STRIDE, Attack Trees)
  • Use ASVS as design requirements
  • Defense in depth
  • Secure design reviews


🔄 A05 — SECURITY MISCONFIGURATION


1. What It Is

Errors in deployment or environment configuration.


Examples

  • Debug mode enabled
  • Default credentials
  • Public S3 bucket
  • Missing security headers
  • Verbose error messages

Advanced Prevention

  • Infrastructure-as-Code (IaC)
  • CIS benchmarks
  • Zero-trust network configs
  • Use container image scanning
  • Disable unused features


🔄 A06 — VULNERABLE & OUTDATED COMPONENTS


1. What It Is

Using:

  • Outdated frameworks
  • Libraries with CVEs
  • Unsupported operating systems

2. Prevention

  • Automated SCA tools (Snyk, Dependabot, Mend (formerly WhiteSource), OWASP Dependency-Check, dotnet list package --vulnerable)
  • Patch management policy with a remediation SLA per severity
  • Maintain an SBOM (CycloneDX or SPDX) so "are we affected?" can be answered within minutes of a new CVE


🔄 A07 — IDENTIFICATION & AUTHENTICATION FAILURES


1. What It Is

Flaws in login, identity, session management.


Examples

  • No MFA
  • Weak password reset flows
  • Session IDs exposed
  • JWT signed with weak key
  • No brute-force protection

Advanced Prevention

  • Implement MFA (phishing-resistant where possible: FIDO2 / WebAuthn)
  • Secure password reset flows: single-use, short-lived tokens from a CSPRNG, delivered out of band
  • Rotate session tokens: issue a new session ID on login and on privilege change; invalidate on logout
  • Generate session IDs with a CSPRNG, never from user IDs, timestamps or counters
  • Short-lived access JWTs plus revocable refresh tokens; verify signature, issuer, audience and expiry on every request
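
Issuing and validating a short-lived JWT in .NET, added as an example (not from the article). It ties together the JWT points raised in A01 (modified claims), A02 (weak signing key) and this section: the key is 256 bits, the algorithm is pinned so alg=none and RS/HS confusion are rejected, and lifetime is enforced with a tight clock skew. It assumes the System.IdentityModel.Tokens.Jwt package; the issuer, audience and claim names are hypothetical.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;   // NuGet: System.IdentityModel.Tokens.Jwt
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class JwtDemo
{
    // Generated at startup only for this demo; in production the key comes from a vault (A02).
    // 32 random bytes = 256 bits, the minimum the library accepts for HS256.
    private static readonly SymmetricSecurityKey Key = new(RandomNumberGenerator.GetBytes(32));
    private const string Issuer = "https://auth.example";   // hypothetical
    private const string Audience = "orders-api";           // hypothetical

    public static string Issue(string userId, string role, TimeSpan lifetime)
    {
        var handler = new JwtSecurityTokenHandler();
        DateTime now = DateTime.UtcNow;
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, userId),
            new Claim("role", role),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),  // unique id, enables revocation lists
        });
        JwtSecurityToken token = handler.CreateJwtSecurityToken(
            issuer: Issuer, audience: Audience, subject: identity,
            notBefore: now, expires: now.Add(lifetime), issuedAt: now,
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return handler.WriteToken(token);
    }

    // Strict validation: pinned algorithm, issuer, audience, signature and lifetime.
    // Returns the principal or null; the reason for rejection stays in server logs, not in the response.
    public static ClaimsPrincipal? Validate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = Key,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },  // blocks alg=none and RS/HS swaps
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            RequireExpirationTime = true,
            ClockSkew = TimeSpan.FromSeconds(30),   // library default is 5 minutes; tighten it
        };
        try
        {
            return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
        }
        catch (Exception e) when (e is SecurityTokenException || e is ArgumentException)
        {
            return null;
        }
    }
}
```

Usage: Issue("user-42", "customer", TimeSpan.FromMinutes(10)) yields a token that Validate accepts; the same string with its payload edited (role changed to admin) fails signature validation, a token re-signed under a different algorithm fails the ValidAlgorithms check, and after ten minutes plus the skew it fails lifetime validation. Refresh tokens, which are long-lived, belong in server-side storage where they can be revoked, not in the JWT.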


🔄 A08 — SOFTWARE & DATA INTEGRITY FAILURES


1. What It Is

Code or data whose integrity is not verified before it is trusted:

  • Unsigned or unverified updates
  • Data from untrusted sources treated as trusted
  • Dependency tampering (compromised or typosquatted packages, hijacked CI/CD steps)
  • Insecure deserialization of untrusted input (in .NET, BinaryFormatter and other type-resolving deserializers)

Protection

  • Signed updates, verified before installation
  • Signed packages and lock files (packages.lock.json, NuGet signature verification) so a resolved dependency cannot change silently
  • Hash verification of downloaded artifacts against a pinned digest
  • Do not use BinaryFormatter (obsolete in .NET 5+, disabled by default in ASP.NET Core 5+); deserialize only into fixed, known types
  • Protect CI/CD pipelines: least-privilege runners, reviewed pipeline definitions, no secrets in build logs


🔄 A09 — LOGGING & MONITORING FAILURES


1. What It Is

Security events not logged or not alerted on.


Examples

  • No logs for failed logins
  • No alerts for access control violations
  • Logs not protected

Best Practices

  • Centralized logging (ELK / Splunk / SIEM)
  • Correlation IDs
  • Audit trails
  • Real-time alerting
  • Protect logs from tampering


🔄 A10 — SERVER-SIDE REQUEST FORGERY (SSRF)


1. What It Is

The application fetches a URL the user controls (webhooks, image import, PDF rendering, link previews), so the attacker makes the server send requests on their behalf, from inside the network.


Attack Impact

  • Read cloud instance metadata (AWS/Azure/GCP) and steal the instance's credentials
  • Pivot into internal networks and services that trust the server's IP (admin panels, databases, Redis)
  • Port-scan and fingerprint internal hosts from response timing and error messages

Prevention

  • Allowlist outbound destinations (scheme, host, port) and reject everything else; a denylist of internal ranges on its own is bypassed with redirects, DNS rebinding and alternate IP encodings
  • Resolve the hostname and check every resulting IP against private, loopback and link-local ranges before connecting, and do not follow redirects automatically
  • Restrict the metadata endpoint: require IMDSv2 on AWS (session-token based) and block 169.254.169.254 from workloads that do not need it
  • Network segmentation and egress filtering, so the app tier cannot reach internal services it has no business with
  • Avoid taking full URLs from users at all; let them choose an identifier the server maps to a fixed URL
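
The allowlist-plus-resolution check described above, added as an example (not code from the article). It assumes .NET 6 or later; the allowlisted hostnames are hypothetical and the private-range table is the example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Sockets;
using System.Threading.Tasks;

public static class OutboundUrlGuard
{
    // Hypothetical allowlist: the only hosts this service is ever supposed to call.
    private static readonly HashSet<string> AllowedHosts =
        new(StringComparer.OrdinalIgnoreCase) { "api.partner.example", "cdn.example" };

    // Rejects loopback, private, link-local (incl. 169.254.169.254 cloud metadata),
    // CGNAT (100.64/10, used by some metadata services), multicast and reserved ranges.
    public static bool IsPublicAddress(IPAddress ip)
    {
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();          // ::ffff:10.0.0.1 is still 10.0.0.1
        if (ip.AddressFamily == AddressFamily.InterNetworkV6)
            return !(IPAddress.IsLoopback(ip) || ip.IsIPv6LinkLocal || ip.IsIPv6SiteLocal
                     || ip.IsIPv6UniqueLocal || ip.Equals(IPAddress.IPv6Any));
        byte[] b = ip.GetAddressBytes();
        return !(b[0] == 0 || b[0] == 10 || b[0] == 127 || b[0] >= 224
              || (b[0] == 169 && b[1] == 254)
              || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)
              || (b[0] == 192 && b[1] == 168)
              || (b[0] == 100 && b[1] >= 64 && b[1] <= 127));
    }

    // Structural checks (no network): scheme, no credentials, no IP literals, host on the allowlist.
    public static bool TryParseAllowed(string input, out Uri uri)
    {
        uri = null!;
        if (!Uri.TryCreate(input, UriKind.Absolute, out Uri? parsed)) return false;
        if (parsed.Scheme != Uri.UriSchemeHttps) return false;           // no http:, file:, gopher:, ...
        if (!string.IsNullOrEmpty(parsed.UserInfo)) return false;        // https://api.partner.example@evil/
        if (parsed.HostNameType != UriHostNameType.Dns) return false;    // no 127.0.0.1, 0x7f000001, [::1]
        if (!AllowedHosts.Contains(parsed.Host)) return false;
        uri = parsed;
        return true;
    }

    // Resolution check: every address the name resolves to must be public.
    public static async Task<bool> ResolvesToPublicAsync(Uri uri)
    {
        IPAddress[] addrs = await Dns.GetHostAddressesAsync(uri.Host);
        return addrs.Length > 0 && addrs.All(IsPublicAddress);
    }

    // No automatic redirects: a 302 from an allowed host to http://169.254.169.254/ must not be followed.
    public static HttpClient CreateClient() =>
        new(new SocketsHttpHandler { AllowAutoRedirect = false }) { Timeout = TimeSpan.FromSeconds(5) };

    public static async Task<string?> FetchAsync(string userSuppliedUrl)
    {
        if (!TryParseAllowed(userSuppliedUrl, out Uri uri) || !await ResolvesToPublicAsync(uri))
            return null;   // log the rejection server-side; do not echo the reason to the caller
        using HttpClient client = CreateClient();
        using HttpResponseMessage resp = await client.GetAsync(uri);
        return resp.IsSuccessStatusCode ? await resp.Content.ReadAsStringAsync() : null;
    }
}
```

One gap remains by design of the example: the name is resolved once for the check and again by HttpClient for the connection, which is the window DNS rebinding exploits. Closing it means connecting to the address that was actually checked, for instance through SocketsHttpHandler.ConnectCallback, or pairing this check with egress filtering at the network layer so a rebound name still cannot reach anything internal.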

