{"id":54274,"date":"2025-11-30T18:16:28","date_gmt":"2025-11-30T18:16:28","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=54274"},"modified":"2025-11-30T18:16:28","modified_gmt":"2025-11-30T18:16:28","slug":"owasp-top-10-complete-in-depth-guide","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/owasp-top-10-complete-in-depth-guide\/","title":{"rendered":"OWASP TOP 10 \u2014 COMPLETE IN-DEPTH GUIDE"},"content":{"rendered":"\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udcd8 <strong>OWASP TOP 10 \u2014 COMPLETE IN-DEPTH GUIDE (BASIC \u2192 ADVANCED)<\/strong><\/h1>\n\n\n\n<h3 class=\"wp-block-heading\">Covers all 10 categories of the 2021 list with:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fundamentals<\/li>\n\n\n\n<li>Root causes<\/li>\n\n\n\n<li>Architecture-level impact<\/li>\n\n\n\n<li>Threat modeling view<\/li>\n\n\n\n<li>Business impact<\/li>\n\n\n\n<li>Developer mistakes<\/li>\n\n\n\n<li>Defensive patterns<\/li>\n\n\n\n<li>Testing &amp; exploitation techniques<\/li>\n\n\n\n<li>Tools<\/li>\n\n\n\n<li>Real examples<\/li>\n\n\n\n<li>.NET Core perspective (when relevant)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udd25 <strong>A01 \u2014 BROKEN ACCESS CONTROL<\/strong><\/h1>\n\n\n\n<p>The #1 risk: in the OWASP 2021 data set, the CWEs mapped to broken access control had more occurrences in tested applications than those of any other category.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. 
What It Is<\/strong><\/h2>\n\n\n\n<p>Access control decides who may do <em>what<\/em> to <em>which<\/em> resource, and the server must enforce that decision on every request.<\/p>\n\n\n\n<p>Broken Access Control occurs when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Users read data they shouldn&#8217;t<\/li>\n\n\n\n<li>Users perform actions they shouldn\u2019t<\/li>\n\n\n\n<li>Internal or privileged endpoints are reachable without the intended authorization<\/li>\n\n\n\n<li>The server trusts client-side enforcement (hidden UI, disabled buttons, client-held role values)<\/li>\n\n\n\n<li>Object-level access is not checked, so any authenticated user can reach any object id<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>2. Real-world Examples<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>User changes <code>\/profile?id=2345<\/code> to another id \u2192 sees another user&#8217;s account<\/li>\n\n\n\n<li>Regular user calling an admin API directly: <code>\/admin\/deleteUser?id=999<\/code><\/li>\n\n\n\n<li>Admin buttons hidden in the UI while the backing API stays reachable<\/li>\n\n\n\n<li>File download endpoint that serves whatever file id or path the client asks for<\/li>\n\n\n\n<li>SSRF used to reach an internal metadata service (a separate category, A10, in the 2021 list; the 2025 release folds it into Broken Access Control)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>3. 
Types of Access Control Failures<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3.1 Horizontal Privilege Escalation<\/strong><\/h3>\n\n\n\n<p>Accessing <em>another<\/em> user&#8217;s data.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3.2 Vertical Privilege Escalation<\/strong><\/h3>\n\n\n\n<p>Non-admin performing <strong>admin-level functions<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3.3 Context Bypass<\/strong><\/h3>\n\n\n\n<p>Skipping steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reset password without previous verification<\/li>\n\n\n\n<li>Accessing protected resources directly<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3.4 Broken Object-Level Authorization (BOLA)<\/strong><\/h3>\n\n\n\n<p>Most common in APIs.<br>Example: <code>\/api\/users\/4\/settings<\/code> accessible by user 1.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>4. Root Causes<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No server-side authorization checks<\/li>\n\n\n\n<li>Using IDs directly from client input<\/li>\n\n\n\n<li>Relying on UI to hide privileged actions<\/li>\n\n\n\n<li>Over-trusting JWT claims or client-side roles<\/li>\n\n\n\n<li>Misconfigured frameworks<\/li>\n\n\n\n<li>No policy-based access control<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>5. Impact<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data breach<\/li>\n\n\n\n<li>Account takeover<\/li>\n\n\n\n<li>Unauthorized overdraft\/money transfer<\/li>\n\n\n\n<li>Full system compromise via SSRF or internal resource access<\/li>\n\n\n\n<li>Regulatory\/legal impact (GDPR, HIPAA)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>6. 
Defensive Design (Advanced)<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>6.1 Use Policy-based Authorization<\/strong><\/h3>\n\n\n\n<p>ASP.NET Core:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Authorization policies applied with <code>[Authorize]<\/code> rather than ad-hoc role checks scattered through controller code<\/li>\n\n\n\n<li>Claims-based roles populated from the verified identity, never from request data<\/li>\n\n\n\n<li>Resource-based authorization handlers (<code>IAuthorizationHandler<\/code>, evaluated through <code>IAuthorizationService<\/code>) for owner and object-level rules<\/li>\n\n\n\n<li>A <code>FallbackPolicy<\/code> that requires an authenticated user, so an endpoint that forgets <code>[Authorize]<\/code> fails closed<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>6.2 Enforce Access Control at Server-Side Only<\/strong><\/h3>\n\n\n\n<p>Never trust:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hidden HTML fields<\/li>\n\n\n\n<li>Disabled buttons<\/li>\n\n\n\n<li>JWT claims before the signature has been verified on the server<\/li>\n\n\n\n<li>Role or user-id values sent by the client<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>6.3 Dynamic Authorization<\/strong><\/h3>\n\n\n\n<p>ACL checks based on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resource owner<\/li>\n\n\n\n<li>Business logic (workflow state, tenant boundaries)<\/li>\n\n\n\n<li>Environmental conditions (IP, device fingerprint)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>6.4 Avoid Direct Object References<\/strong><\/h3>\n\n\n\n<p>Use:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>UUIDs<\/li>\n\n\n\n<li>Hashed IDs<\/li>\n\n\n\n<li>Server-mapped opaque tokens<\/li>\n<\/ul>\n\n\n\n<p>Caveat: unguessable identifiers only slow down enumeration. They are not an authorization check, and every request still has to be authorized against the caller (6.3) even when the id is a UUID.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>6.5 Enforce Least Privilege<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Role explosion (dozens of near-identical roles) is a red flag that roles alone cannot express the rules<\/li>\n\n\n\n<li>Use fine-grained, resource- or attribute-based policies instead<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>7. 
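Worked Example: Object-Level Authorization<\/strong><\/h2>\n\n\n\n<p>Added example in Python; it is not code from the original post or from any .NET project. It models the <code>\/api\/users\/{id}\/settings<\/code> handler from section 3.4 twice, once with the BOLA flaw and once with a resource-based policy enforced on the server as section 6 recommends, then runs the manual id sweep from section 7 against both. The in-memory <code>SETTINGS<\/code> table, the <code>Principal<\/code> class and the <code>support<\/code> role rule are constructed for illustration.<\/p>\n

```python
"""Object-level authorization (A01): a BOLA-vulnerable handler beside its hardened form.

Added example, not from the original post. SETTINGS, Principal and the
'support' role rule are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample data: one settings row per user id.
SETTINGS = {
    1: {'email': 'alice@example.com', 'mfa': True},
    2: {'email': 'bob@example.com', 'mfa': False},
    3: {'email': 'carol@example.com', 'mfa': True},
}


@dataclass(frozen=True)
class Principal:
    """Caller identity as established server-side from a verified session or token.
    It is never built from a client-supplied 'role' or 'user_id' field."""
    user_id: int
    roles: frozenset


class Forbidden(Exception):
    """Raised when the policy denies access (would map to HTTP 403)."""


def get_settings_vulnerable(caller: Principal, target_id: int) -> dict:
    """BOLA / IDOR: the caller is authenticated, but target_id comes straight
    from the URL and is never compared with the caller (section 3.4)."""
    return SETTINGS[target_id]


def authorize_settings_read(caller: Principal, target_id: int) -> bool:
    """Resource-based policy (sections 6.1 and 6.3): the owner may read, and so may
    a 'support' role. The rule itself is an assumption made for this example."""
    return caller.user_id == target_id or 'support' in caller.roles


def get_settings_hardened(caller: Principal, target_id: int) -> dict:
    """Same endpoint, with the policy evaluated server-side before any data access."""
    if not authorize_settings_read(caller, target_id):
        raise Forbidden(f'user {caller.user_id} may not read settings of user {target_id}')
    return SETTINGS[target_id]


def sweep_ids(handler, caller: Principal, ids) -> dict:
    """The manual test from section 7 ('?id=1 -> 2 -> 3'): call the handler as one
    fixed user for every id and record the outcome as {id: 'allowed' | 'forbidden'}."""
    outcome = {}
    for target in ids:
        try:
            handler(caller, target)
            outcome[target] = 'allowed'
        except Forbidden:
            outcome[target] = 'forbidden'
    return outcome


def leaked_ids(handler, caller: Principal, ids) -> list:
    """Ids the caller could read but does not own. A non-empty list for an
    unprivileged caller is horizontal privilege escalation (section 3.1)."""
    sweep = sweep_ids(handler, caller, ids)
    return [i for i, result in sweep.items() if result == 'allowed' and i != caller.user_id]


if __name__ == '__main__':
    bob = Principal(user_id=2, roles=frozenset())
    print('vulnerable leaks:', leaked_ids(get_settings_vulnerable, bob, SETTINGS))  # [1, 3]
    print('hardened leaks:  ', leaked_ids(get_settings_hardened, bob, SETTINGS))    # []
```

\n<p>Run as a script it prints the two sweeps: user 2 reaches the settings of users 1 and 3 through the vulnerable handler and only its own through the hardened one, while a caller holding the <code>support<\/code> role passes the policy for every id. Replacing the integer ids with UUIDs (6.4) would make the sweep impractical but would not fix the vulnerable handler, because any id the attacker obtains elsewhere is still served without a check.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>7. 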
How Attackers Test It<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Changing IDs manually (<code>?id=1 \u2192 2 \u2192 3<\/code>) and comparing the responses<\/li>\n\n\n\n<li>Calling admin endpoints directly with a low-privileged session<\/li>\n\n\n\n<li>Modifying JWT claims (role, subject) and checking whether the server still accepts the token<\/li>\n\n\n\n<li>Replaying one user&#8217;s requests with another user&#8217;s session (Burp Suite with the Autorize or Auth Analyzer extension)<\/li>\n\n\n\n<li>Disabling JS and invoking actions the UI hides<\/li>\n\n\n\n<li>Fuzzing API parameters and HTTP methods (a GET that is protected while PUT or DELETE is not)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>8. Tools<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Burp Suite with the Autorize or Auth Analyzer extension<\/li>\n\n\n\n<li>OWASP ZAP (Access Control Testing add-on)<\/li>\n\n\n\n<li>Postman collections replayed under different users, plus a fuzzer<\/li>\n\n\n\n<li>ASP.NET Core: review endpoints for a missing <code>[Authorize]<\/code>, or set a <code>FallbackPolicy<\/code> so they are denied by default<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udd25 <strong>A02 \u2014 CRYPTOGRAPHIC FAILURES<\/strong><\/h1>\n\n\n\n<p>Failures in <strong>encryption, hashing, key management, TLS, secrets storage<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. What It Is<\/strong><\/h2>\n\n\n\n<p>Occurs when sensitive data is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Not encrypted in transit or at rest<\/li>\n\n\n\n<li>Encrypted or hashed with weak or broken algorithms<\/li>\n\n\n\n<li>Mishandled (keys in source code, reused IVs or nonces, static or missing salts)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>2. 
Examples<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No HTTPS, or HTTPS without HSTS so the first request can be downgraded<\/li>\n\n\n\n<li>Storing passwords in plaintext or reversibly encrypted<\/li>\n\n\n\n<li>MD5 \/ SHA-1 used for password hashing or signatures<\/li>\n\n\n\n<li>Hardcoded encryption keys checked into Git<\/li>\n\n\n\n<li>AES in ECB mode, or any mode without authentication (no GCM or MAC)<\/li>\n\n\n\n<li>Weak or guessable JWT signing key, or a verifier that accepts <code>alg: none<\/code><\/li>\n\n\n\n<li>Missing \u201cSecure\u201d &amp; \u201cHttpOnly\u201d flags on session cookies<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>3. Sensitive Data Types<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Personal data (PII)<\/li>\n\n\n\n<li>Financial data<\/li>\n\n\n\n<li>Session tokens<\/li>\n\n\n\n<li>Health records<\/li>\n\n\n\n<li>Credentials<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>4. Root Causes<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Developers \u201crolling their own crypto\u201d<\/li>\n\n\n\n<li>Misconfigured TLS<\/li>\n\n\n\n<li>Keys that are never rotated<\/li>\n\n\n\n<li>Poor randomness sources (<code>System.Random<\/code> instead of <code>RandomNumberGenerator<\/code> for tokens)<\/li>\n\n\n\n<li>Outdated crypto libraries<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>5. 
Prevention (Advanced)<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>5.1 Never build your own cryptography<\/strong><\/h3>\n\n\n\n<p>Use:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>.NET Data Protection API for cookies, tokens and other application payloads<\/li>\n\n\n\n<li><code>System.Security.Cryptography<\/code> (e.g. <code>AesGcm<\/code>, <code>RandomNumberGenerator<\/code>) for primitives<\/li>\n\n\n\n<li>AWS Secrets Manager \/ Azure Key Vault for keeping keys and secrets outside the application<\/li>\n\n\n\n<li>libsodium<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>5.2 Enforce TLS everywhere<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>TLS 1.2\/1.3 only<\/li>\n\n\n\n<li>Disable weak cipher suites, compression and insecure renegotiation<\/li>\n\n\n\n<li>Send HSTS so browsers never fall back to plain HTTP<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>5.3 Strong Password Hashing<\/strong><\/h3>\n\n\n\n<p>Use PBKDF2, bcrypt, scrypt or Argon2id with a per-user random salt and a work factor tuned to your hardware. A plain SHA-256, even salted, is too fast to resist offline cracking.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>5.4 Proper Key Management<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No keys in code<\/li>\n\n\n\n<li>No keys in config files committed to source control<\/li>\n\n\n\n<li>Store keys in a vault, KMS or HSM<\/li>\n\n\n\n<li>Rotate keys regularly and on suspected compromise<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>6. 
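Worked Example: Password Hashing<\/strong><\/h2>\n\n\n\n<p>Added example in Python (standard library only); it is not code from the original post. It puts the anti-pattern from section 2 (unsalted MD5) beside the section 5.3 recommendation (salted PBKDF2-HMAC-SHA256 with a tuned work factor and a constant-time comparison) and shows what a static or missing salt gives away: in a leaked table, users who share a password become visible without any cracking. The record format <code>pbkdf2_sha256$iterations$salt$hash<\/code>, the sample users and the <code>needs_rehash<\/code> migration helper are this example&#8217;s own choices; the 600,000-iteration default follows the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.<\/p>\n

```python
"""Password storage (A02): unsalted fast hash vs. salted PBKDF2 with constant-time verify.

Added example, not from the original post. The record format
'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' and the sample users are constructed.
"""
import hashlib
import hmac
import secrets

# Work factor. 600k iterations of PBKDF2-HMAC-SHA256 is the current OWASP cheat-sheet
# figure; raise it over time and let needs_rehash() migrate old records at login.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """Anti-pattern from section 2: unsalted MD5. Deterministic, so equal passwords give
    equal digests, and fast enough for billions of GPU guesses per second.
    (usedforsecurity=False only stops FIPS builds from refusing to run the demo.)"""
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Section 5.3: per-user random salt plus a slow KDF. Every call yields a new record."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, iterations)
    return f'pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}'


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time.
    Malformed or foreign records verify as False instead of raising."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split('$')
        if algo != 'pbkdf2_sha256':
            return False
        iterations, salt, expected = int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)  # not ==, which leaks timing


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record predates the current work factor or is not PBKDF2 at all;
    the caller rehashes after the next successful login."""
    parts = stored.split('$')
    return (len(parts) != 4 or parts[0] != 'pbkdf2_sha256'
            or not parts[1].isdigit() or int(parts[1]) < iterations)


def shared_password_groups(records: dict) -> list:
    """What an attacker reads off a leaked table: with unsalted or static-salt hashes,
    users who share a password have identical digests. Returns the groups of such users."""
    by_digest = {}
    for user, digest in records.items():
        by_digest.setdefault(digest, []).append(user)
    return sorted(sorted(users) for users in by_digest.values() if len(users) > 1)


if __name__ == '__main__':
    # Constructed sample: alice and bob chose the same password.
    sample = [('alice', 'Winter2024!'), ('bob', 'Winter2024!'), ('carol', 'other')]
    leaked_weak = {u: weak_hash(p) for u, p in sample}
    leaked_strong = {u: hash_password(p) for u, p in sample}
    print('weak  :', shared_password_groups(leaked_weak))    # [['alice', 'bob']]
    print('strong:', shared_password_groups(leaked_strong))  # []
```

\n<p>Two details matter beyond the algorithm choice: the comparison uses <code>hmac.compare_digest<\/code> rather than <code>==<\/code>, and the iteration count is stored with each record so the work factor can be raised later and old records migrated as users log in. In ASP.NET Core, <code>PasswordHasher&lt;TUser><\/code> from Identity implements the same scheme (PBKDF2 with a per-user salt and an embedded format version) and should be preferred over hand-written code.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>6. 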
Testing Methods<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SSL Labs test (protocol versions, cipher suites, certificate chain)<\/li>\n\n\n\n<li>Burp Suite passive scan<\/li>\n\n\n\n<li>Checking HSTS and cookie attributes (Secure, HttpOnly, SameSite)<\/li>\n\n\n\n<li>Testing the entropy and predictability of tokens and session IDs<\/li>\n\n\n\n<li>Checking for plaintext storage in databases, logs and backups<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udd25 <strong>A03 \u2014 INJECTION<\/strong><\/h1>\n\n\n\n<p>One of the oldest and most dangerous classes.<\/p>\n\n\n\n<p>Includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SQL Injection<\/li>\n\n\n\n<li>NoSQL Injection<\/li>\n\n\n\n<li>OS Command Injection<\/li>\n\n\n\n<li>LDAP Injection<\/li>\n\n\n\n<li>Server-Side Template Injection<\/li>\n\n\n\n<li>XSS (folded under injection since 2021)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. What It Is<\/strong><\/h2>\n\n\n\n<p>Untrusted input is interpreted as <strong>code<\/strong> (or as part of a query, command or markup) by the interpreter that receives it.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>2. Examples<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SQL: <code>'; DROP TABLE users --<\/code><\/li>\n\n\n\n<li>XSS: <code>&lt;script>alert('x')&lt;\/script><\/code><\/li>\n\n\n\n<li>Command injection: <code>; rm -rf \/<\/code><\/li>\n\n\n\n<li>MongoDB injection: <code>{ $ne: null }<\/code> supplied as a password value<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>3. Causes<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Building queries or commands by string concatenation<\/li>\n\n\n\n<li>Raw SQL with interpolated input instead of bound parameters<\/li>\n\n\n\n<li><code>eval()<\/code> and other dynamic code execution on user input<\/li>\n\n\n\n<li>Rendering user input as part of a template rather than as template data<\/li>\n\n\n\n<li>Writing untrusted data into HTML without context-aware encoding<\/li>\n\n\n\n<li>Unsafe deserialization of untrusted input (the same root cause, data treated as code; covered under A08)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>4. 
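Worked Example: SQL Injection and Output Encoding<\/strong><\/h2>\n\n\n\n<p>Added example in Python using the standard-library <code>sqlite3<\/code> and <code>html<\/code> modules; it is not code from the original post. It builds a throw-away in-memory users table, shows the string-concatenated login query from section 3 being bypassed with the classic comment payload, shows the same query with bound parameters treating that payload as plain data, and HTML-encodes a comment for the XSS case. The table, the accounts and the payloads are constructed; passwords are kept in plaintext here only to keep the injection demo short (A02 covers how they should be stored).<\/p>\n

```python
"""Injection (A03): string-built SQL vs. bound parameters, plus output encoding for XSS.

Added example, not from the original post. The users table, accounts and payloads are
constructed. Passwords are plaintext only to keep this demo short; see A02 for hashing.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Throw-away in-memory database with two constructed accounts."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)')
    conn.executemany('INSERT INTO users (username, password) VALUES (?, ?)',
                     [('admin', 'S3cret!'), ('alice', 'hunter2')])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Root cause from section 3: concatenation. The input becomes part of the SQL text,
    so a quote in the username rewrites the WHERE clause."""
    sql = (f"SELECT id, username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username: str, password: str):
    """Bound parameters: the driver sends the SQL and the values separately, so a quote
    in the input can only ever be compared as data, never parsed as SQL."""
    sql = 'SELECT id, username FROM users WHERE username = ? AND password = ?'
    return conn.execute(sql, (username, password)).fetchone()


def render_comment(comment: str) -> str:
    """Output encoding for an HTML body context (section 4.2): encode at the point of
    output, for the context being written into, not on the way into the database."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


if __name__ == '__main__':
    db = make_db()
    payload = "admin' --"   # closes the string and comments out the password check
    print('vulnerable   :', login_vulnerable(db, payload, 'wrong'))     # (1, 'admin')
    print('parameterized:', login_parameterized(db, payload, 'wrong'))  # None
    print(render_comment('<script>alert(1)</script>'))
```

\n<p>The vulnerable query built from <code>admin' --<\/code> reads <code>... WHERE username = 'admin' --' AND password = 'wrong'<\/code>, so the password check is commented away and the admin row comes back. Stacked queries such as the <code>'; DROP TABLE users --<\/code> example above depend on the driver (the <code>sqlite3<\/code> module refuses a second statement in <code>execute()<\/code>; many other drivers do not), but the authentication bypass works wherever concatenation does. The encoded comment arrives in the browser as literal text because <code>&lt;<\/code> and <code>&gt;<\/code> are written as entities.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>4. 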
Prevention<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>4.1 Parameterized Queries<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Entity Framework: LINQ queries, or <code>FromSqlInterpolated<\/code>; never <code>FromSqlRaw<\/code> with string concatenation, which reopens the hole<\/li>\n\n\n\n<li>Dapper with named parameters<\/li>\n\n\n\n<li>ADO.NET parameterized SQL (<code>SqlParameter<\/code>)<\/li>\n<\/ul>\n\n\n\n<p>Parameters cannot carry identifiers (table or column names, ORDER BY direction); allowlist those against a fixed set.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>4.2 Output Encoding<\/strong><\/h3>\n\n\n\n<p>Encode for the context being written into, at the point of output:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>HTML encode (body and attribute contexts)<\/li>\n\n\n\n<li>JavaScript encode<\/li>\n\n\n\n<li>URL encode<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>4.3 Content Security Policy (CSP)<\/strong><\/h3>\n\n\n\n<p>Defence in depth against XSS, not a substitute for encoding: a nonce- or hash-based policy without <code>unsafe-inline<\/code> stops most injected scripts from executing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>4.4 Disable Dangerous APIs<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>eval() and its equivalents (<code>new Function<\/code>, <code>setTimeout<\/code> with a string argument)<\/li>\n\n\n\n<li>Reflection or dynamic type loading driven by user input<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>5. Testing<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fuzz input with quote, comment and operator characters and watch for errors or timing changes<\/li>\n\n\n\n<li>Automated scanners<\/li>\n\n\n\n<li>SQLmap<\/li>\n\n\n\n<li>NoSQLMap<\/li>\n\n\n\n<li>Burp Intruder<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udd25 <strong>A04 \u2014 INSECURE DESIGN<\/strong><\/h1>\n\n\n\n<p>Not a bug. A <strong>systemic failure<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. What It Is<\/strong><\/h2>\n\n\n\n<p>Design flaws that a perfect implementation cannot fix: the missing control was never specified, so there is nothing to patch.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>2. 
Examples<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No rate limiting on login \u2192 brute force attacks<\/li>\n\n\n\n<li>Architecture trusting client-side logic<\/li>\n\n\n\n<li>Money transfer flow missing verification<\/li>\n\n\n\n<li>No threat model<\/li>\n\n\n\n<li>No secure workflow<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>3. Causes<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No security requirements<\/li>\n\n\n\n<li>No secure-by-design approach<\/li>\n\n\n\n<li>Lack of architecture reviews<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>4. Prevention<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Threat modeling (STRIDE, Attack Trees)<\/li>\n\n\n\n<li>Use ASVS as design requirements<\/li>\n\n\n\n<li>Defense in depth<\/li>\n\n\n\n<li>Secure design reviews<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udd25 <strong>A05 \u2014 SECURITY MISCONFIGURATION<\/strong><\/h1>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. 
What It Is<\/strong><\/h2>\n\n\n\n<p>Errors in deployment or environment configuration.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Examples<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Debug mode enabled<\/li>\n\n\n\n<li>Default credentials<\/li>\n\n\n\n<li>Public S3 bucket<\/li>\n\n\n\n<li>Missing security headers<\/li>\n\n\n\n<li>Verbose error messages<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Advanced Prevention<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Infrastructure-as-Code (IaC)<\/li>\n\n\n\n<li>CIS benchmarks<\/li>\n\n\n\n<li>Zero-trust network configs<\/li>\n\n\n\n<li>Use container image scanning<\/li>\n\n\n\n<li>Disable unused features<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udd25 <strong>A06 \u2014 VULNERABLE &amp; OUTDATED COMPONENTS<\/strong><\/h1>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. What It Is<\/strong><\/h2>\n\n\n\n<p>Using:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Outdated frameworks<\/li>\n\n\n\n<li>Libraries with CVEs<\/li>\n\n\n\n<li>Unsupported operating systems<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>2. 
Prevention<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Automated SCA tools in CI (Snyk, Dependabot, Mend, formerly WhiteSource)<\/li>\n\n\n\n<li>Patch management policy with remediation deadlines by severity<\/li>\n\n\n\n<li>Maintain an SBOM (CycloneDX or SPDX) so affected components can be located the day a CVE lands<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udd25 <strong>A07 \u2014 IDENTIFICATION &amp; AUTHENTICATION FAILURES<\/strong><\/h1>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. What It Is<\/strong><\/h2>\n\n\n\n<p>Flaws in login, identity verification and session management.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Examples<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No MFA<\/li>\n\n\n\n<li>Weak password reset flows (guessable tokens, no expiry, user enumeration)<\/li>\n\n\n\n<li>Session IDs exposed in URLs or logs<\/li>\n\n\n\n<li>JWT signed with a weak key<\/li>\n\n\n\n<li>No brute-force or credential-stuffing protection<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Advanced Prevention<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implement MFA<\/li>\n\n\n\n<li>Secure password reset flows: single-use, short-lived, high-entropy tokens<\/li>\n\n\n\n<li>Issue a new session ID on login and on privilege change; invalidate it on logout<\/li>\n\n\n\n<li>Generate session IDs and tokens from a CSPRNG, never from sequential or otherwise predictable values<\/li>\n\n\n\n<li>Short-lived JWTs + refresh tokens that can be revoked<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udd25 <strong>A08 \u2014 SOFTWARE &amp; DATA INTEGRITY FAILURES<\/strong><\/h1>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. 
What It Is<\/strong><\/h2>\n\n\n\n<p>Trusting:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unverified updates<\/li>\n\n\n\n<li>Untrusted data sources<\/li>\n\n\n\n<li>Dependencies and build pipelines that can be tampered with<\/li>\n\n\n\n<li>Serialized objects received from the client (insecure deserialization)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Protection<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Signed updates<\/li>\n\n\n\n<li>Signed packages, with lock files pinning versions and hashes<\/li>\n\n\n\n<li>Hash verification of anything downloaded at build or run time<\/li>\n\n\n\n<li>No polymorphic deserialization of untrusted input (<code>BinaryFormatter<\/code> is obsolete and removed from .NET 9); use allowlisted types or plain data formats<\/li>\n\n\n\n<li>Protect CI\/CD pipelines: least-privilege runners, reviewed pipeline definitions, no secrets in build logs<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udd25 <strong>A09 \u2014 LOGGING &amp; MONITORING FAILURES<\/strong><\/h1>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. What It Is<\/strong><\/h2>\n\n\n\n<p>Security events not logged, or logged but never alerted on, so a breach goes unnoticed.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Examples<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No logs for failed logins<\/li>\n\n\n\n<li>No alerts for access control violations<\/li>\n\n\n\n<li>Logs not protected from tampering or deletion<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Best Practices<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralized logging (ELK \/ Splunk \/ SIEM)<\/li>\n\n\n\n<li>Correlation IDs carried across services<\/li>\n\n\n\n<li>Audit trails for authentication, authorization decisions and high-value transactions<\/li>\n\n\n\n<li>Real-time alerting on thresholds (failed logins per account and per IP, bursts of 403s)<\/li>\n\n\n\n<li>Protect logs from tampering, and never log secrets, tokens or full card numbers<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udd25 <strong>A10 \u2014 
SERVER-SIDE REQUEST FORGERY (SSRF)<\/strong><\/h1>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>1. What It Is<\/strong><\/h2>\n\n\n\n<p>The application fetches a URL that the user supplies or influences, so the attacker uses the server as a proxy to reach hosts that only the server can see.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Attack Impact<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Read internal admin or metadata endpoints<\/li>\n\n\n\n<li>Pivot into internal networks (port scanning, hitting unauthenticated internal services)<\/li>\n\n\n\n<li>Access AWS\/Azure instance metadata and the credentials it hands out<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Prevention<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Allowlist outbound hosts or URLs; denylists of private ranges are bypassed with redirects, DNS rebinding and alternate IP encodings<\/li>\n\n\n\n<li>Resolve the hostname and check the resulting address before connecting, and do not follow redirects automatically<\/li>\n\n\n\n<li>Harden the metadata endpoint: require IMDSv2 on AWS and block the metadata address from workloads that do not need it<\/li>\n\n\n\n<li>Network segmentation with egress filtering<\/li>\n\n\n\n<li>Avoid fetching user-controlled URLs at all where the design permits<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ud83d\udcd8 OWASP TOP 10 \u2014 COMPLETE IN-DEPTH GUIDE (BASIC \u2192 ADVANCED) Covers all 10 categories with: \ud83d\udd25 A01 \u2014 BROKEN ACCESS CONTROL The #1 risk because access control failures appear&#8230; 
<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[11138],"tags":[],"class_list":["post-54274","post","type-post","status-publish","format-standard","hentry","category-best-tools"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/54274","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=54274"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/54274\/revisions"}],"predecessor-version":[{"id":54275,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/54274\/revisions\/54275"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=54274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=54274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=54274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}