OWASP Top 10 Workshop

Introduction to Web Application Security

Completed

Web application security is a critical aspect of modern software development. As businesses continue to move services online, the attack surface of web applications increases, making them prime targets for malicious actors. Understanding and addressing key security vulnerabilities is essential for developers, security professionals, and IT managers.

Why Web Security Matters

Security breaches can lead to serious consequences including:

Data theft and privacy violations
Financial loss
Damage to business reputation
Legal and regulatory penalties
Loss of customer trust

Real-World Impact

In recent years, major data breaches have exposed billions of user records. Companies have faced fines in the hundreds of millions of dollars for failing to protect user data. Security is not just a technical issue—it's a business imperative.

About the OWASP Top 10

The OWASP Top 10 is a regularly updated list of the most critical web application security risks. It is developed by a team of security experts from around the world and represents a consensus on the most significant vulnerabilities that organizations should address.

The current OWASP Top 10 (2021) includes:

Broken Access Control - Restrictions on authenticated users are not properly enforced
Cryptographic Failures - Failures related to cryptography that often lead to sensitive data exposure
Injection - User-supplied data is not validated, filtered, or sanitized by the application
Insecure Design - Flaws related to design and architectural security flaws
Security Misconfiguration - Improperly configured application security settings
Vulnerable and Outdated Components - Using components with known vulnerabilities
Identification and Authentication Failures - Authentication and session management implementations that allow attackers to compromise passwords or keys
Software and Data Integrity Failures - Code and infrastructure that does not protect against integrity violations
Security Logging and Monitoring Failures - Insufficient logging and monitoring to detect attacks
Server-Side Request Forgery (SSRF) - Web applications fetching remote resources without validating the user-supplied URL

Workshop Structure

For each vulnerability in the OWASP Top 10, this workshop will provide:

A detailed explanation of the vulnerability
Real-world examples of the vulnerability in action
Interactive demonstrations to see the vulnerability firsthand
Practical mitigation techniques and secure coding practices
Hands-on exercises to test your understanding
Quizzes to reinforce key concepts

Getting the Most from This Workshop

For the best learning experience:

Complete each module in order
Try to solve the exercises before looking at the solutions
Apply what you learn to review code in your own projects
Use the provided resources for deeper understanding

Quick Check: Introduction Question 1 of 3

What is the primary purpose of the OWASP Top 10?

To raise awareness about the most critical web application security risks
To provide a comprehensive list of all possible web vulnerabilities
To serve as a legal compliance framework for organizations
To rank web application frameworks by their security features

Correct! The OWASP Top 10 is an awareness document that represents a broad consensus about the most critical security risks to web applications. It's designed to raise awareness and change the software development culture to produce more secure code.

A01: Broken Access Control

Completed

Broken Access Control is the most common and impactful vulnerability according to the OWASP Top 10 (2021). Access control enforces policy such that users cannot act outside of their intended permissions. Failures in access control lead to unauthorized information disclosure, modification, or destruction of data, or performing unauthorized business functions.

Broken Access Control

High Risk

Broken access control occurs when application functions or data are not protected with proper authorization checks, allowing attackers to access data or perform actions they shouldn't be able to do.

Example: A user can access another user's account or admin pages by simply changing a parameter in the URL.

Common Prevention Methods:

Implement proper authorization checks for each request
Use a centralized access control mechanism
Deny access by default (whitelist approach)
Implement proper session management
Disable directory listing on servers

Common Broken Access Control Vulnerabilities

Vertical Privilege Escalation

Horizontal Privilege Escalation

IDOR

Vertical Privilege Escalation

Vertical privilege escalation occurs when a user can access functionality they shouldn't have access to, such as administrative features or functions intended for higher-privileged users.

Example Vulnerability

Consider a web application where normal users access their dashboard at /user/dashboard and administrators access their dashboard at /admin/dashboard. If the application only checks the URL path without verifying the user's role, a regular user might access the admin dashboard by simply navigating to the admin URL.

                                    // Vulnerable code - only checks the URL pattern, not the user's role

                                    app.get('/admin/dashboard', (req, res) => {

                                      // No authorization check!

                                      res.render('admin-dashboard');

                                    });

                                    // Secure code - checks if the user has admin role

                                    app.get('/admin/dashboard', (req, res) => {

                                      if (!req.user || req.user.role !== 'admin') {

                                        return res.status(403).send('Access Denied');

                                      }

                                      res.render('admin-dashboard');

                                    });

Practical Exercise

Let's practice identifying broken access control vulnerabilities. Below is a simplified web application interface. Try to identify the access control issues.

Example Web Application

Current URL:

Try a different URL:

Knowledge Check: Broken Access Control Question 1 of 3

Which of the following is NOT a typical mitigation for broken access control vulnerabilities?

Implementing role-based access control (RBAC)
Verifying user permissions for each request
Using client-side validation to restrict access to sensitive functions
Denying access by default and using a whitelist approach

Correct! Client-side validation is not a reliable mitigation for access control, as it can be easily bypassed by attackers. All access control checks should be implemented on the server-side where they cannot be tampered with by end users.

A02: Cryptographic Failures

Completed

Cryptographic failures refer to weaknesses in the implementation, usage, or management of cryptographic systems. These failures can lead to sensitive data exposure, allowing attackers to access protected information such as credentials, personal data, health records, or business secrets.

Cryptographic Failures

High Risk

Cryptographic failures occur when data that should be encrypted is transmitted or stored in clear text, when weak cryptographic algorithms are used, or when cryptographic keys are mismanaged.

Example: A web application transmits sensitive data like credit card numbers over HTTP instead of HTTPS, allowing attackers to intercept this information.

Common Prevention Methods:

Use strong, up-to-date cryptographic algorithms
Implement proper key management
Encrypt data both in transit and at rest
Disable older, vulnerable protocols
Verify independently the effectiveness of configuration and settings

Common Cryptographic Failure Vulnerabilities

Weak Cryptography

Data Exposure

Key Management

Weak Cryptography

Using outdated or cryptographically weak algorithms can compromise the security of encrypted data, making it vulnerable to various attacks.

Example Vulnerability

A web application using MD5 or SHA-1 for password hashing. These algorithms are considered cryptographically broken and should not be used for secure applications.

                                    // Vulnerable code - using weak MD5 hashing

                                    function hashPassword(password) {

                                      const crypto = require('crypto');

                                      return crypto.createHash('md5').update(password).digest('hex');

                                    }

                                    // Secure code - using proper password hashing with bcrypt

                                    async function hashPassword(password) {

                                      const bcrypt = require('bcrypt');

                                      const saltRounds = 10;

                                      return await bcrypt.hash(password, saltRounds);

                                    }

Knowledge Check: Cryptographic Failures Question 1 of 3

Which of the following is considered a secure approach for storing passwords?

Using a simple MD5 hash
Storing them encrypted with AES using a single application key
Using a strong adaptive hashing function like bcrypt with a unique salt per password
Base64 encoding the password before storing

Correct! Strong adaptive hashing functions like bcrypt, Argon2, or PBKDF2 with sufficient work factors and unique salts are the recommended approach for password storage.

A03: Injection

Completed

Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Injection

High Risk

Injection attacks target applications by inserting malicious code through user inputs that are incorrectly filtered, validated, or sanitized.

Example: An attacker submits SQL code in a web form that changes the intended database query when executed.

Common Prevention Methods:

Use parameterized queries for database operations
Validate and sanitize all user inputs
Apply the principle of least privilege for database accounts
Use ORM frameworks that automatically handle sanitization
Implement context-specific output encoding

Common Injection Vulnerabilities

SQL Injection

NoSQL Injection

Command Injection

SQL Injection

SQL injection is a type of injection attack that targets SQL databases by inserting malicious SQL code into query strings.

                                    // Vulnerable code - direct string concatenation

                                    const query = "SELECT * FROM users WHERE username = '" + username + "' AND password
                                    = '" + password + "'";
                                

                                    // Secure code - parameterized query

                                    const query = "SELECT * FROM users WHERE username = ? AND password = ?";

                                    db.execute(query, [username, password]);

A04: Insecure Design

Completed

Insecure Design refers to flaws that occur when an application is designed without sufficient security measures in mind. This is different from implementation flaws and focuses on design-level failures that cannot be fixed by perfect implementation.

Insecure Design

High Risk

Insecure design encompasses a wide range of issues that occur when security isn't integrated into the system architecture and design process.

Common Prevention Methods:

Establish and use a secure development lifecycle
Employ threat modeling during design phases
Use secure design patterns and reference architectures
Integrate security requirements into user stories
Perform security reviews of system designs before implementation

A05: Security Misconfiguration

Completed

Security misconfiguration is the most commonly seen issue and refers to missing appropriate security hardening across the application stack, improper configurations, or open cloud storage.

Security Misconfiguration

Medium Risk

Security misconfiguration can happen at any level of the application stack, including network services, platform, web server, application server, database, frameworks, custom code, and more.

Common Prevention Methods:

Implement a repeatable hardening process
Remove unused features, components, and frameworks
Review cloud storage permissions
Disable default accounts and passwords
Implement proper error handling

A06: Vulnerable and Outdated Components

Completed

Components such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.

Vulnerable Components

Medium Risk

Applications using components with known vulnerabilities can undermine application defenses and enable various attacks.

Common Prevention Methods:

Remove unused dependencies
Continuously inventory versions of both client-side and server-side components
Only obtain components from official sources
Monitor for libraries and components that are unmaintained
Establish a patch management process

A07: Identification and Authentication Failures

Completed

Authentication failures occur when functions related to user identity, authentication, or session management are implemented incorrectly, allowing attackers to compromise passwords, keys, session tokens, or exploit implementation flaws to assume other users' identities.

Authentication Failures

High Risk

Authentication weaknesses can allow attackers to access systems as another user or even an administrator.

Common Prevention Methods:

Implement multi-factor authentication
Do not deploy with default credentials
Implement weak-password checks
Limit or increasingly delay failed login attempts
Use a server-side, secure, built-in session manager

A08: Software and Data Integrity Failures

Completed

Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. This occurs when an application relies on plugins, libraries, or modules from untrusted sources, repositories, or content delivery networks (CDNs).

Software and Data Integrity

Medium Risk

An application that does not verify the integrity of critical data, software updates, or CI/CD pipelines is vulnerable to unauthorized changes that can lead to serious security issues.

Common Prevention Methods:

Use digital signatures to verify software or data authenticity
Ensure dependencies are from trusted repositories
Ensure CI/CD pipeline has proper segregation and configuration
Review code and configuration changes
Use only vetted libraries and frameworks from trusted sources

A09: Security Logging and Monitoring Failures

Completed

This category is to help detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected. Insufficient logging, detection, monitoring, and active response occurs any time:

Auditable events are not logged
Logs are not monitored for suspicious activity
Alerts are missing or ineffective

Logging and Monitoring

Medium Risk

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, and tamper with or extract data without being detected.

Common Prevention Methods:

Implement logging for all login, access control, and server-side input validation failures
Ensure logs are in a format that can be easily consumed by log management solutions
Establish effective monitoring and alerting
Create or adopt an incident response and recovery plan
Use centralized log management and analysis tools

A10: Server-Side Request Forgery (SSRF)

Completed

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).

Server-Side Request Forgery

Medium Risk

SSRF enables attackers to force the server to connect to internal services within the organization or to external systems, potentially leading to data disclosure or remote code execution.

Common Prevention Methods:

Implement a positive allow list of allowed domains, ports, protocols, and URLs
Disable HTTP redirections
Do not send raw responses to clients
Use network segmentation for sensitive services
Sanitize and validate all client-supplied input data

                            // Vulnerable code - direct use of user input

                            app.get('/fetch', (req, res) => {

                              const url = req.query.url;

                              fetch(url).then(response => response.json())

                                .then(data => res.json(data));

                            });

                            // Secure code - URL validation and allow list

                            app.get('/fetch', (req, res) => {

                              const url = req.query.url;

                              const allowedDomains = ['api.example.com', 'api.trusted-source.org'];

                              try {

                                const parsedUrl = new URL(url);

                                if (!allowedDomains.includes(parsedUrl.hostname)) {

                                  return res.status(403).send('Domain not allowed');

                                }

                                fetch(url).then(response => response.json())

                                  .then(data => res.json(data));

                              } catch (e) {

                                res.status(400).send('Invalid URL');

                              }

                            });

Secure Coding Practices

Completed

Secure coding practices are a set of guidelines and principles that developers should follow to create more secure applications. These practices help prevent vulnerabilities and reduce the attack surface of your applications.

Key Secure Coding Principles

Defense in Depth - Implement multiple layers of security controls
Least Privilege - Grant only the permissions needed to perform a task
Secure by Default - Default configurations should be secure
Fail Securely - When something fails, it should fail in a secure state
Input Validation - Validate all input against a whitelist of allowed values
Output Encoding - Encode output to prevent injection attacks

Best Practices

Following secure coding practices should be integrated into your entire development lifecycle, from design to implementation and maintenance. Regular security training for development teams is essential to keep skills up to date with evolving threats.

Security Testing Tools

Completed

Security testing tools help identify vulnerabilities in your applications before attackers can exploit them. These tools should be integrated into your development and deployment pipelines for continuous security assurance.

Categories of Security Testing Tools

Static Application Security Testing (SAST) - Analyzes source code for security vulnerabilities
Dynamic Application Security Testing (DAST) - Tests running applications for vulnerabilities
Software Composition Analysis (SCA) - Identifies vulnerabilities in third-party components
Interactive Application Security Testing (IAST) - Combines SAST and DAST approaches
Penetration Testing Tools - Used for simulating attacks on systems

Popular Security Testing Tools

OWASP ZAP - Open-source web application security scanner
Burp Suite - Integrated platform for web application security testing
SonarQube - Static code analysis platform
Dependency-Check - Identifies project dependencies and known vulnerabilities
Metasploit - Penetration testing framework

Tool Integration

For maximum effectiveness, security testing tools should be integrated into your CI/CD pipeline to catch vulnerabilities early in the development process. However, tools alone are not sufficient - they should be combined with manual code reviews and security expertise.

Workshop Modules

Introduction to Web Application Security

Why Web Security Matters

About the OWASP Top 10

Workshop Structure

A01: Broken Access Control

Common Prevention Methods:

Common Broken Access Control Vulnerabilities

Vertical Privilege Escalation

Horizontal Privilege Escalation

Insecure Direct Object References (IDOR)

Practical Exercise

A02: Cryptographic Failures

Common Prevention Methods:

Common Cryptographic Failure Vulnerabilities

Weak Cryptography

Sensitive Data Exposure

Poor Key Management

A03: Injection

Common Prevention Methods:

Common Injection Vulnerabilities

SQL Injection

NoSQL Injection

Command Injection

A04: Insecure Design

Common Prevention Methods:

A05: Security Misconfiguration

Common Prevention Methods:

A06: Vulnerable and Outdated Components

Common Prevention Methods:

A07: Identification and Authentication Failures

Common Prevention Methods:

A08: Software and Data Integrity Failures

Common Prevention Methods:

A09: Security Logging and Monitoring Failures

Common Prevention Methods:

A10: Server-Side Request Forgery (SSRF)

Common Prevention Methods:

Secure Coding Practices

Key Secure Coding Principles

Security Testing Tools

Categories of Security Testing Tools

Popular Security Testing Tools