Web Security: OWASP Top 10

A Simple Analogy

OWASP Top 10 is like a building inspector's checklist. Instead of fixing every possible flaw, focus on the 10 most dangerous issues that could collapse the building. Most vulnerabilities fall into these categories.

What Is OWASP Top 10?

OWASP Top 10 is a list of the 10 most critical security risks in web applications, updated every few years. Developers should know and prevent these vulnerabilities.

Why Study OWASP Top 10?

Priorities: Focus on highest-risk vulnerabilities
Awareness: Understand common attack patterns
Prevention: Know standard mitigations
Compliance: Many standards reference OWASP
Interviews: Common security topic

The 10 Vulnerabilities

1. Broken Access Control

// Bad: No authorization check
[HttpGet("{id}")]
public IActionResult GetUser(int id)
{
    return Ok(_repository.GetUser(id));  // Exposes any user's data
}

// Good: Verify authorization
[Authorize]
[HttpGet("{id}")]
public IActionResult GetUser(int id)
{
    var currentUserId = int.Parse(User.FindFirst("sub").Value);
    if (currentUserId != id)
        return Forbid();
    
    return Ok(_repository.GetUser(id));
}

2. Cryptographic Failures (Sensitive Data Exposure)

// Bad: Store passwords in plain text
var user = new User { Name = "Bob", Password = "secret123" };
_db.Users.Add(user);

// Good: Hash passwords
var hashedPassword = BCrypt.Net.BCrypt.HashPassword("secret123");
var user = new User { Name = "Bob", PasswordHash = hashedPassword };

3. Injection (SQL Injection)

// Bad: String concatenation (SQL injection)
var query = $"SELECT * FROM Users WHERE Email = '{email}'";

// Good: Parameterized queries
var user = await _context.Users
    .FromSqlInterpolated($"SELECT * FROM Users WHERE Email = {email}")
    .FirstOrDefaultAsync();

4. Insecure Design (Missing Security Controls)

Threat modeling during design
Security requirements definition
Secure architecture patterns

5. Security Misconfiguration

// Bad: Debug mode in production
if (app.Environment.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}

// Bad: Default credentials
var defaultPassword = "admin123";  // Change in production

6. Vulnerable and Outdated Components

Keep dependencies updated
Monitor security advisories
Use dotnet list package --outdated

7. Authentication & Session Management Failures

// Bad: No session timeout
// Good: JWT with expiration
var token = GenerateJWT();  // Expires in 15 minutes

// Bad: Weak password policy
// Good: Enforce strong passwords
if (!IsStrongPassword(password))
    throw new InvalidOperationException("Password too weak");

8. Software & Data Integrity Failures

Verify package authenticity
Use HTTPS for all communications
Implement code signing

9. Logging & Monitoring Failures

// Bad: No logging of security events
// Good: Log security-relevant events
_logger.LogWarning("Failed login attempt for user {Email} from IP {IpAddress}",
    email, ipAddress);

_logger.LogError("Authorization check failed for user {UserId} accessing resource {ResourceId}",
    userId, resourceId);

10. Server-Side Request Forgery (SSRF)

// Bad: Fetch any URL without validation
var response = await _httpClient.GetAsync(userProvidedUrl);

// Good: Validate URL before fetching
var uri = new Uri(userProvidedUrl);
if (uri.Host == "localhost" || uri.Host == "127.0.0.1")
    throw new InvalidOperationException("Cannot access local resources");

Security Checklist

✓ Use HTTPS everywhere
✓ Validate all inputs
✓ Hash passwords with bcrypt/scrypt
✓ Implement proper authorization
✓ Use parameterized queries
✓ Keep dependencies updated
✓ Log security events
✓ Implement rate limiting
✓ Use secure headers (CSP, X-Frame-Options)
✓ Regular security testing

Related Concepts to Explore

OWASP Cheat Sheets
Security testing tools (OWASP ZAP, Burp Suite)
Penetration testing
Secure coding practices
Incident response planning

Summary

OWASP Top 10 highlights the most critical web security risks. Understanding and preventing these 10 vulnerabilities dramatically improves application security.