OWASP - Broken Access Control, Cryptographic Failures and Injection Vulnerability (Top 3 of 10)

OWASP, founded in 2001, is a non-profit organization that aids in protecting web applications from cyber threats, supported by 32,000 global volunteers. The OWASP Top 10 project ranks the most critical web application security risks and provides remediation advice, updated every 2-3 years. Key vulnerabilities include broken access control, cryptographic failures, and injection vulnerabilities, with best practices outlined for prevention and mitigation.

Uploaded by Arjay Vicencio

What is OWASP?

The Open Web Application Security Project (OWASP) is a non-profit organization founded in 2001, with the goal of helping website owners and security experts protect web applications from cyber attacks. OWASP has 32,000 volunteers around the world who perform security assessments and research.

Why is the OWASP Top 10 Important?

OWASP Top 10 is a research project that offers rankings of, and remediation advice for, the top 10 most serious web application security risks. The report is founded on a consensus among security experts from around the globe. The risks are graded according to the severity of the vulnerabilities, the frequency of isolated security defects, and the degree of their possible impact.

The aim of the report is to give web application security experts and developers insight into the most common security risks, so that they can use its findings as part of their security practices. This helps limit the presence of such known risks within their web applications.

OWASP has managed the Top 10 list since 2003 and updates it every 2-3 years, in keeping with changes and developments in the AppSec market. OWASP provides actionable information and acts as an important checklist and internal web application development standard for many of the largest organizations in the world.

Broken Access Control

Access Controls

A system enabling an authority to control access to areas and resources in a physical facility or computer-based system. They are crucial for determining whether a request should be permitted.

Vertical vs Horizontal Access Controls

• Vertical access controls: division between ordinary users and administrators.
• Horizontal access controls: restrict users to their own resources, e.g., their own emails.

Access Control Vulnerabilities

1. Vertical privilege escalation: performing unauthorized functions.
2. Horizontal privilege escalation: accessing unauthorized resources.

Access Control Security and Weaknesses

1. Completely Unprotected Functionality
2. Identifier-Based Functions
3. Multistage Functions
4. Static Files

Effective Access Controls

1. Explicitly evaluate access control requirements.
2. Drive access control decisions from user sessions.
3. Use a central application component for checks.
4. Process every client request via a validation component.
5. Use programmatic techniques to enforce rules.
6. Restrict sensitive functionality by IP when needed.
7. Protect static content with server-side logic.
8. Revalidate client-transmitted identifiers.
9. Implement per-transaction reauthentication and logging.

A Multi-Layered Privilege Model

1. Programmatic Control
2. Discretionary Access Control (DAC)
3. Role-Based Access Control (RBAC)
4. Declarative Control

Attacking Access Controls

1. Test administrative URLs for direct access.
2. Probe application logic for subtle defects.
3. Be patient and thorough; test every function.

Best Practices to Prevent Broken Access Control

• Use Role-Based Access Control (RBAC) – Assign the minimum required permissions per role.
• Enforce the Principle of Least Privilege (PoLP) – Users should only access what they absolutely need.
• Implement Strong Authentication – Require MFA for admin and critical actions.
• Secure API Endpoints – Use OAuth 2.0, JWTs, and proper authorization checks for APIs.
• Perform Regular Security Audits – Continuously test for misconfigurations and unauthorized access.
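The session-driven, centralized check from the Effective Access Controls list and the RBAC / least-privilege practices above, as an added example (not the slides' own code): one deny-by-default authorization function that enforces both the vertical (role) and horizontal (ownership) boundary and logs every decision. The roles, action names and sample records are assumptions.

```python
# Added example (not from the original slides): one central authorization
# component that takes the caller's identity from the server-side session and
# ownership from the stored record, never from client-supplied identifiers.
# Roles, action names and the sample records are hypothetical.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # "user" or "admin": the vertical access-control boundary


@dataclass(frozen=True)
class Resource:
    resource_id: int
    owner_id: int  # the horizontal access-control boundary


# Functions reserved for administrators (vertical control).
ADMIN_ACTIONS = {"delete_any_user", "view_audit_log"}
# Functions ordinary users may apply only to their own records (horizontal control).
OWNER_ACTIONS = {"read_email", "delete_email"}

AUDIT_LOG: List[str] = []  # per-transaction logging, as the slides recommend


def authorize(session: Session, action: str, resource: Optional[Resource] = None) -> bool:
    """Deny by default: every allow path is explicit, and every decision is logged."""
    allowed = False
    if action in ADMIN_ACTIONS:
        allowed = session.role == "admin"
    elif action in OWNER_ACTIONS and resource is not None:
        # Ownership is re-checked against the server-side record on every request.
        allowed = session.role == "admin" or resource.owner_id == session.user_id
    AUDIT_LOG.append(
        "user=%d role=%s action=%s resource=%s allowed=%s"
        % (session.user_id, session.role, action,
           resource.resource_id if resource else "-", allowed)
    )
    return allowed


# Constructed sample data: two ordinary users, one admin, one mailbox owned by Alice.
ALICE = Session(user_id=1, role="user")
BOB = Session(user_id=2, role="user")
ADMIN = Session(user_id=99, role="admin")
ALICES_MAIL = Resource(resource_id=500, owner_id=1)
```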

2. Cryptographic Failures

Cryptographic failures cover the protection of data in transit and at rest. This includes passwords, credit card numbers, health records, personal information and other sensitive information.

Mitigating Cryptographic Failures

• Identify sensitive data and apply appropriate security controls.
• Don't store sensitive data unless absolutely needed: discard sensitive data, or use tokenization or truncation.
• Encrypt all sensitive data at rest using strong encryption algorithms, protocols and keys.
• Encrypt data in transit using secure protocols like TLS, and enforce it with HTTP Strict Transport Security (HSTS).
• Disable caching for sensitive data.
• Store passwords using strong, salted hashing functions like Argon2, scrypt and bcrypt.

Sensitive Data

Sensitive data includes a broad spectrum of information, including:

• Transactional data: credit card, bank account, and social security numbers
• Personal data: phone numbers, physical and virtual addresses, and medical history
• Business-related data: trade secrets; planning, financial, and accounting information
• Governmental data: restricted, confidential, secret, or top-secret information

The exponential growth of a global information economy, driven by new technologies and disruptive business models, means that an ever-increasing amount of sensitive data is collected, used, exchanged, analyzed, and retained. In all cases, this data requires protection from unauthorized access to ensure the privacy and security of both individuals and organizations.

Protecting Sensitive Data

Data has varying degrees of sensitivity, based on risk potential. Companies must prioritize data risks by creating a classification policy based on data sensitivity. At a minimum, three levels of data classification are needed:

• Restricted: the most sensitive data, which, if compromised, could cause great risk to individuals and/or organizations. Access is on a need-to-know basis only.
• Confidential or Private: moderately sensitive data, which, if compromised, would cause a moderate risk to individuals and/or the company. Access is internal to the company or department that owns the data.
• Public: non-sensitive data whose disclosure would cause little or no risk. Access is loosely, or not, controlled.

Policies must be developed and implemented that determine what types of information are sensitive and what methods, such as encryption, should be used to protect that information. In addition, companies must monitor the transmission of information to ensure that the policies are adhered to and are effective.

Companies must also implement continuous auditing of the overall IT environment. Auditing solutions that provide real-time information about unauthorized or malicious changes help ensure visibility across the IT infrastructure. In addition, auditing solutions validate the effectiveness of security policies and the security of sensitive information. Continuous auditing will help detect a breach in its early stages, assist during in-depth analysis, and ultimately expose weaknesses that can be remediated to strengthen the security of a company's IT infrastructure.

Finally, and most importantly, companies must add security layers to data shared in the cloud. The acceptance and adoption of cloud-based application services make it easy for businesses to collaborate and share content with multiple users. But this convenience has its downside, as data leaks become an increasing concern. Typically, these services lack the visibility necessary to mandate and track how, when, and with whom files and content are shared.

Causes of Sensitive Data Exposure

• Unsecured data storage: lack of encryption
• Weak authentication: poor password policies
• Misconfigured cloud services: open access to critical files
• Software vulnerabilities: unpatched systems

Real-World Examples

• Facebook (2019): 540 million records exposed due to misconfigured databases
• Equifax (2017): 147 million individuals' personal data leaked due to an unpatched system
• Marriott (2018): 500 million guest records compromised due to unauthorized access

What is an Injection Vulnerability? (OWASP Top 3)

• An injection vulnerability is a security flaw that occurs when an attacker is able to insert (or "inject") malicious data into an application.
• This causes unintended behavior, often due to improper input validation or sanitization.
• Common targets: backend systems like databases, interpreters, and APIs.

Types of Injection Vulnerabilities

• SQL Injection (SQLi)
• Cross-Site Scripting (XSS)
• Command Injection
• LDAP Injection

SQL Injection (SQLi)

• Occurs when user input is directly inserted into SQL queries without proper sanitization.
• Example vulnerable code (PHP):

    $username = $_GET['username'];
    $query = "SELECT * FROM users WHERE username = '$username'";

• Potential attack: if an attacker enters admin' --, the query becomes:

    SELECT * FROM users WHERE username = 'admin' -- '

  Everything after -- is a SQL comment, so the closing quote and whatever condition followed it are ignored; the -- comment bypasses authentication.
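The slide's admin' -- input run both ways, as an added example (not the slides' own code): an in-memory SQLite table, the string-built query the PHP snippet mirrors, and the prepared-statement form from the Prevention Techniques. The password_hash column is an assumption added so the comment has a clause to cut off; the rows are constructed.

```python
# Added example (not from the original slides): the slide's "admin' --" input
# run against a string-built query and against a parameterized one, using an
# in-memory SQLite database. The password_hash column is an assumption added
# so that the comment has a clause to cut off; the data is constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("admin", "hash-of-admin-password"), ("alice", "hash-of-alice-password")])
    return conn


def rendered_vulnerable_query(username: str, password_hash: str) -> str:
    """The exact SQL text the vulnerable path executes (useful for logging/inspection)."""
    return ("SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
            % (username, password_hash))


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    # Mirrors the PHP slide: user input is concatenated straight into the SQL text,
    # so "admin' --" closes the string and comments out the password check.
    return [row[0] for row in conn.execute(rendered_vulnerable_query(username, password_hash))]


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    # Prepared statement: the driver sends the values separately from the SQL text,
    # so "admin' --" is compared as a literal username and never reaches the parser.
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(query, (username, password_hash))]
```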



Cross-Site Scripting (XSS)

• Occurs when malicious JavaScript is injected into a web page, executing scripts in a victim's browser.
• Example (PHP):

    <input type="text" name="comment" value="<?php echo $_GET['comment']; ?>">

• Potential attack: if an attacker enters <script>alert('Hacked!');</script>, the browser executes it.

Command Injection

• Occurs when an attacker injects malicious system commands into an application that executes shell commands.
• Example (PHP):

    $file = $_GET['file'];
    system("cat " . $file);

• Potential attack: an attacker could enter file.txt; rm -rf / to delete system files.

LDAP Injection (Lightweight Directory Access Protocol)

• Occurs when unvalidated input is injected into LDAP queries, allowing unauthorized access.
• Example (PHP):

    $ldap_query = "(&(user=" . $_GET['user'] . "))";

• Potential attack: an attacker could enter *)(objectClass=*) to retrieve all LDAP entries.

Prevention Techniques

Use prepared statements (SQL injection prevention). Example in PHP (PDO):

    $stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
    $stmt->execute([$username]);

Escape user input (XSS prevention). Example:

    echo htmlspecialchars($_GET['comment'], ENT_QUOTES, 'UTF-8');

Validate and sanitize inputs: use functions like filter_var() to filter user input.

Avoid directly executing user input: never pass user input directly into system commands.
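The "validate and sanitize" and "never pass user input into system commands" techniques applied to the LDAP and command-injection slides above, as an added example (not the slides' own code): an RFC 4515 filter-value escaper for the (&(user=...)) filter, and an allow-listed filename handed to cat as an argv list with no shell. The helper names and the allow-list pattern are assumptions.

```python
# Added example (not from the original slides): two of the prevention techniques
# above as hypothetical helpers. build_user_filter() escapes the slide's LDAP
# filter value per RFC 4515 before splicing it into "(&(user=...))"; read_file()
# replaces system("cat " . $file) with a validated filename passed as an argv
# list, so no shell ever parses the input.
import re
import subprocess

# RFC 4515 filter escaping. Backslash goes first so the escapes it produces
# are not themselves re-escaped on the later passes.
_LDAP_ESCAPES = (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00"))


def ldap_escape_filter_value(value: str) -> str:
    for raw, escaped in _LDAP_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def build_user_filter(user: str) -> str:
    # The slide's filter with the value escaped: "*)(objectClass=*)" stays one literal token
    # instead of closing the (user=...) clause and adding a match-everything clause.
    return "(&(user=%s))" % ldap_escape_filter_value(user)


# Allow-list for the command-injection case: a plain name, no separators, no traversal.
_SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def cat_argv(filename: str) -> list:
    """Return the argv list for cat, or raise if the name fails the allow-list."""
    if not _SAFE_FILENAME.fullmatch(filename) or ".." in filename:
        raise ValueError("rejected filename: %r" % filename)
    return ["cat", filename]


def read_file(base_dir: str, filename: str) -> str:
    # argv list with shell=False (the default): "file.txt; rm -rf /" can only ever be
    # a single (here rejected) filename argument, never a second command.
    result = subprocess.run(cat_argv(filename), cwd=base_dir, capture_output=True,
                            text=True, check=True)
    return result.stdout
```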

Conclusion

Injection vulnerabilities are a critical security risk in web applications. Proper input validation, sanitization, and the use of prepared statements can significantly reduce the risk of these attacks. Stay proactive in securing your applications to prevent injection vulnerabilities.
