OWASP Top 10 Quick Reference for Developers
Tags: OWASP, security, injection, XSS, CSRF, authentication, authorization, top 10
Problem
Developers unknowingly introduce common security vulnerabilities. The OWASP Top 10 list is comprehensive but hard to remember during coding.
Solution
Quick-reference checklist for the most critical vulnerabilities:
1. Broken Access Control
2. Cryptographic Failures
3. Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable Components
7. Auth Failures
8. Data Integrity Failures
9. Logging & Monitoring Gaps
10. SSRF (Server-Side Request Forgery)
1. Broken Access Control
- Check authorization on EVERY endpoint (not just the UI)
- Deny by default, explicitly grant access
- Don't expose internal IDs in URLs without auth checks
2. Cryptographic Failures
- Use TLS everywhere (no HTTP)
- Hash passwords with bcrypt/argon2 (never MD5/SHA1)
- Don't store sensitive data you don't need
3. Injection
- Use parameterized queries (NEVER string concatenation for SQL)
- Validate and sanitize all input
- Use ORM query builders instead of raw queries
4. Insecure Design
- Rate limit authentication endpoints
- Implement proper session management
- Don't trust client-side validation alone
5. Security Misconfiguration
- Remove default credentials
- Disable directory listing
- Keep dependencies updated (npm audit, pip-audit)
- Don't expose stack traces in production
6. Vulnerable Components
- Regular dependency audits
- Pin dependency versions
- Monitor CVE databases
7. Auth Failures
- Use MFA where possible
- Implement account lockout after failed attempts
- Use secure session tokens (not predictable)
8. Data Integrity Failures
- Verify software updates and dependencies
- Use SRI (Subresource Integrity) for CDN scripts
- Sign and verify data in transit
9. Logging & Monitoring Gaps
- Log auth failures, access control failures, input validation failures
- Don't log sensitive data (passwords, tokens, PII)
- Set up alerts for suspicious patterns
10. SSRF (Server-Side Request Forgery)
- Validate and allowlist URLs for server-side requests
- Block requests to internal networks (169.254.x.x, 10.x.x.x)
- Don't pass user input directly to HTTP clients
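The three SSRF bullets above as one working guard, added here as an example and not part of the original checklist: it allowlists the scheme and host, then checks every address the host resolves to against link-local, private, loopback and reserved ranges, so a permitted hostname that points at 169.254.169.254 or 10.x.x.x is still refused. ALLOWED_HOSTS and the injectable resolver are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allowlist for this example; a real service lists only the hosts it must call.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def resolve_all(host):
    """Default resolver: every address the name currently resolves to (live DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(addr):
    """True for any address a server-side fetch must never reach:
    private, loopback, link-local (incl. 169.254.169.254), reserved, multicast."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_outbound_url(url, resolver=resolve_all):
    """Return (ok, reason). The resolver is injectable so tests run offline."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"  # 'a@b' makes naive host checks read 'a'
    host = parts.hostname  # urlsplit lower-cases it and strips the port
    if not host:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "name resolution failed"
    for addr in addrs:
        if is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"
```

Validating the resolved address still leaves a gap before the actual request, so connect to the address you validated (or re-check inside the HTTP client's connection hook) rather than letting the client resolve the name a second time.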
Why
These 10 categories account for the vast majority of web application breaches. Knowing them by heart prevents the most common security mistakes.
Gotchas
- Security is not a feature you add later - it must be considered from the start
- Client-side validation is UX, not security - always validate server-side
Context
Building secure web applications