Dev Training: Top 10 Web Security Vulnerabilities

So the site’s live, but is it safe? Here’s OWASP’s guidelines for web security to avoid wrecking your day, and your users’ trust.

Web security is crucial for protecting user data and preventing breaches. The OWASP Top 10 is a list of the most critical security risks facing web applications. The latest edition (2021) reorganizes the most pressing vulnerabilities based on community input and real-world threat analysis. OWASP is currently working on the next update, expected to be released mid-2025. For more details, visit OWASP's official site.

1. Broken Access Control

Risk: Broken access control vulnerabilities occur when users can access resources or perform actions beyond their intended permissions. This can lead to unauthorized data exposure, account takeovers, or privilege escalation.

Why it matters: If malicious individuals can escalate privileges or browse to sensitive data they shouldn’t see, the consequences can be catastrophic, from personal data leaks and loss of customer trust to hefty regulatory fines and reputational damage.

Solution:

  • Implement role-based access control (RBAC) and enforce permissions server-side.
  • Use least privilege principles to restrict actions to necessary operations.
  • Log access control failures and review regularly.

2. Cryptographic Failures

Risk: Cryptographic failures result in weak protection of sensitive data, making it vulnerable to theft and exposure. This includes improper encryption, weak algorithms, and improper storage of secrets.

Why it matters: A poorly secured cryptographic scheme can leave sensitive information like personal details or payment data exposed to attackers, causing financial and legal repercussions, and eroding user confidence in your service.

Solution:

  • Use modern encryption standards like AES-256 and TLS 1.3.
  • Never store sensitive data in plaintext.
  • Implement secure key management practices.

3. Injection

Risk: Injection attacks occur when untrusted data is sent to an interpreter as part of a command or query, leading to data leaks or remote code execution.

Why it matters: It’s not just about database compromises (like SQL injection), injection flaws can allow hackers to run arbitrary code, read or modify sensitive data, and disrupt services.

Solution:

  • Use prepared statements and parameterized queries.
  • Sanitize and validate all user input.

Example: Preventing SQL Injection in Python (Flask & SQLite)

In this example, the python parameterised query prevents SQL injection by treating the input as data, not code and it avoids direct string concatenation.

import sqlite3
from flask import request

def get_user(username):
    conn = sqlite3.connect("database.db")
    cursor = conn.cursor()
    cursor.execute("SELECT * FROM users WHERE username = ?", (username,))
    return cursor.fetchone()

4. Insecure Design

Risk: This category highlights weaknesses in system design, rather than implementation flaws. Poorly designed authentication mechanisms, improper session handling, and lack of threat modeling fall under this category.

Why it matters: A fundamentally weak design can undermine all subsequent security layers. If the blueprint is flawed, patching issues after deployment can be highly expensive and sometimes impossible.

Solution:

  • Use secure design principles and patterns.
  • Perform regular threat modeling and security reviews.

5. Security Misconfiguration

Risk: Misconfigurations can expose applications to attack, such as running in debug mode, using default credentials, or leaving unnecessary services enabled.

Why it matters: Simple oversights like leaving default passwords in place can be incredibly easy for an attacker to exploit. A single misconfiguration can open the door to massive data breaches.

Solution:

  • Disable debugging and unnecessary services.
  • Apply security patches and updates promptly.
  • Implement security hardening guidelines.

6. Vulnerable and Outdated Components

Risk: Using outdated libraries and dependencies introduces security flaws that attackers can exploit.

Why it matters: Attackers often scan for known vulnerabilities in widely used components. If your app depends on an old, unpatched version, you become an easy target.

Solution:

  • Regularly update dependencies (pip list --outdated).
  • Use security tools like pip-audit or safety.

Additionally many free and paid tools exist to make this task easier, like the GitHub Dependabot.

7. Identification and Authentication Failures

Risk: Weak authentication mechanisms allow attackers to compromise accounts or bypass authentication entirely.

Why it matters: Imagine someone with stolen credentials or a brute-forced password waltzing into your system. Failing to secure user identities can unravel your entire security setup.

Solution:

  • Implement multi-factor authentication (MFA).
  • Use secure password hashing (e.g., bcrypt, Argon2).

Example: Hashing passwords securely in Python

from bcrypt import hashpw, gensalt

def hash_password(password):
    return hashpw(password.encode(), gensalt())

8. Software and Data Integrity Failures

Risk: This category includes issues like insecure CI/CD pipelines, unsigned software updates, and unverified data integrity, leading to unauthorized code execution.

Why it matters: If an attacker injects malicious code in your pipeline or modifies software updates, they can compromise not only your application but potentially the systems and data of every user who relies on your service.

Solution:

  • Use code-signing and verification mechanisms.
  • Secure CI/CD pipelines with integrity checks.

9. Security Logging and Monitoring Failures

Risk: Insufficient logging and monitoring can allow attackers to exploit vulnerabilities without detection, making incident response difficult.

Why it matters: Without proper logs and alerts, you’re essentially blind to malicious activities. Threat actors can roam freely, exfiltrating data and causing havoc.

Solution:

  • Implement structured logging (logging module in Python).
  • Set up alerts for suspicious activities.

Example: Basic Logging in Python

import logging
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
logging.info("User login attempt")

10. Server-Side Request Forgery (SSRF)

Risk: SSRF vulnerabilities allow attackers to manipulate server-side requests to access internal services or sensitive data. These attacks can exploit misconfigured APIs, cloud metadata services, or open internal endpoints, potentially leading to unauthorized data access, internal network scanning, and even remote code execution. In cloud environments, SSRF can be particularly dangerous, allowing attackers to obtain credentials or perform lateral movement within the infrastructure.

Why it matters: SSRF can turn your own server into a tool for mischief, letting attackers pivot deeper into your network and potentially cause large-scale breaches.

Solution:

  • Validate and sanitize user input for URLs.
  • Restrict outgoing requests from the application.
  • Implement network segmentation to limit exposure.

Understanding and mitigating these security risks is essential for building secure web applications. Regular security audits, keeping dependencies updated, and following best practices can help reduce vulnerabilities and protect your users. Stay up-to-date with OWASP's upcoming 2025 update by visiting OWASP's official site.