OWASP Top 10

OWASP Top 10 2021 - Complete Penetration Testing Summary

A comprehensive reference guide for web application security testing

---

A01: Broken Access Control

Risk Level: Critical | Prevalence: Very High

What It Is

Applications fail to properly enforce restrictions on what authenticated users are allowed to do, leading to unauthorized access to data or functionality.

Key Attack Vectors

• Vertical Privilege Escalation: Regular user accessing admin functions

• Horizontal Privilege Escalation: User A accessing User B's data

• IDOR (Insecure Direct Object References): Manipulating object IDs in URLs

• Missing Function Level Access Control: Accessing restricted API endpoints

Quick Test Methods

# Test parameter manipulation
/user/profile?id=123 → /user/profile?id=456
/admin/dashboard (as regular user)
POST /api/admin/users (check if accessible)

# JWT manipulation
# Decode JWT, change role/user_id, re-encode

Common Bypass Techniques

• HTTP method manipulation (GET → POST)

• Parameter pollution

• Path traversal in URLs

• Referer header manipulation

---

A02: Cryptographic Failures

Risk Level: High | Prevalence: High

What It Is

Failures related to cryptography (or lack thereof) which lead to exposure of sensitive data through weak encryption, poor key management, or missing encryption.

Key Areas to Test

• Weak Encryption Algorithms: MD5, SHA1, DES, RC4

• Hardcoded Keys: Secrets in source code or configuration

• Missing Encryption: Sensitive data in plaintext

• Poor Implementation: Custom crypto, predictable keys

Quick Test Methods

# Check SSL/TLS configuration
nmap --script ssl-enum-ciphers -p 443 target.com
sslscan target.com

# Look for hardcoded secrets
grep -r "password\|secret\|key" /source/code/
strings binary | grep -E "(password|key|secret)"

# Test password storage
# Register user, check database/responses for plaintext passwords

Red Flags

• Predictable session tokens

• Passwords stored in plaintext/MD5

• Missing HTTPS on sensitive pages

• Weak random number generation

---

A03: Injection

Risk Level: Critical | Prevalence: High

What It Is

Untrusted data is sent to an interpreter as part of a command or query, allowing attackers to execute unintended commands or access data.

Major Injection Types

• SQL Injection: Database command injection

• NoSQL Injection: Document database injection

• Command Injection: OS command execution

• LDAP/XPath Injection: Directory service manipulation

Quick Test Payloads

-- SQL Injection
' OR '1'='1
'; DROP TABLE users; --
' UNION SELECT 1,2,3 --

-- Command Injection  
; whoami
| ls -la
`id`

-- NoSQL Injection
{"$ne": null}
{"$regex": ".*"}

Testing Methodology

1. Identify injection points: All user inputs

2. Test with special characters: ', ", ;, |, &

3. Escalate systematically: Error-based → Blind → Time-based

4. Use automated tools: SQLMap, NoSQLMap, Commix

---

A04: Insecure Design

Risk Level: High | Prevalence: Medium

What It Is

Fundamental flaws in application architecture and design that cannot be fixed with implementation changes alone.

Design Flaw Categories

• Missing Security Controls: No rate limiting, weak authentication

• Business Logic Flaws: Race conditions, workflow bypasses

• Architecture Issues: Overprivileged components, insecure communication

Testing Approach

# Business logic testing
# 1. Map application workflow
# 2. Test edge cases and race conditions
# 3. Bypass workflow steps
# 4. Test negative values/scenarios

# Example: E-commerce testing
# - Negative quantities in cart
# - Skip payment steps  
# - Concurrent transactions
# - Price manipulation

Key Focus Areas

• Authentication mechanisms design

• Session management architecture

• Data flow and trust boundaries

• Failure handling and error states

---

A05: Security Misconfiguration

Risk Level: High | Prevalence: Very High

What It Is

Applications, frameworks, servers, or platforms are insecurely configured, including default configurations, incomplete setups, and overly verbose error handling.

Common Misconfigurations

• Default Credentials: admin/admin, root/root

• Unnecessary Features: Debug modes, sample applications

• Verbose Error Messages: Stack traces, database errors

• Missing Security Headers: HSTS, CSP, X-Frame-Options

Quick Security Scan

# Check for common misconfigurations
nikto -h target.com
dirb http://target.com /usr/share/wordlists/dirb/common.txt

# Test common admin interfaces
/admin, /administrator, /wp-admin, /phpmyadmin
/manager/html, /console, /dashboard

# Check HTTP headers
curl -I https://target.com
# Look for missing: HSTS, CSP, X-Frame-Options, etc.

Automated Detection

• Nessus, OpenVAS for infrastructure

• Nuclei templates for web applications

• Custom Burp extensions

• Cloud security scanners (AWS Inspector, etc.)

---

A06: Vulnerable and Outdated Components

Risk Level: High | Prevalence: Very High

What It Is

Applications using components (libraries, frameworks, modules) with known vulnerabilities or that are unsupported/outdated.

Detection Methods

# Identify technologies
whatweb target.com
wappalyzer (browser extension)
builtwith.com

# Check for known vulnerabilities
# Frontend libraries
retire.js --outputformat json

# Server-side components  
nmap --script vuln target.com
searchsploit "apache 2.4.29"

Common Vulnerable Components

• Web Servers: Apache, Nginx, IIS

• Application Servers: Tomcat, JBoss

• Frameworks: Spring, Django, Rails

• Libraries: jQuery, Bootstrap, third-party packages

• CMS: WordPress, Drupal, Joomla plugins

Systematic Approach

1. Fingerprint all components

2. Check CVE databases

3. Test for known exploits

4. Verify patch levels

5. Check end-of-life status

---

A07: Identification and Authentication Failures

Risk Level: High | Prevalence: High

What It Is

Functions related to user identity, authentication, and session management are implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens.

Key Vulnerability Areas

• Weak Passwords: No complexity requirements, common passwords

• Credential Stuffing: Reused passwords from breaches

• Session Management: Weak session IDs, session fixation

• Multi-factor Authentication: Bypassable or missing MFA

Testing Checklist

# Password policy testing
# - Try common passwords: admin, password123
# - Test password complexity requirements
# - Check for account lockout policies

# Session management
# - Session ID entropy analysis
# - Session fixation testing  
# - Concurrent session handling
# - Session timeout verification

# Authentication bypass
# - SQL injection in login forms
# - Authentication logic flaws
# - Remember me functionality
# - Password reset mechanisms

Common Attack Patterns

• Brute force attacks on login forms

• Session hijacking and fixation

• JWT manipulation and attacks

• OAuth implementation flaws

---

A08: Software and Data Integrity Failures

Risk Level: High | Prevalence: Medium

What It Is

Applications rely on plugins, libraries, or modules from untrusted sources without verifying integrity, or use insecure CI/CD pipelines.

Key Attack Scenarios

• Supply Chain Attacks: Malicious packages in repositories

• Insecure Deserialization: PHP object injection, Java deserialization

• CI/CD Compromise: Unauthorized code modifications

• Auto-update Attacks: MITM attacks on update mechanisms

Testing Techniques

# Deserialization testing
# Look for serialized data patterns:
# Java: rO0AB (base64)
# PHP: YTo (base64)  
# Python: gASV (pickle)

# Dependency analysis
npm audit
pip-audit
OWASP Dependency-Check

# Test deserialization endpoints
# Use ysoserial for Java
# Use phpggc for PHP
# Custom pickle payloads for Python

Detection Focus

• Identify serialization formats in requests

• Check for integrity verification mechanisms

• Test auto-update functionality

• Review CI/CD pipeline security

---

A09: Security Logging and Monitoring Failures

Risk Level: Medium | Prevalence: High

What It Is

Applications fail to detect, escalate, and respond to active breaches due to insufficient logging, monitoring, and incident response.

What This Means for Pentesters

• Successful attacks may go undetected

• Extended dwell time possible

• Lateral movement less likely to be detected

• Evidence of compromise may be minimal

Testing Approach

# Test logging coverage
# 1. Generate various attack attempts
# 2. Check if events are logged
# 3. Verify log content quality
# 4. Test log injection attacks

# Common log locations
/var/log/apache2/access.log
/var/log/nginx/access.log  
/var/log/auth.log
/var/log/syslog

# Log injection testing
# Inject CRLF characters in user inputs
# Test for log poisoning vulnerabilities

Red Flags During Assessment

• No logging of authentication events

• Generic error messages

• Logs accessible to unauthorized users

• No real-time alerting

• Missing audit trails for high-value transactions

---

A10: Server-Side Request Forgery (SSRF)

Risk Level: High | Prevalence: Medium

What It Is

Applications fetch remote resources without validating user-supplied URLs, allowing attackers to coerce the application to send requests to unintended destinations.

Major Attack Scenarios

• Cloud Metadata Access: AWS/GCP/Azure credential theft

• Internal Network Scanning: Port scanning via SSRF

• Internal Service Access: Bypass network controls

• File Disclosure: Local file access via file:// protocol

Quick Testing Methods

# Basic SSRF detection
curl "https://target.com/fetch?url=http://collaborator.net"

# Cloud metadata exploitation
http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Internal network access
http://127.0.0.1:8080/admin/
http://localhost:6379/ (Redis)
http://127.0.0.1:9200/ (Elasticsearch)

# File disclosure
file:///etc/passwd
file:///proc/self/environ

Advanced Bypass Techniques

• IP encoding (decimal, hex, octal)

• DNS rebinding attacks

• HTTP redirects

• Protocol smuggling (gopher://, dict://)

• Unicode normalization

---

Testing Methodology Summary

1. Reconnaissance Phase

• Technology fingerprinting

• Directory/file enumeration

• Parameter discovery

• Architecture mapping

2. Vulnerability Assessment

• Automated scanning (Burp, OWASP ZAP, Nuclei)

• Manual testing per OWASP category

• Business logic testing

• Configuration review

3. Exploitation Phase

• Proof of concept development

• Impact demonstration

• Chain vulnerabilities for maximum impact

• Document evidence

4. Reporting Phase

• Risk-based prioritization

• Clear remediation guidance

• Business impact analysis

• Retest verification

Essential Testing Tools

Automated Scanners

• Burp Suite Professional: Comprehensive web app testing

• OWASP ZAP: Free alternative to Burp

• Nuclei: Fast template-based scanner

• Nikto: Web server scanner

Specialized Tools

• SQLMap: SQL injection testing

• XSSer: Cross-site scripting detection

• Dirb/Gobuster: Directory enumeration

• Nmap: Network and service discovery

Manual Testing Extensions

• Burp Extensions: Logger++, Autorize, Backslash Powered Scanner

• Browser Extensions: Wappalyzer, FoxyProxy

• Collaborator Services: Burp Collaborator, interactsh

---

Risk Assessment Matrix

Vulnerability	Exploitability	Prevalence	Impact	Overall Risk
A01: Broken Access Control	High	Very High	High	Critical
A02: Cryptographic Failures	Medium	High	High	High
A03: Injection	High	High	High	Critical
A04: Insecure Design	Medium	Medium	High	High
A05: Security Misconfiguration	High	Very High	Medium	High
A06: Vulnerable Components	High	Very High	Medium	High
A07: Auth Failures	High	High	High	High
A08: Integrity Failures	Medium	Medium	High	High
A09: Logging Failures	Low	High	Medium	Medium
A10: SSRF	High	Medium	High	High

---

This summary serves as a quick reference for penetration testers conducting web application security assessments. For detailed exploitation techniques and comprehensive testing methodologies, refer to the individual vulnerability guides.

Created for penetration testers, by penetration testers.