Complete Guide to OWASP Top 10 Vulnerabilities 2024

What is Broken Access Control?

Broken access control occurs when users can access resources or perform actions they shouldn't be able to. This vulnerability moved to #1 in the 2021 OWASP Top 10, reflecting its prevalence and impact. Access control enforces policies ensuring users cannot act outside their intended permissions.

Real-World Attack Scenario

Consider an e-commerce application where a user can view their own orders at /api/orders/12345. An attacker discovers they can access other users' orders by simply changing the order ID:

// VULNERABLE CODE - No access control check
app.get('/api/orders/:orderId', (req, res) => {
    const order = db.getOrder(req.params.orderId);
    res.json(order); // Returns ANY user's order!
});

// SECURE CODE - With proper access control
app.get('/api/orders/:orderId', authenticateUser, (req, res) => {
    const order = db.getOrder(req.params.orderId);
    
    // Verify ownership
    if (order.userId !== req.user.id) {
        return res.status(403).json({ error: 'Access denied' });
    }
    
    res.json(order);
});

Common Attack Vectors

• Horizontal Privilege Escalation: Accessing another user's data by modifying IDs (e.g., changing ?userId=123 to ?userId=456)
• Vertical Privilege Escalation: Regular users accessing admin functions by manipulating URLs or API calls
• JWT Token Manipulation: Modifying JWT claims to change user roles or IDs
• Path Traversal: Accessing files outside intended directory (e.g., ../../../etc/passwd)
• IDOR (Insecure Direct Object Reference): Directly accessing objects by manipulating references

Case Study: Capital One Data Breach (2019)

A misconfigured web application firewall allowed an attacker to exploit a Server-Side Request Forgery (SSRF) vulnerability, which was combined with broken access control to access AWS metadata service and ultimately exfiltrate data from over 100 million customers.

Mitigation Strategies

1. Implement Role-Based Access Control (RBAC): Define clear roles and permissions
2. Enforce Access Control on Every Request: Never trust client-side controls
3. Use Access Control Lists (ACLs): Maintain explicit access lists for resources
4. Validate Ownership: Always verify resource ownership before access
5. Implement Principle of Least Privilege: Grant minimum necessary permissions
6. Use Framework Security Features: Leverage built-in authorization mechanisms
7. Log Access Control Failures: Monitor and alert on unauthorized access attempts

Testing for Broken Access Control

• Test with different user roles (regular user, admin, guest)
• Attempt to access resources belonging to other users
• Modify JWT tokens and session cookies
• Test API endpoints without authentication
• Use tools like Burp Suite, OWASP ZAP, or custom scripts

What are Cryptographic Failures?

Previously known as "Sensitive Data Exposure," this category focuses on failures related to cryptography, which often lead to exposure of sensitive data. Cryptographic failures occur when sensitive data is not properly protected through encryption, hashing, or other cryptographic mechanisms.

Real-World Impact

In 2021, a major healthcare provider exposed 3.5 million patient records due to unencrypted database backups stored in cloud storage. The breach resulted in HIPAA violations and millions in fines.

Common Vulnerabilities

• Transmitting Data in Clear Text: Using HTTP instead of HTTPS, unencrypted email (SMTP), or FTP
• Weak Hash Functions: Using MD5, SHA-1, or other deprecated algorithms
• Hardcoded Keys: Embedding encryption keys directly in source code
• Weak Encryption: Using DES, RC4, or weak key sizes
• Improper Key Management: No key rotation, sharing keys, or storing keys insecurely
• Missing Encryption: Storing sensitive data (passwords, PII, credit cards) without encryption

Code Example: Password Storage

// VULNERABLE - Using MD5 (deprecated and insecure)
const hash = require('crypto').createHash('md5');
const passwordHash = hash.update(password).digest('hex');
// MD5 is cryptographically broken and can be easily cracked

// VULNERABLE - Using SHA-1 (deprecated)
const hash = require('crypto').createHash('sha1');
const passwordHash = hash.update(password).digest('hex');

// SECURE - Using bcrypt with salt
const bcrypt = require('bcrypt');
const saltRounds = 12; // Higher = more secure but slower
const passwordHash = await bcrypt.hash(password, saltRounds);

// SECURE - Using Argon2 (recommended for new applications)
const argon2 = require('argon2');
const passwordHash = await argon2.hash(password, {
    type: argon2.argon2id,
    memoryCost: 65536, // 64 MB
    timeCost: 3,
    parallelism: 4
});

Encryption Best Practices

• Data in Transit: Always use TLS 1.2+ (preferably TLS 1.3)
• Data at Rest: Encrypt databases, file systems, and backups
• Key Management: Use HSMs, key management services (AWS KMS, Azure Key Vault)
• Key Rotation: Regularly rotate encryption keys
• Algorithm Selection: Use AES-256 for symmetric, RSA-2048+ or ECC-256+ for asymmetric
• Certificate Validation: Always validate SSL/TLS certificates

Compliance Requirements

• PCI DSS: Requires encryption of cardholder data in transit and at rest
• HIPAA: Mandates encryption of protected health information (PHI)
• GDPR: Requires appropriate technical measures for personal data protection
• SOX: Financial data must be encrypted and protected

What are Injection Attacks?

Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's malicious data can trick the interpreter into executing unintended commands or accessing unauthorized data. Injection attacks remain one of the most dangerous vulnerabilities, with SQL injection being particularly prevalent.

SQL Injection Attack Example

Consider a login form that constructs SQL queries directly from user input:

// VULNERABLE CODE - Direct string concatenation
String query = "SELECT * FROM users WHERE username = '" + 
               username + "' AND password = '" + password + "'";
ResultSet rs = stmt.executeQuery(query);

// Attacker input: username = "admin'--" and password = "anything"
// Resulting query: SELECT * FROM users WHERE username = 'admin'--' AND password = 'anything'
// The -- comments out the password check, allowing admin login!

// SECURE CODE - Parameterized queries
String query = "SELECT * FROM users WHERE username = ? AND password = ?";
PreparedStatement pstmt = conn.prepareStatement(query);
pstmt.setString(1, username);
pstmt.setString(2, password);
ResultSet rs = pstmt.executeQuery();

Types of Injection Attacks

• SQL Injection: Most common, affects databases. Can lead to data theft, data manipulation, or complete database compromise
• NoSQL Injection: Affects MongoDB, CouchDB, and other NoSQL databases. Example: {"$ne": null} in login bypass
• Command Injection: Executes system commands. Example: ; rm -rf / in file operations
• LDAP Injection: Affects directory services. Can expose user information
• XPath Injection: Affects XML-based applications
• OS Command Injection: Executes operating system commands
• Code Injection: Executes arbitrary code (e.g., eval() in JavaScript)

Real-World Impact: Equifax Breach (2017)

While not solely due to SQL injection, the Equifax breach exploited an injection vulnerability in Apache Struts, leading to the exposure of 147 million consumers' personal information. This breach cost Equifax over $1.4 billion in settlements and fines.

Advanced SQL Injection Techniques

• Union-Based: Using UNION to extract data from other tables
• Boolean-Based Blind: Inferring data through true/false responses
• Time-Based Blind: Using delays (SLEEP, WAITFOR) to extract data
• Error-Based: Exploiting error messages to extract information
• Second-Order: Storing malicious input for later execution

NoSQL Injection Example

// VULNERABLE CODE
const user = db.users.findOne({
    username: req.body.username,
    password: req.body.password
});

// Attacker sends: {"username": {"$ne": null}, "password": {"$ne": null}}
// This bypasses authentication by matching any non-null value!

// SECURE CODE - Validate and sanitize input
const username = validator.escape(req.body.username);
const password = validator.escape(req.body.password);
const user = db.users.findOne({
    username: username,
    password: password
});

Mitigation Strategies

1. Use Parameterized Queries: Always use prepared statements or parameterized queries
2. Input Validation: Whitelist allowed characters and validate input format
3. Output Encoding: Encode output to prevent injection in downstream systems
4. Least Privilege: Database users should have minimum necessary permissions
5. Use ORMs: Object-Relational Mappers provide built-in protection
6. Stored Procedures: Use stored procedures with parameter validation
7. WAF (Web Application Firewall): Deploy WAF to filter malicious requests
8. Regular Security Testing: Use automated scanners and manual testing

Testing Tools

• SQLMap - Automated SQL injection tool
• Burp Suite - Manual testing and exploitation
• OWASP ZAP - Automated vulnerability scanning
• NoSQLMap - NoSQL injection exploitation tool

What is Insecure Design?

Insecure design is a broad category representing different weaknesses, expressed as "missing or ineffective control design." This is about risks related to design and architectural flaws.

Common Examples:

• Missing threat modeling
• Insecure coding patterns
• Missing or ineffective control design

What is Security Misconfiguration?

Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.

Common Examples:

• Unnecessary features enabled or installed
• Default accounts and their passwords still enabled and unchanged
• Error handling that reveals stack traces or other overly informative error messages

What are Vulnerable Components?

You are likely vulnerable if you do not know the versions of all components you use, if the software is vulnerable, unsupported, or out of date.

Common Examples:

• Components that are not up to date
• Unsupported or outdated software
• Lack of security monitoring

What are Authentication Failures?

Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks.

Common Examples:

• Brute force attacks
• Use of weak passwords
• Session fixation attacks

What are Integrity Failures?

Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations.

Common Examples:

• Insecure deserialization
• Supply chain attacks
• Code integrity failures

What are Logging Failures?

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to persist with attacks.

Common Examples:

• Auditable events are not logged
• Warnings and errors generate no, inadequate, or unclear log messages
• Logs are not monitored for suspicious activity

What is SSRF?

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL.

Common Examples:

• Accessing internal services
• Port scanning internal networks
• Cloud metadata attacks