OWASPweb securityvulnerabilitiessecurity guide

Complete Guide to OWASP Top 10 Vulnerabilities (2024)

2025-01-17
5 min read

Learn about the top 10 most critical web application security risks and how to prevent them with detailed examples and best practices.

Web application security is one of the most critical aspects of modern development. The OWASP (Open Web Application Security Project) publishes an annual list of the most dangerous web application security risks. This guide provides an in-depth look at the 2024 OWASP Top 10 vulnerabilities.

1. Broken Access Control

Description

Users can access data or functions beyond their intended permissions.

Example

// Vulnerable code
app.get('/user/:id/profile', (req, res) => {
  const userId = req.params.id;
  // No comparison with current logged-in user
  const profile = getUserProfile(userId);
  res.json(profile);
});

// Secure code
app.get('/user/:id/profile', authenticateUser, (req, res) => {
  const userId = req.params.id;
  // Add authorization check
  if (req.user.id !== userId && !req.user.isAdmin) {
    return res.status(403).json({ error: 'Unauthorized access' });
  }
  const profile = getUserProfile(userId);
  res.json(profile);
});

Prevention

  • Implement access control on all API endpoints
  • Use session-based or JWT authentication
  • Apply the principle of least privilege

2. Cryptographic Failures

Description

Occurs when sensitive data is not properly encrypted or weak encryption is used.

Prevention

  • Use HTTPS for data in transit
  • Hash passwords with strong algorithms like bcrypt or Argon2
  • Encrypt sensitive data at rest
// Password hashing with bcrypt
const bcrypt = require('bcrypt');

async function hashPassword(password) {
  const saltRounds = 10;
  return await bcrypt.hash(password, saltRounds);
}

async function verifyPassword(password, hash) {
  return await bcrypt.compare(password, hash);
}

3. Injection

Description

Occurs when untrusted data is sent as part of a command or query.

SQL Injection Example

// Vulnerable code
const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;

// Secure code (using Prepared Statements)
const query = 'SELECT * FROM users WHERE username = ? AND password = ?';
db.query(query, [username, hashedPassword]);

Prevention

  • Use Prepared Statements or Parameterized Queries
  • Use ORMs (Sequelize, TypeORM, etc.)
  • Validate and escape input

4. Insecure Design

Description

Security flaws in the design phase that cannot be fixed through implementation.

Prevention

  • Perform threat modeling
  • Apply secure design patterns
  • Consider security from the initial development stage

5. Security Misconfiguration

Description

Vulnerabilities due to incomplete or incorrect security configurations.

Checklist

  • Remove unnecessary features, pages, and accounts
  • Change default accounts and passwords
  • Disable detailed error messages
  • Set security headers (CSP, HSTS, etc.)
// Express.js security headers
const helmet = require('helmet');
app.use(helmet());

// Hide detailed error messages
app.use((err, req, res, next) => {
  console.error(err.stack);
  res.status(500).json({
    error: process.env.NODE_ENV === 'production'
      ? 'Internal server error'
      : err.message
  });
});

6. Vulnerable and Outdated Components

Description

Using libraries or frameworks with known vulnerabilities.

Prevention

  • Regularly update dependencies
  • Run npm audit or yarn audit
  • Use tools like Dependabot or Snyk
# Check for vulnerabilities
npm audit

# Auto-fix
npm audit fix

# Force update
npm audit fix --force

7. Identification and Authentication Failures

Description

Vulnerabilities due to weak authentication mechanisms.

Prevention

  • Implement multi-factor authentication (MFA)
  • Enforce strong password policies
  • Set session timeouts
  • Prevent brute force attacks
// Rate limiting
const rateLimit = require('express-rate-limit');

const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5, // Max 5 attempts
  message: 'Too many login attempts. Please try again after 15 minutes.'
});

app.post('/login', loginLimiter, loginHandler);

8. Software and Data Integrity Failures

Description

Occurs when code and infrastructure don't verify integrity.

Prevention

  • Integrate security scans into CI/CD pipeline
  • Use digital signatures
  • Apply Subresource Integrity (SRI)
<!-- Loading external script with SRI -->
<script
  src="https://cdn.example.com/library.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
  crossorigin="anonymous">
</script>

9. Security Logging and Monitoring Failures

Description

Failing to properly log and monitor security events, making attacks undetectable.

Prevention

  • Log all authentication attempts
  • Log important transactions
  • Set up real-time monitoring and alerts
// Security logging with Winston
const winston = require('winston');

const securityLogger = winston.createLogger({
  level: 'info',
  format: winston.format.json(),
  transports: [
    new winston.transports.File({ filename: 'security.log' })
  ]
});

// Log login attempts
app.post('/login', (req, res) => {
  securityLogger.info({
    event: 'login_attempt',
    username: req.body.username,
    ip: req.ip,
    timestamp: new Date(),
    userAgent: req.get('user-agent')
  });
  // Login logic...
});

10. Server-Side Request Forgery (SSRF)

Description

Occurs when an application fetches remote resources without validating user input.

Example

// Vulnerable code
app.get('/fetch', async (req, res) => {
  const url = req.query.url;
  const response = await fetch(url); // Dangerous!
  res.send(await response.text());
});

// Secure code
app.get('/fetch', async (req, res) => {
  const url = req.query.url;

  // URL whitelist validation
  const allowedDomains = ['api.example.com', 'cdn.example.com'];
  const urlObj = new URL(url);

  if (!allowedDomains.includes(urlObj.hostname)) {
    return res.status(403).json({ error: 'Domain not allowed' });
  }

  const response = await fetch(url);
  res.send(await response.text());
});

Automated Vulnerability Scanning with VibeScan

Manually checking for all OWASP Top 10 vulnerabilities is time-consuming. With VibeScan, you can automatically scan for 12,000+ vulnerability patterns in just 5 minutes.

VibeScan Benefits

  • ✅ Complete OWASP Top 10 automated scanning
  • ✅ Nuclei & ZAP engine-based
  • ✅ AI-powered vulnerability prioritization
  • ✅ Ready-to-apply fix code

Conclusion

The OWASP Top 10 is the foundation of web application security. Understanding each vulnerability and applying appropriate defenses can prevent most security incidents.

Security is not a one-time achievement but requires continuous effort. Maintain secure web applications through regular security checks with VibeScan.

References:

Start Security Scanning with VibeScan Now

Automatically scan 12,000+ vulnerability patterns in 5 minutes