Introduction

The OWASP Top 10 is a globally recognized awareness document listing the most critical security risks to web applications. Maintained by the Open Worldwide Application Security Project (OWASP), it is revised every few years (the current edition is 2021) from vulnerability data contributed by organizations worldwide, supplemented by a community survey of security practitioners.

This guide explores each of the OWASP Top 10 vulnerabilities, explains how they work, how attackers exploit them, and most importantly, how to mitigate them using secure coding practices and security tools—including examples with Kali Linux.


1. Broken Access Control

Description:

Broken access control is the failure to enforce what a user, authenticated or not, is allowed to see or do. When the server trusts identifiers or role claims supplied by the client instead of checking them against the session, an attacker can reach other users' data or administrative functions.

Real-World Example:

An attacker changes the identifier in the URL from /profile/123 to /profile/124 and views another user's profile, because the server checks only that someone is logged in, not that the requested profile belongs to them. This is an insecure direct object reference (IDOR).

Impact:

  • Unauthorized data access

  • Privilege escalation

  • Data manipulation or deletion

Mitigation:

  • Enforce access control on the server for every request; hiding links or buttons in the UI is not a control

  • Implement role-based access control (RBAC) and also check object ownership, not just the role

  • Deny by default: grant access only through explicit rules, and log access-control failures
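The profile example above in code. This is an added example, not code from the original article: a Python handler for the /profile/<id> lookup that trusts the URL, beside a hardened version with an ownership check and deny-by-default RBAC. The in-memory profile table, the user roles and the Forbidden exception are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str          # "user" or "admin" (constructed roles)


# Constructed profile table: profile id -> owner id and data.
PROFILES = {
    123: {"owner_id": 123, "email": "alice@example.com"},
    124: {"owner_id": 124, "email": "bob@example.com"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to access the object."""


def get_profile_insecure(current_user: User, profile_id: int) -> dict:
    # Vulnerable: the id comes straight from the URL and is trusted. Being
    # logged in is the only check, so any user can read any profile.
    return PROFILES[profile_id]


def can_read_profile(current_user: User, profile_id: int) -> bool:
    """Authorization decision: deny unless an explicit rule grants access."""
    profile = PROFILES.get(profile_id)
    if profile is None:
        return False                                   # unknown object: deny
    if current_user.role == "admin":
        return True                                    # RBAC: admins may read all
    return profile["owner_id"] == current_user.id      # owner may read their own


def get_profile_secure(current_user: User, profile_id: int) -> dict:
    # Hardened: object-level ownership is checked on every request.
    if not can_read_profile(current_user, profile_id):
        # Same response for "does not exist" and "not yours", so the
        # attacker cannot enumerate valid profile ids.
        raise Forbidden(f"user {current_user.id} may not read profile {profile_id}")
    return PROFILES[profile_id]


if __name__ == "__main__":
    alice = User(id=123, role="user")
    print(get_profile_insecure(alice, 124))            # leaks Bob's email
    try:
        get_profile_secure(alice, 124)
    except Forbidden as exc:
        print("blocked:", exc)
```

The decision lives in one function (can_read_profile) so every route that exposes a profile reuses it; scattered ad-hoc checks are how one endpoint ends up forgotten.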


2. Cryptographic Failures (Formerly: Sensitive Data Exposure)

Description:

This risk involves failing to properly protect sensitive data through encryption or hashing. Examples include transmitting data over HTTP, weak encryption algorithms, or storing passwords in plaintext.

Real-World Example:

An e-commerce site transmits credit card data in plaintext over HTTP.

Impact:

  • Identity theft

  • Financial fraud

  • GDPR and legal violations

Mitigation:

  • Use HTTPS everywhere (TLS 1.2 or later, preferably 1.3) and enable HSTS so browsers refuse plaintext connections

  • Classify data, do not retain sensitive data you do not need, and encrypt what you keep, at rest and in transit

  • Never store passwords in plaintext or with a fast unsalted hash such as MD5 or SHA-1; use a salted, slow password hash (bcrypt, scrypt, or Argon2)
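As an added example (not from the original article), here is password storage done the way the last bullet describes, using scrypt from the Python standard library so it runs without extra packages. The cost parameters and the record format are assumptions; tune the cost to your hardware, and Argon2id via a maintained library is an equally good choice.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters (assumed values; 2**14 work factor, 8 KiB blocks,
# no parallelism). Memory use is 128 * r * n bytes = 16 MiB here.
N, R, P = 2 ** 14, 8, 1
SALT_LEN = 16
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_b64$key_b64.

    A fresh random salt per user means identical passwords produce
    different records, defeating precomputed (rainbow) tables.
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P,
                         dklen=KEY_LEN)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"scrypt${N}${R}${P}${b64(salt)}${b64(key)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time, so timing does not leak how many bytes matched."""
    try:
        algo, n, r, p, salt_b64, key_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        n, r, p = int(n), int(r), int(p)
    except (ValueError, TypeError):
        return False                     # malformed record never verifies
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def unsalted_md5(password: str) -> str:
    # The anti-pattern from the bullet above: fast and unsalted, so a leaked
    # table is cracked with off-the-shelf wordlists and every reuse is visible.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("wrong", rec))                          # False
    # Two users with the same password: identical MD5, distinct scrypt records.
    print(unsalted_md5("hunter2") == unsalted_md5("hunter2"))     # True
    print(hash_password("hunter2") == hash_password("hunter2"))   # False
```

Storing the parameters inside the record is what lets you raise the cost later and re-hash users transparently at their next login.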


3. Injection (e.g., SQL, NoSQL, OS command, LDAP; since 2021 this category also includes Cross-Site Scripting)

Description:

Injection attacks occur when untrusted data is sent to an interpreter as part of a command or query. Attackers can trick the interpreter into executing unintended commands.

Real-World Example:

sql

SELECT * FROM users WHERE username = '$username' AND password = '$password';

If $username and $password are pasted into the query text, an attacker who submits ' OR '1'='1 as the password turns the WHERE clause into ... AND password = '' OR '1'='1', which is true for every row, so the login succeeds without a valid password.

Impact:

  • Unauthorized access

  • Data loss or corruption

  • Full system compromise

Mitigation:

  • Use prepared statements and parameterized queries, so data never becomes part of the query text

  • Validate input (type, length, allowlisted format) as defence in depth; it is not a substitute for parameterization

  • ORM (Object Relational Mapping) libraries parameterize by default, but raw-SQL escape hatches and string-built filters reintroduce the flaw

Tool: sqlmap (Kali Linux)

bash

sqlmap -u "http://example.com/page?id=1"
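The login query from the text, run both ways. This added example (not part of the original article) builds an in-memory SQLite database with two constructed accounts and shows the ' OR '1'='1 payload bypassing the string-built query while the parameterized version rejects it.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed test database; the password column is a toy value
    (see section 2 for how passwords should really be stored)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("admin", "correct-horse")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Untrusted input is concatenated into the statement, so input becomes
    # SQL syntax. With password = ' OR '1'='1 the statement reads:
    #   ... WHERE username = 'nobody' AND password = '' OR '1'='1'
    # AND binds tighter than OR, so the tautology matches every row.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders send values separately from the statement text; the
    # driver can never let them alter the statement's structure.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "alice", "s3cret"))        # True  (legitimate)
    print(login_vulnerable(conn, "nobody", PAYLOAD))         # True  (bypass)
    print(login_parameterized(conn, "nobody", PAYLOAD))      # False (payload is just a string)
    print(login_parameterized(conn, "alice", "s3cret"))      # True
```

The parameterized version is not "escaping": the payload is compared literally against the password column, which is exactly the behaviour sqlmap is probing for when it reports a parameter as not injectable.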

4. Insecure Design

Description:

Insecure design covers flaws in the architecture or business logic of a system rather than bugs in its implementation. OWASP's point is that a perfect implementation cannot fix an insecure design: missing controls have to be identified up front through threat modeling and secure design patterns.

Real-World Example:

A multi-tenant application doesn’t enforce strict separation between tenants, allowing data leakage.

Impact:

  • Data exposure

  • System-wide compromise

Mitigation:

  • Perform threat modeling during design, covering authentication, access control, business logic and key data flows

  • Adopt a secure software development lifecycle (SSDLC) with security requirements and design reviews

  • Enforce business logic validation on the server, including limits on how often an action can be performed


5. Security Misconfiguration

Description:

This involves incorrect configuration of security headers, cloud storage permissions, software, or default accounts.

Real-World Example:

An admin panel is publicly accessible at /admin without authentication.

Impact:

  • Remote code execution

  • Data leakage

  • Unauthorized system control

Mitigation:

  • Harden server configurations

  • Use automated scanning tools

  • Change default credentials

Tool: nikto, nmap, wpscan
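As an added example (not from the original article), this is the kind of configuration check nikto automates, written out in Python: parse the headers of two constructed HTTP responses, one a typical default install and one hardened, and report what is missing or leaking. The baseline (HSTS, CSP, nosniff, clickjacking protection, no version disclosure, Secure/HttpOnly cookies) is an assumed one.

```python
import re
from email.parser import Parser

# Two constructed responses: a default-looking install and a hardened one.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=def456; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_response(raw: str) -> dict:
    """Map lower-cased header names to lists of values (headers may repeat)."""
    _status, _, header_text = raw.partition("\r\n")
    headers = {}
    for name, value in Parser().parsestr(header_text).items():
        headers.setdefault(name.lower(), []).append(value)
    return headers


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the baseline is met."""
    def first(name):
        values = headers.get(name.lower())
        return values[0] if values else None

    findings = []
    csp = first("Content-Security-Policy") or ""
    if first("Strict-Transport-Security") is None:
        findings.append("missing Strict-Transport-Security")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if (first("X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if first("X-Frame-Options") is None and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    server = first("Server") or ""
    if re.search(r"\d+\.\d+", server):                 # version string present
        findings.append(f"Server header discloses version: {server}")
    if first("X-Powered-By") is not None:
        findings.append("X-Powered-By discloses the technology stack")
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(parse_response(raw)))
```

Run against a live site this would read the headers from an HTTP client instead of a string; the checks themselves do not change. Version disclosure is not a vulnerability by itself, but it is the first thing an attacker feeds into a CVE search.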


6. Vulnerable and Outdated Components

Description:

Using libraries, frameworks, or software with known vulnerabilities can lead to exploitation.

Real-World Example:

In 2017 Equifax was breached through an unpatched Apache Struts vulnerability (CVE-2017-5638) for which a fix had been available for months.

Impact:

  • Full system compromise

  • Malware infection

  • Data theft

Mitigation:

  • Keep an inventory of every component and its version (an SBOM) and scan it with dependency checkers (OWASP Dependency-Check, Snyk)

  • Regularly update components and remove the ones you no longer use

  • Subscribe to CVE and vendor security advisories for the components you ship
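The core of a dependency checker, as an added example that is not from the original article: pinned versions from a requirements file are matched against an advisory list with version ranges. Package names, versions and advisory ids here are all constructed (no real package is being described); real tools pull this data from the NVD, OSV or the GitHub Advisory Database.

```python
import re

# Constructed requirements.txt content.
REQUIREMENTS = """\
examplelib==2.3.7
imaging-toolkit==1.4.0
safe-util==0.9.2   # pinned for reproducible builds
"""

# Constructed advisories; "affected" is a comma-separated constraint list.
ADVISORIES = [
    {"id": "ADV-0001", "package": "examplelib",
     "affected": ">=2.0.0,<2.3.9", "fixed": "2.3.9"},
    {"id": "ADV-0002", "package": "imaging-toolkit",
     "affected": ">=1.0.0,<1.4.0", "fixed": "1.4.0"},
]


def parse_version(v: str) -> tuple:
    """Turn '2.3.7' into (2, 3, 7). Simplified: real tools implement PEP 440
    (pre-releases, post-releases, local versions) via packaging.version."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def in_range(version: str, spec: str) -> bool:
    """Evaluate every constraint in spec (>=, <=, >, <, ==) against version."""
    v = parse_version(version)
    for constraint in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|>|<|==)\s*([\w.]+)\s*", constraint)
        if not m:
            raise ValueError(f"bad constraint: {constraint!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        holds = {">=": v >= bound, "<=": v <= bound, ">": v > bound,
                 "<": v < bound, "==": v == bound}[op]
        if not holds:
            return False
    return True


def parse_requirements(text: str) -> dict:
    """Return {package_name_lower: pinned_version} for exact (==) pins."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()           # drop comments
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([\w.]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def check_requirements(text: str, advisories=ADVISORIES) -> list:
    """Return (package, pinned_version, advisory_id, fixed_version) per hit."""
    pins = parse_requirements(text)
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is not None and in_range(pinned, adv["affected"]):
            findings.append((adv["package"], pinned, adv["id"], adv["fixed"]))
    return findings


if __name__ == "__main__":
    for package, pinned, adv_id, fixed in check_requirements(REQUIREMENTS):
        print(f"{package}=={pinned} is affected by {adv_id}; upgrade to {fixed}")
```

The interesting case is the boundary: imaging-toolkit 1.4.0 is the fixed release and is correctly not reported, which is why advisory data uses half-open ranges (">= first affected, < first fixed").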


7. Identification and Authentication Failures

Description:

Flaws in authentication mechanisms can allow attackers to compromise passwords, keys, or session tokens.

Real-World Example:

No account lockout mechanism allows brute-force attacks.

Impact:

  • Account takeover

  • Privilege escalation

Mitigation:

  • Implement MFA (Multi-Factor Authentication)

  • Enforce strong password policies

  • Monitor login attempts

Tool: Hydra (Kali Linux)

bash

hydra -l admin -P passwords.txt target.com http-post-form "/login:username=^USER^&password=^PASS^:F=Login failed"

The third colon-separated field is required: it tells Hydra how to recognise a failed attempt (F=<string> matches text in a failure response, S=<string> matches a success response). Replace "Login failed" with the text your target actually returns on bad credentials, otherwise every attempt is reported as a hit.
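The server-side counterpart to the Hydra run above, as an added example that is not from the original article: a per-account failure counter with a temporary lockout and a progressive delay, using an injectable clock so it can be tested without waiting. The thresholds and the toy credential store are assumptions.

```python
import time


class LoginThrottle:
    """Track failed logins per account; lock the account after max_failures."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                 # injectable for tests
        self._failures = {}                # account -> consecutive failures
        self._locked_until = {}            # account -> unlock time

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: reset so the user starts with a clean window.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> None:
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)

    def retry_delay(self, account: str) -> float:
        """Seconds to wait before answering: 1, 2, 4, ... capped at 30.
        Slows a single-threaded brute force without locking anyone out."""
        count = self._failures.get(account, 0)
        return 0.0 if count == 0 else float(min(2 ** (count - 1), 30))


# Constructed credential store with a toy comparison; section 2 shows
# how passwords should actually be stored and verified.
CREDENTIALS = {"admin": "correct-horse"}


def attempt_login(throttle: LoginThrottle, account: str, password: str) -> str:
    """Return 'locked', 'ok' or 'failed'. The same 'failed' answer is given
    for unknown accounts and wrong passwords so usernames cannot be enumerated."""
    if throttle.is_locked(account):
        return "locked"
    if CREDENTIALS.get(account) == password:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "failed"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    for guess in ["password", "123456", "admin", "correct-horse"]:
        print(guess, "->", attempt_login(throttle, "admin", guess),
              "delay", throttle.retry_delay("admin"))
```

Account lockout can itself be abused to lock real users out (an attacker only needs the username), so pair it with per-IP and per-session throttling, MFA and alerting rather than relying on it alone.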

8. Software and Data Integrity Failures

Description:

These failures occur when applications rely on insecure software updates, plugins, or code repositories without integrity verification.

Real-World Example:

Unverified automatic updates deliver malicious code via MITM.

Impact:

  • Malware infection

  • Supply chain attacks

Mitigation:

  • Use signed packages and software updates, and verify the signature before installing

  • Implement code signing verification in build and deploy pipelines, and restrict who can change pipeline configuration

  • Enable Subresource Integrity (SRI) for scripts and stylesheets loaded from CDNs
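Two of the mitigations above in code, as an added example that is not from the original article: computing and checking an SRI integrity value, and verifying a downloaded update against a signed manifest before trusting it. An HMAC with a shared key stands in for the publisher's signature so the block runs offline; a real update channel uses an asymmetric signature (for example Ed25519) with the public key pinned in the client. The script body, artifact bytes and key are constructed.

```python
import base64
import hashlib
import hmac
import json


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Value for <script integrity="...">: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_check(content: bytes, integrity: str) -> bool:
    """What the browser does before executing a fetched script."""
    algo = integrity.partition("-")[0]
    if algo not in ("sha256", "sha384", "sha512"):   # the only SRI algorithms
        return False
    return hmac.compare_digest(sri_hash(content, algo), integrity)


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Canonical JSON body, newline, MAC over the body (stand-in for a signature)."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return body + b"\n" + mac


def make_signed_manifest(version: str, artifact: bytes, key: bytes) -> bytes:
    """Publisher side: hash the artifact and sign the manifest naming it."""
    return sign_manifest({"version": version,
                          "sha256": hashlib.sha256(artifact).hexdigest()}, key)


def verify_update(signed_manifest: bytes, artifact: bytes, key: bytes) -> bool:
    """Client side: check the manifest's signature before trusting any hash in it,
    then check the artifact against the hash. Order matters: an unsigned hash
    is exactly what a MITM would replace along with the payload."""
    body, sep, sig = signed_manifest.rpartition(b"\n")
    if not sep:
        return False
    expected_sig = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(sig, expected_sig):
        return False                        # forged or tampered manifest
    manifest = json.loads(body)
    actual = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(actual, manifest["sha256"])


if __name__ == "__main__":
    script = b"console.log('hello');"                 # constructed script body
    print(f'<script src="https://cdn.example.net/app.js" integrity="{sri_hash(script)}">')
    key = b"constructed-demo-key"
    artifact = b"update payload v2 (constructed)"
    manifest = make_signed_manifest("2.0.0", artifact, key)
    print(verify_update(manifest, artifact, key))             # True
    print(verify_update(manifest, artifact + b"\x00", key))   # False: swapped payload
```

For SRI the hash is embedded in your own HTML, which is served from your origin, so a compromised CDN cannot change both the script and the value it is checked against.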


9. Security Logging and Monitoring Failures

Description:

Lack of proper logging or monitoring can delay detection and response to breaches.

Real-World Example:

A SQL injection attack goes unnoticed because logs aren't properly configured.

Impact:

  • Extended breach duration

  • Incomplete incident response

  • Regulatory non-compliance

Mitigation:

  • Log all security-relevant events (logins, failed logins, access-control failures, input validation failures) with enough context to identify the actor and the target

  • Implement centralized, tamper-resistant logging with alerts on suspicious patterns

  • Use SIEM tools (Security Information and Event Management) and rehearse the response with an incident response plan
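Detection logic over a handful of constructed access-log lines, as an added example that is not from the original article. It parses the Apache combined log format, decodes the request path, matches a few SQL injection indicators (including the payload from section 3) and raises an alert when one source crosses a threshold. The patterns and threshold are assumptions; a real deployment tunes them against its own traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines (Apache combined format). 203.0.113.x and
# 198.51.100.x are documentation ranges, not real clients.
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /page?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /page?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120 "-" "sqlmap/1.7"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /page?id=1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 8800 "-" "sqlmap/1.7"',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /page?id=1%20AND%20SLEEP(5)-- HTTP/1.1" 200 512 "-" "sqlmap/1.7"',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /profile/124 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:05 +0000] "GET /search?q=it%27s%20fine HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns (assumed; expect to tune for false positives).
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'?\w*'?\s*=\s*'?\w", re.I),                # ' OR '1'='1 tautology
    re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I),                 # UNION SELECT extraction
    re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(?", re.I),  # time-based probes
    re.compile(r"(--|/\*)\s*$"),                                       # trailing SQL comment
]


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_injection_attempt(path: str) -> bool:
    # Decode twice: double URL encoding is a common way past naive filters.
    decoded = unquote_plus(unquote_plus(path))
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def analyse(lines, threshold: int = 3) -> dict:
    """Return suspicious (ip, path) pairs and the ips at or over the alert threshold."""
    suspicious = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue          # in production, count unparseable lines too: they are a signal
        if is_injection_attempt(rec["path"]):
            suspicious.append((rec["ip"], rec["path"]))
            per_ip[rec["ip"]] += 1
    alerts = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"suspicious": suspicious, "alerts": alerts}


if __name__ == "__main__":
    result = analyse(LOG_LINES)
    for ip, path in result["suspicious"]:
        print("suspicious:", ip, path)
    print("alert on:", result["alerts"])
```

Note what the 200 status codes show: the injection attempts succeeded from the server's point of view, so status-code-based alerting alone would have missed this, which is the "goes unnoticed" scenario in the example above.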


10. Server-Side Request Forgery (SSRF)

Description:

SSRF occurs when a web application fetches a remote resource without validating the user-supplied URL, allowing attackers to access internal systems.

Real-World Example:

An image upload feature fetches whatever URL the user supplies, so an attacker points it at internal hosts and uses the response (or its timing) to map the internal network.

Impact:

  • Internal network scanning

  • Sensitive data exposure

  • Cloud metadata access

Mitigation:

  • Validate the URL and the address it resolves to: allowed scheme, allowlisted host, and no private, loopback or link-local destinations

  • Segment the fetching service and disable network access it does not need, so a bypass reaches as little as possible

  • Use allowlists for outbound requests and do not return raw responses to the client

Tool: Burp Suite, curl

bash

curl -X POST http://example.com/fetch --data "url=http://169.254.169.254/latest/meta-data/"
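An allowlist-based URL check for a server-side fetcher, as an added example that is not from the original article. It shows why the metadata request above must be rejected and why the check has to cover the resolved address, not just the hostname. The allowlist and the DNS stand-in table are constructed; a real implementation resolves with socket.getaddrinfo() and checks every returned address.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}     # constructed allowlist

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "cdn.example.net": ["151.101.1.69"],
    "evil.example.org": ["169.254.169.254"],   # attacker-controlled name -> metadata service
}


class SSRFBlocked(ValueError):
    pass


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses: rejects RFC 1918,
    loopback, link-local (169.254.169.254), multicast, reserved, unspecified."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_fetch_url(url: str, resolver=lambda host: FAKE_DNS.get(host, [])) -> str:
    """Return the address to connect to, or raise SSRFBlocked."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")      # file:, gopher:, dict:
    if parts.username is not None or parts.password is not None:
        raise SSRFBlocked("userinfo in URL not allowed")   # http://allowed.host@evil/ trick
    host = (parts.hostname or "").rstrip(".")              # urlsplit lower-cases it
    if host not in ALLOWED_HOSTS:
        raise SSRFBlocked(f"host not on allowlist: {host!r}")
    addrs = resolver(host)
    if not addrs or not all(is_public_address(a) for a in addrs):
        raise SSRFBlocked(f"{host} resolves to a non-public address: {addrs}")
    # Connect to this exact address (sending the Host header yourself) rather
    # than resolving again at fetch time; otherwise DNS rebinding, where the
    # name answers with a public address now and 169.254.169.254 a second
    # later, defeats the check.
    return addrs[0]


if __name__ == "__main__":
    for url in ["https://images.example.com/cat.png",
                "http://169.254.169.254/latest/meta-data/",
                "http://images.example.com@evil.example.org/",
                "file:///etc/passwd"]:
        try:
            print(url, "->", validate_fetch_url(url))
        except SSRFBlocked as exc:
            print(url, "-> blocked:", exc)
```

On the curl example itself: on AWS, IMDSv2 requires a session token obtained with a PUT request and sent in a header, so a GET-only SSRF no longer reads metadata on instances that enforce it; requiring IMDSv2 is a cloud-side mitigation worth adding to the URL check.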

Bonus: How to Practice OWASP Top 10 in Kali Linux

Several platforms and tools can help you practice identifying and exploiting these vulnerabilities:

1. DVWA (Damn Vulnerable Web Application)

bash

git clone https://github.com/digininja/DVWA.git

2. OWASP Juice Shop

bash

docker pull bkimminich/juice-shop

3. Metasploitable 2

Run it in VirtualBox or VMware on an isolated (host-only) network to simulate vulnerable servers; it is intentionally riddled with vulnerabilities and must never be exposed to the internet.


Conclusion

The OWASP Top 10 is not just a checklist—it's a framework for understanding and mitigating the most critical risks to web applications today. Whether you’re a developer, penetration tester, or security architect, familiarity with these vulnerabilities is essential to building and securing modern applications.

Kali Linux provides a wide array of tools for learning and testing each of these vulnerabilities in a safe, legal, and educational environment. Use these tools responsibly to enhance your understanding and contribute to a more secure web.