Web Application Security: OWASP
What Is Web Application Security?
Web application security refers to securing websites and online services against security threats and cyberattacks that exploit vulnerabilities in their code, configuration, or architecture.
Why It Matters
Protects sensitive user data (emails, passwords, financial info).
Ensures trust and brand integrity.
Compliance with legal and regulatory standards.
Prevents financial and reputational losses.
OWASP Top 10 Web Application Vulnerabilities Top 10
- Broken Access Control
Explanation: Users can access unauthorized data/functions.
Types:
Insecure Direct Object References (IDOR)
Forced browsing
Missing access control checks
Example: User A can access User B’s data by changing the user ID in the URL.
Mitigation:
Enforce role-based access control
Deny by default
Avoid exposing internal object references
- Cryptographic Failures (Previously: Sensitive Data Exposure)
Explanation: Weak/missing encryption exposes sensitive data.
Examples:
Using HTTP instead of HTTPS
Storing passwords without hashing
Mitigation:
Use strong encryption (AES-256, HTTPS)
Hash passwords using bcrypt, Argon2
- Injection (SQL, OS, LDAP, etc.)
Explanation: Untrusted data is interpreted as code/commands.
Types:
SQL Injection
Command Injection
LDAP Injection
XPath Injection
Example: ' OR ‘1’='1 in login field
Mitigation:
Use parameterized queries
Input validation and sanitization
- Insecure Design
Explanation: Flaws at the design phase — not just code errors.
Examples:
No business logic validation
Lack of threat modeling
Mitigation:
Security by design
Threat modeling in early stages
- Security Misconfiguration
Explanation: Default settings, unnecessary features, error messages reveal too much.
Examples:
Default admin credentials
Stack traces shown in production
Mitigation:
Harden environments
Disable verbose error messages
Regular security audits
- Vulnerable and Outdated Components
Explanation: Using outdated libraries/software with known vulnerabilities.
Example: Running a vulnerable version of Log4j
Mitigation:
Maintain software inventory
Regular patching and updates
Use tools like OWASP Dependency-Check
- Identification and Authentication Failures
Explanation: Poor authentication or session management.
Examples:
Weak passwords allowed
Session IDs not rotated after login
Mitigation:
Multi-factor authentication
Secure session handling
Lock accounts after failed attempts
- Software and Data Integrity Failures
Explanation: Relying on untrusted data/software.
Examples:
CI/CD pipeline pulling unverified code
Using unsigned updates
Mitigation
Code signing
Hash verification
Supply chain validation
- Security Logging and Monitoring Failures
Explanation: Missing or weak logging hinders breach detection.
Examples:
No alerts on suspicious logins
Mitigation:
Centralized logging
Intrusion detection
Log retention and analysis
- Server-Side Request Forgery (SSRF)
Explanation: Server is tricked into making a request to internal systems.
Example: Attacker makes a request like http://localhost/admin
Mitigation:
Input validation on URLs
Avoid fetching user-submitted URLs
- Cross-Site Scripting (XSS)
Explanation: Malicious script is injected into websites.
Types:
Stored XSS
Reflected XSS
DOM-based XSS
Mitigation:
Encode output
Use CSP (Content Security Policy)
- Cross-Site Request Forgery (CSRF)
Explanation: Tricking authenticated users into submitting unwanted actions.
Example: Auto-submitting a form from another site
Mitigation:
CSRF tokens
SameSite cookie attribute
- Clickjacking
Explanation: UI tricking user into clicking invisible elements
Mitigation:
Use X-Frame-Options: DENY
Use frame busting scripts
- Path Traversal
Explanation: Accessing files outside intended directory
Example: ../../etc/passwd
Mitigation:
Sanitize file paths
Use safe API functions
- Unvalidated Redirects and Forwards
Explanation: Attacker redirects victim to a malicious site
Mitigation:
Avoid dynamic redirects
Validate URLs
- Race Conditions
Explanation: Multiple operations interfere with each other
Example: Two withdrawal requests at the same time
Mitigation:
Locking
Avoid shared mutable state
- Business Logic Vulnerabilities
Explanation: Logical flaws in the workflow
Examples:
Buying products for negative prices
Skipping payment step
Mitigation:
Threat modeling
Manual business logic review
- Mass Assignment
Explanation: Automatic mapping allows overposting
Example: Setting isAdmin=true in form data
Mitigation:
Use whitelisting
Validate allowed fields
- XML External Entity (XXE)
Explanation: Parsing XML with external entities
Mitigation:
Disable external entity resolution
Use secure XML parsers
- Command Injection
Explanation: Execute system-level commands via input
Example: ; rm -rf /
Mitigation:
Avoid using exec() with user input
Use secure libraries
- Insecure Deserialization
Explanation: Untrusted data is deserialized into objects
Example: Remote code execution
Mitigation:
Avoid deserializing untrusted data
Use signed tokens (like JWT)
- Broken Object-Level Authorization
Explanation: APIs allowing access to others’ data via object IDs
Mitigation:
Implement object-level checks
Avoid exposing internal IDs
- Insufficient Logging & Monitoring
Explanation: Attacks go unnoticed
Mitigation:
Alerting, centralized log systems
Anomaly detection
- Improper Error Handling
Explanation: Leaking internal information via errors
Example: Database errors showing query
Mitigation:
Use generic error messages
Log full error details privately
- Improper Session Management
Explanation: Sessions don’t expire or regenerate securely
Mitigation:
Short session lifetimes
Rotate session IDs after login
OWASP Tools for Detection
What Are OWASP Detection Tools?
OWASP (Open Worldwide Application Security Project) provides open-source tools that help security professionals and developers detect vulnerabilities in web applications during various phases of development and deployment.
These tools support:
Vulnerability scanning
Fuzzing
Code analysis
Configuration checking
Penetration testing
API testing
Security automation
OWASP Official Detection Tools
- OWASP ZAP (Zed Attack Proxy)
Purpose: Dynamic application security testing (DAST)
Use:
Intercepts HTTP/HTTPS traffic between browser and web app
Actively scans for vulnerabilities (XSS, SQLi, CSRF, etc.)
Supports automation via API, Jenkins, and CI/CD
Key Features:
Passive and active scanning
Spider and AJAX spider
Scripting with Python/JavaScript
Plug-in marketplace
Ideal For: Developers, beginners, and pentesters
- OWASP Amass
Purpose: External asset discovery and attack surface mapping
Use:
DNS enumeration
Subdomain discovery
IP space mapping
Active and passive reconnaissance
Key Features:
Integrates with public data sources and APIs
Graph-based visualization
Supports automation and scripting
Ideal For: Reconnaissance, bug bounty hunters, red teamers
- OWASP Dependency-Check
Purpose: Detect known vulnerabilities in project dependencies (SCA – Software Composition Analysis)
Use:
Scans Java, Python, JavaScript, and .NET project libraries
Maps components to CVEs (Common Vulnerabilities and Exposures)
Integrates into build pipelines
Key Features:
CVE database updates
Integration with Jenkins, Maven, Gradle
Reports in HTML, XML, and JSON
Ideal For: DevSecOps and secure development
- OWASP DefectDojo
Purpose: Vulnerability management and orchestration
Use:
Aggregates findings from scanners and tools
Tracks vulnerabilities over time
Assigns severity, priority, and remediation status
Key Features:
API for integration
Multiple tool support (ZAP, Burp, Nessus, etc.)
Dashboards, metrics, risk scores
Ideal For: Security teams managing large scan outputs
- OWASP CycloneDX
Purpose: Software Bill of Materials (SBOM) standard
Use:
Defines what software components exist in an application
Supports supply chain transparency
Detects vulnerable components
Key Features:
Compatible with multiple formats (JSON, XML)
Widely supported by SCA tools
Used for compliance and risk evaluation
Ideal For: Organizations with large or third-party software use
- OWASP Security Knowledge Framework (SKF)
Purpose: Educate developers on secure coding practices
Use:
Teaches secure coding against OWASP Top 10, ASVS
Hands-on training and challenges
Provides code examples in multiple languages
Key Features:
Web interface for browsing vulnerabilities and solutions
Live challenges to practice detection/prevention
Ideal For: Developers, students, security trainers
- OWASP CSRFTester
Purpose: Detect CSRF (Cross-Site Request Forgery) vulnerabilities
Use:
Inserts CSRF test payloads
Observes application behavior to validate protection
Key Features:
Easy to use in test environments
Focused CSRF vulnerability verification
Importance of Using OWASP Tools
Help in early detection of flaws in the development cycle.
Integrate into CI/CD pipelines for continuous security.
Educate teams on security practices.
Support automation to reduce manual effort.
Ensure compliance with industry standards (OWASP Top 10, ASVS).
Integration with CI/CD Pipelines
Most OWASP tools support integration with platforms like:
Jenkins
GitHub Actions
GitLab CI/CD
Azure DevOps
Bitbucket Pipelines
This ensures:
Early alerts
Automated fixes
Quick feedback loops
Real-World Case Uses of OWASP Detection Tools
- OWASP ZAP (Zed Attack Proxy)
Case: Banking Web Application – Secure Deployment
Organization: A mid-size fintech company
Use:
Integrated ZAP into the CI/CD pipeline (via Jenkins)
Performed nightly scans of the production-like staging environment
Result:
Detected XSS vulnerabilities early before deployment
Saved ~$40,000 in breach mitigation costs
Ensured PCI DSS compliance
Penetration Testers:
Use ZAP to perform DAST scans of login portals, shopping carts, and admin panels
Automate scans with ZAP scripting engine (Python)
- OWASP Amass
Case: Bug Bounty – Asset Discovery
User: Bug bounty hunter on HackerOne
Use:
Used Amass to enumerate subdomains of a telecom company
Discovered forgotten admin panel on subdomain with outdated software
Result:
Reported critical RCE vulnerability
Earned $5,000 bounty
Enterprises:
Use Amass weekly to identify shadow IT assets, orphaned subdomains, and exposed APIs
- OWASP Dependency-Check
Case: E-commerce Platform – Preventing Open-Source Exploits
Company: Online retailer using Spring Boot (Java)
Use:
Integrated Dependency-Check into Maven builds
Scanned for CVEs in third-party libraries
Result:
Identified Log4j vulnerability during the global Log4Shell crisis
Patched within 4 hours, preventing possible data leaks
Passed ISO 27001 security audit
- OWASP DefectDojo
Case: DevSecOps Vulnerability Management at Scale
Company: SaaS provider with multiple microservices
Use:
Integrated reports from ZAP, Burp Suite, and Nessus into DefectDojo
Tracked vulnerabilities with SLAs and responsible teams
Result:
Reduced resolution time from 14 days to 4 days
Created centralized vulnerability dashboard for CISO review
- OWASP CycloneDX
Case: Government Contract – Software Supply Chain Compliance
Organization: Defense contractor
Use:
Generated SBOM (Software Bill of Materials) using CycloneDX format
Shared with federal agency to meet NIST 800-218 requirements
Result:
Approved for project continuation
Met US government’s cybersecurity executive order for SBOMs
- OWASP Security Knowledge Framework (SKF)
Case: University Secure Coding Program
Institution: Top tech university
Use:
Used SKF in software engineering classes
Hands-on labs to teach secure coding for OWASP Top 10 issues
Result:
Students better understood how to write secure code
Students participated in CTFs and ranked nationally
- OWASP CSRFTester
Case: Manual Testing – Banking CSRF Protection
Pentester: Freelance consultant testing a financial portal
Use:
Used CSRFTester to verify token implementation
Found a page with missing CSRF token on fund transfer request
Result:
Reported medium-risk vulnerability
Banking app improved token coverage
Combined Use in Real Life
DevSecOps Workflow in a Tech Startup
Amass used for weekly reconnaissance to map new domains.
ZAP scans triggered on every code push via GitHub Actions.
Dependency-Check scans every build for known CVEs.
DefectDojo ingests findings from ZAP and Dependency-Check.
CycloneDX generates SBOMs for supply chain transparency.
SKF trains developers to fix found issues properly.
