A Comprehensive Guide to OWASP Top 10

By TheToySec, October 2, 2022 (updated November 5, 2022)

    About OWASP

OWASP stands for Open Web Application Security Project, a nonprofit organization aimed at improving web application security. It is an open-source, community-based project where anyone can participate and contribute to OWASP projects and more.

     

    About OWASP Top 10

The OWASP Top 10 is a list of the 10 most important security risks affecting web applications. It is used to help developers secure their applications better.

     

    What are the OWASP Top 10 Vulnerabilities?

OWASP released its latest Top 10 in 2021. Here is detailed information about each of the ten vulnerability categories.

     

A01. Broken Access Control

If this type of vulnerability exists in a system, the attacker can act as a user or as an administrator of that vulnerable system.

    Scenario

Let’s suppose there is a website called “xyz.com” with two users, Bob and Alice. Here Bob is an attacker and Alice is a normal user or an admin. IDs are assigned to those users. For example, Bob has the ID “S098761”: Bob is only allowed to log in to his own ID and can view only his own information. At the other end, Alice has the ID “Do45610”, and only Alice is allowed to log in to her ID and view her information. If Alice is an admin, then she can view or access every user’s details. For this scenario Bob is just a normal user.

So if Bob can intercept the request for Alice’s ID, change the ID and access the information, then there is a broken access control vulnerability. E.g. Bob changed the ID of Alice from Do45610 to S098761 and is now controlling Alice’s ID.
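The check that is missing in this scenario, as an added example (not code from the original post): a “view profile” lookup that trusts the ID in the request, next to one that decides on the server from the authenticated session. The user store, the roles and the choice to model Alice as an admin are constructed assumptions.

```python
# Added example (not from the original post): server-side authorisation for a
# "view profile" endpoint, using the two IDs from the scenario above. The user
# store, roles and the admin flag on Alice are constructed assumptions.

USERS = {
    "S098761": {"name": "Bob", "role": "user", "email": "bob@xyz.example"},
    # The scenario allows Alice to be an admin; that case is modelled here.
    "Do45610": {"name": "Alice", "role": "admin", "email": "alice@xyz.example"},
}


class Forbidden(Exception):
    """Raised when the caller may not view the requested record."""


def get_profile_vulnerable(session_user_id, requested_id):
    """Broken access control: the ID taken from the request is trusted as-is,
    so any logged-in user can read any record by changing that parameter.
    This is the Bob-reads-Alice case from the scenario."""
    return USERS[requested_id]


def get_profile_secure(session_user_id, requested_id):
    """Enforce the decision on the server from the authenticated identity.

    session_user_id comes from the server-side session, never from the URL,
    form or JSON body. A normal user may read only their own record; an admin
    may read any record. Everything else is denied by default.
    """
    caller = USERS.get(session_user_id)
    if caller is None:
        raise Forbidden("no authenticated user")
    if caller["role"] != "admin" and requested_id != session_user_id:
        # Same generic error for "exists but not yours" and "does not exist",
        # so the check does not leak which IDs are valid.
        raise Forbidden("access denied")
    record = USERS.get(requested_id)
    if record is None:
        raise Forbidden("access denied")
    return record


def can_view(session_user_id, requested_id):
    """True/False wrapper around get_profile_secure, handy for tests and logs."""
    try:
        get_profile_secure(session_user_id, requested_id)
        return True
    except Forbidden:
        return False
```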

     

A02. Cryptographic Failures

If this type of vulnerability exists, important stored or transmitted data can be compromised, such as credit card numbers, social security numbers and personal data like phone numbers, email addresses etc.

    Scenario

Let’s suppose the website “xyz” has no cryptographic mechanism in its system. In this case the data is not encrypted, so it is easy to brute-force and obtain sensitive data.

     

    A03. Injection

If this type of vulnerability exists, an attacker can send invalid data into a web application in order to make the application do something it was not designed to do for a normal user.

    Scenario

A website called “xyz.com” uses untrusted data when constructing a vulnerable SQL call. In this attack an attacker can inject code and take over the database or obtain sensitive information from the “xyz.com” website.
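The vulnerable SQL call from the scenario beside its parameterised replacement, as an added example (not code from the original post). The in-memory SQLite table and its two rows are constructed here.

```python
# Added example (not from the original post): the vulnerable SQL call from the
# "xyz.com" scenario beside its parameterised replacement. The in-memory SQLite
# database and its two rows are constructed here.
import sqlite3


def make_db():
    """Constructed sample table standing in for the site's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@xyz.example"), ("bob", "bob@xyz.example")],
    )
    return conn


def find_email_vulnerable(conn, username):
    """Injection: untrusted text is spliced into the SQL statement, so a value
    containing a quote can change the query's structure instead of being
    compared as data."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_secure(conn, username):
    """Parameterised query: the statement is fixed and the value is bound by
    the driver, so whatever the input contains it is only ever a string to
    compare against the username column."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def rows_returned(query_fn, username):
    """How many e-mail addresses a lookup hands back for the given input."""
    return len(query_fn(make_db(), username))
```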

     

    A04. Insecure Design

These vulnerabilities exist due to a lack of security implementation in an application at development time. It means that best practices for designing an application have not been taken into consideration.

    Scenario

Let’s suppose there’s a website called “xyz.com” which does not have rate limiting on the product endpoints that are used to add a product from a smartphone. The website usually sells limited products which typically come in quantities of 200-400. Since rate limiting has not been applied, malicious users might use bots which regularly check when the product is available, and once it is available they purchase most of the quantity and then resell it. So the users who are genuinely looking for the product won’t get it, and due to the heavy request volume they will never succeed in purchasing it.
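One design control that addresses this scenario, as an added example (not code from the original post): a per-account sliding-window limit on the “add product” endpoint combined with a cap on units per order. The thresholds, the injectable clock and the in-memory state are constructed assumptions.

```python
# Added example (not from the original post): a per-account limit for the
# "add product" endpoint in the scenario, so a bot cannot hammer it or buy
# out a 200-400 unit drop in one go. The thresholds, the clock injection and
# the in-memory state are constructed; production state would live in a
# shared store such as Redis so that every app server sees the same counts.
import time
from collections import defaultdict, deque


class PurchaseLimiter:
    """Sliding-window limiter: at most max_requests calls per account in any
    window-second span, and at most max_units of a limited item per order."""

    def __init__(self, max_requests=5, window=60.0, max_units=2,
                 clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window
        self.max_units = max_units
        self.clock = clock                  # injectable for deterministic tests
        self.history = defaultdict(deque)   # account -> recent call timestamps

    def allow(self, account_id, quantity):
        """Return True if this add-to-order call may proceed."""
        now = self.clock()
        calls = self.history[account_id]
        # Forget calls that have aged out of the window.
        while calls and now - calls[0] >= self.window:
            calls.popleft()
        if quantity < 1 or quantity > self.max_units:
            return False  # one account cannot take most of the stock at once
        if len(calls) >= self.max_requests:
            return False  # too many attempts: the bot-polling pattern
        calls.append(now)
        return True

    def remaining(self, account_id):
        """Calls still available in the current window (useful for headers)."""
        now = self.clock()
        recent = [t for t in self.history[account_id] if now - t < self.window]
        return max(0, self.max_requests - len(recent))
```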

     

    A05. Security Misconfiguration

Security misconfiguration happens when security settings are implemented and maintained as defaults.

    Scenario

Let’s suppose the “xyz.com” website has a database whose credentials are left at the defaults, such as the username admin and the password password.

     

    A06. Vulnerable and Outdated Components

Vulnerable and outdated component vulnerabilities happen when a software component is unsupported, outdated or vulnerable to a known exploit. This can include the OS, database, API, server etc.

    Scenario

Let’s suppose a company called “xyz” is using Apache server version 2.0, which is already vulnerable to SQL injection. In this case an attacker can easily attack their server due to this vulnerable and outdated version.

     

    A07. Identification and Authentication Failures

These relate to authentication and session management; when implemented incorrectly, they allow attackers to compromise passwords and sessions, which can lead to stolen user identities and more.

    Scenario

Let’s suppose the “xyz” website allows the use of weak or easy-to-guess passwords such as password, user123 etc.

     

    A08. Software and Data Integrity Failures

These vulnerabilities happen when the integrity of the application or its data is not checked, or the verification process is not well rounded, i.e. it can be bypassed or a validation failure still lets the application run.

    Scenario

An application deserializes attacker-supplied hostile objects, opening itself to vulnerability.
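The deserialisation case from the scenario, as an added example (not code from the original post): Python’s pickle will rebuild any importable class named in the byte stream, so a deny-by-default unpickler refuses every class reference while still accepting plain data. The sample class and both payloads are constructed.

```python
# Added example (not from the original post): the deserialisation case from
# the scenario. pickle will rebuild any importable class named in the byte
# stream, so untrusted bytes must never reach plain pickle.loads(). This
# loader refuses every class reference, which still covers plain data such
# as dicts, lists, strings and numbers. The sample class and payloads are
# constructed.
import io
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Deny-by-default loader: resolving any class or callable from the stream
    is an error, so attacker-chosen objects are never instantiated."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class ShoppingCart:
    """Stands in for any application class an attacker could name."""

    def __init__(self, items):
        self.items = items


def sample_plain_data():
    """Constructed benign payload: only built-in containers and scalars."""
    return pickle.dumps({"order": 42, "items": ["mug", "tee"]})


def sample_object_payload():
    """Constructed payload that references a class by module and name."""
    return pickle.dumps(ShoppingCart(["mug"]))


def try_load(data):
    """Return (accepted, value or error text) so callers can log rejections."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)
```

For anything richer than plain data, a schema-validated format such as JSON is the safer choice than extending the allow-list.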

     

    A09. Security Logging and Monitoring Failures

Logging and monitoring are critical, and their absence or failure directly impacts visibility and incident alerting. It is important to have a functional logging and monitoring system that collects logs and raises alerts when malfunctions or errors happen; otherwise these can go unnoticed for a long time and cause a lot more damage.

    Scenario

Let’s suppose the “xyz.com” website has no limit on login attempts. In this case it is easy to brute-force a user’s account, as there is no limit on login attempts in the system. Apart from that, let’s suppose the “xyz.com” website also has no audit mechanism to capture logs and important activities. This is also a very risky factor for any website or application.
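An added example (not code from the original post) covering the A07 and A09 scenarios together: registration refuses the weak passwords named above, login locks an account after repeated failures, and every decision is written to an audit log. The blocklist, thresholds, injectable clock and in-memory stores are constructed assumptions.

```python
# Added example (not from the original post) for the A07 and A09 scenarios:
# registration refuses weak passwords, login locks an account after repeated
# failures, and every decision is written to an audit log. Blocklist,
# thresholds, clock injection and in-memory stores are constructed.
import hashlib, hmac, os, time

WEAK_PASSWORDS = {"password", "user123", "123456", "qwerty"}  # constructed
MAX_FAILED, LOCKOUT_SECONDS = 5, 900  # failures before lock, lock duration

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so lockout expiry can be tested
        self.users = {}         # username -> (salt, digest)
        self.failures = {}      # username -> (count, time of last failure)
        self.audit = []         # one dict per security-relevant event

    def _log(self, event, username, **extra):
        self.audit.append({"ts": self.clock(), "event": event, "user": username, **extra})

    def register(self, username, password):
        if len(password) < 12 or password.lower() in WEAK_PASSWORDS:
            self._log("register_rejected_weak_password", username)
            return False
        self.users[username] = hash_password(password)
        self._log("register_ok", username)
        return True

    def login(self, username, password, source_ip):
        count, last = self.failures.get(username, (0, 0.0))
        if count >= MAX_FAILED:
            if self.clock() - last < LOCKOUT_SECONDS:
                self._log("login_blocked_locked_out", username, ip=source_ip)
                return False
            count = 0  # lock expired; start counting again
        record = self.users.get(username)
        if record is not None:
            salt, digest = record
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                self.failures.pop(username, None)
                self._log("login_ok", username, ip=source_ip)
                return True
        self.failures[username] = (count + 1, self.clock())
        self._log("login_failed", username, ip=source_ip, failures=count + 1)
        return False
```

The audit list is what a monitoring pipeline would ship to a SIEM; a run of login_failed events for one user followed by login_blocked_locked_out is the brute-force pattern the scenario says would otherwise go unseen.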

     

    A10. Server-Side Request Forgery

Server-Side Request Forgery (SSRF) attacks are used to target internal systems that are behind firewalls and not accessible from the external network. It can be exploited to access internally running services like SSH, localhost, FTP etc. In a typical SSRF attack the attacker causes the server to make a connection to internal services within the organization’s infrastructure that are not authorized for an external user.

    Scenario

Let’s suppose “xyz.com” only accepts png and jpg files for upload to its server. If you can exploit this and upload an svg file or another file type that gets processed, which actually shouldn’t be accepted by the server, then in that case it is vulnerable to an SSRF attack.
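The upload check this scenario calls for, as an added example (not code from the original post): the file is classified by its leading bytes rather than by extension, so an SVG (XML text, which can reference external URLs when rendered server-side) is rejected even when renamed to .png. Signatures, size limit and sample uploads are constructed.

```python
# Added example (not from the original post): validating an upload as a real
# PNG or JPEG by its leading bytes rather than by the filename extension, and
# rejecting SVG/XML and anything else. The sample uploads are constructed.

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SIGNATURE = b"\xff\xd8\xff"
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg"}


def sniff_image_type(data):
    """Return 'png', 'jpeg' or None from the file's magic bytes only."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data.startswith(JPEG_SIGNATURE):
        return "jpeg"
    return None


def validate_upload(filename, data, max_bytes=5_000_000):
    """Accept only when the extension AND the content agree on a raster image.

    Returns (accepted, reason_or_kind). The extension is never used to decide
    what the bytes are; it is only required to be consistent with them.
    """
    if len(data) > max_bytes:
        return False, "file too large"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    kind = sniff_image_type(data)
    if kind is None:
        # SVG is XML text and never carries a raster signature, so it ends up
        # here even when it has been renamed to .png or .jpg.
        return False, "content is not a PNG or JPEG"
    if (kind == "png") != (ext == "png"):
        return False, "extension does not match content"
    return True, kind
```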

     

I hope you enjoyed this post. If you really liked it, give your reaction and don’t forget to share it with others 🙂

     

Thank you for reading, and have a nice stay here!
