OWASP Top 10

OWASP stands for Open Web Application Security Project. It is a global, non-profit organisation focused on improving the security of software through community-driven standards, tools, and best practices.

OWASP Top 10 (2025 RC1)

Broken Access Control

Users acting outside their intended permissions

Detection Tools: Checkmarx, Burp Suite Pro, Veracode, OWASP ZAP, SonarQube Community

Example: A regular user modifies the URL parameter acct=123 to acct=456 to access another user's account data or admin functionality.

  • .NET: Use [Authorize] attributes and policy-based authorisation
  • React: Implement protected routes with server-side authorisation checks
  • Deny by default - only grant access when explicitly allowed
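
The acct=123 to acct=456 case above, as an added Node.js example (not code from the page or from OWASP): the account id comes from the query string and is untrusted, so the decision is made centrally against the authenticated session user, and anything without an explicit allow rule is denied. The account store, policy names and handler shape are constructed for the demonstration.

```javascript
// Added example (not from the original page): server-side, deny-by-default
// authorisation for an object reference such as ?acct=456. The check runs
// against the authenticated principal, never against anything the client sent.
const accounts = new Map([               // constructed sample data
  ['123', { ownerId: 'u-alice', balance: 100 }],
  ['456', { ownerId: 'u-bob',   balance: 250 }],
]);

// Every permitted action has an explicit rule; anything else is denied.
const policies = {
  'account:read':   (user, acct) => acct.ownerId === user.id || user.roles.includes('admin'),
  'account:update': (user, acct) => acct.ownerId === user.id,
  'admin:panel':    (user)       => user.roles.includes('admin'),
};

// Central decision point: unauthenticated, unknown action or missing resource => deny.
function authorize(user, action, resource) {
  if (!user || !Array.isArray(user.roles)) return false;
  const rule = policies[action];
  if (!rule) return false;                              // no policy => deny by default
  if (action !== 'admin:panel' && !resource) return false;
  return rule(user, resource) === true;
}

// Handler for GET /account?acct=<id>. The id is untrusted input; the
// authorisation decision uses the user bound to the server-side session.
function getAccount(session, query) {
  const acct = accounts.get(String(query.acct));
  if (!acct) return { status: 404, body: 'not found' };
  if (!authorize(session.user, 'account:read', acct)) {
    return { status: 403, body: 'forbidden' };        // say nothing about who owns it
  }
  return { status: 200, body: { balance: acct.balance } };
}

const alice = { id: 'u-alice', roles: ['user'] };      // constructed users
const admin = { id: 'u-root',  roles: ['admin'] };
console.log(getAccount({ user: alice }, { acct: '123' }).status); // 200
console.log(getAccount({ user: alice }, { acct: '456' }).status); // 403
console.log(getAccount({ user: admin }, { acct: '456' }).status); // 200
```

The same authorize() call belongs in every handler that touches an account, including the ones a React front end hides behind a protected route; the route guard is a usability feature, the server check is the control.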

Security Misconfiguration

Insecure default settings or incomplete configs

Detection Tools: Tenable.io, Qualys, ScoutSuite, OpenVAS

Example: Using default admin credentials (admin/admin), leaving debug mode enabled in production, or exposing unnecessary services and ports.

  • .NET: Disable detailed error pages in Production
  • React: Remove console.log and debug code in production builds
  • Automate verification of configuration

Software Supply Chain Failures

Compromised dependencies, build systems, or distribution

Detection Tools: Sonatype, Checkmarx, OWASP Dependency-Check, npm audit

Example: A malicious package in npm or a compromised build pipeline (like SolarWinds 2019) injects backdoors into your application.

  • .NET: Use NuGet package signing and scan with OWASP Dependency-Check
  • React: Run npm audit regularly and use package-lock.json
  • Maintain an SBOM (Software Bill of Materials)
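
The package-lock.json and SBOM bullets, as an added example (not code from the page or from npm): a pre-install gate that walks a lockfile in the lockfileVersion 3 layout, flags any dependency without an integrity hash or resolved from outside the approved registry, and emits a minimal inventory that an SBOM generator would expand. The lockfile fragment, the registry URL and the hash values are constructed placeholders.

```javascript
// Added example (not the page's own code): lockfile audit + inventory.
const APPROVED_REGISTRY = 'https://registry.npmjs.org/';   // assumption

function auditLockfile(lock) {
  const findings = [];
  const inventory = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;                              // the root project itself
    // "node_modules/a/node_modules/@s/b" -> "@s/b"
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const id = `${name}@${entry.version}`;
    inventory.push({ name, version: entry.version, resolved: entry.resolved || null });
    if (!entry.integrity) findings.push(`${id}: no integrity hash`);
    if (!entry.resolved) findings.push(`${id}: no resolved URL`);
    else if (!entry.resolved.startsWith(APPROVED_REGISTRY)) findings.push(`${id}: resolved from ${entry.resolved}`);
  }
  return { findings, inventory };
}

// Constructed lockfile fragment; "sha512-PLACEHOLDER" stands in for a real digest.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'shop', version: '1.0.0' },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/helper-lib': {
      version: '0.0.1',
      resolved: 'http://mirror.internal.example/helper-lib-0.0.1.tgz',   // off-registry source
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/helper-lib/node_modules/tiny': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/tiny/-/tiny-2.0.0.tgz',
      // integrity deliberately missing
    },
  },
};

const lockReport = auditLockfile(sampleLock);
console.log(lockReport.findings);          // two findings
console.log(lockReport.inventory.length);  // 3
```

Run it before npm ci in the pipeline and fail the build on any finding; pair it with npm audit (known vulnerabilities) since this check only covers provenance and pinning.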

Cryptographic Failures

Weak encryption or exposed sensitive data

Detection Tools: Checkmarx, Veracode, Fortify, Snyk Open Source, SSL Labs, Trivy

Example: Passwords stored in plain text or using MD5/SHA1 for hashing. Not enforcing TLS, allowing attackers to intercept traffic.

  • .NET: Use Data Protection API, enforce HTTPS, use bcrypt/Argon2 for passwords
  • React: Never store secrets client-side; use HTTPS and secure cookies
  • Use strong algorithms: AES-256, TLS 1.2+, Argon2/bcrypt

Injection

Malicious code or commands in input fields

Detection Tools: Checkmarx, Burp Suite Pro, Fortify, SQLMap, OWASP ZAP, SonarQube

Example: SQL Injection: Input ' OR 1=1-- bypasses authentication. XSS: Input <script>alert('XSS')</script> executes malicious JavaScript.

  • .NET: Use Entity Framework with parameterized queries, never concatenate SQL
  • React: Sanitize inputs, avoid dangerouslySetInnerHTML, use DOMPurify
  • Use parameterized queries, ORMs, and input validation
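
The two inputs from the example above, each run through a vulnerable construction and its safe counterpart, as an added example (not code from the page). No database is involved: the SQL part only builds the statement text and the parameter list that a driver's parameterised API would receive, which is enough to see why the concatenated form treats the input as grammar and the bound form treats it as data. The HTML-escaping function does what React's {text} interpolation does by default and what dangerouslySetInnerHTML bypasses.

```javascript
// Added example (not from the page): vulnerable vs safe for SQL and for HTML.
// Illustrative only; a real login compares a password hash, not the password.

// --- SQL ---
function loginQueryUnsafe(username, password) {
  // Concatenation: the input becomes part of the SQL statement itself.
  return `SELECT id FROM users WHERE username = '${username}' AND password = '${password}'`;
}
function loginQuerySafe(username, password) {
  // Placeholders: the statement is fixed, the input is bound as a value.
  return { text: 'SELECT id FROM users WHERE username = $1 AND password = $2',
           values: [username, password] };
}
// Input validation as a second layer: ids that must be numeric get an allow-list check.
function isValidAccountId(s) { return /^\d{1,10}$/.test(String(s)); }

// --- HTML / XSS ---
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}
function renderCommentUnsafe(text) { return `<p>${text}</p>`; }           // like dangerouslySetInnerHTML
function renderCommentSafe(text)   { return `<p>${escapeHtml(text)}</p>`; } // like React's {text}

const sqlInput = "' OR 1=1--";                         // the page's SQL example input
const xssInput = "<script>alert('XSS')</script>";      // the page's XSS example input

console.log(loginQueryUnsafe(sqlInput, 'x'));
// SELECT id FROM users WHERE username = '' OR 1=1--' AND password = 'x'
console.log(loginQuerySafe(sqlInput, 'x'));
// statement unchanged; "' OR 1=1--" is just the first bound value
console.log(renderCommentUnsafe(xssInput));   // script element would execute
console.log(renderCommentSafe(xssInput));     // <p>&lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;</p>
```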

Insecure Design

Flaws in logic and architectural design

Detection Tools: IriusRisk, Microsoft Threat Modeling Tool, OWASP Threat Dragon, Threagile

Example: An e-commerce app allows unlimited password reset attempts without rate limiting or CAPTCHA.

  • .NET: Implement rate limiting middleware
  • React: Add CAPTCHA and client-side validation
  • Shift Left - Security at design phase
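
The rate-limiting mitigation for the password-reset example, as an added Node.js example that is not the page's code: a sliding-window limiter applied on two keys, per target account and per client address, so one account cannot be hammered and one source cannot spray many accounts. The endpoint also answers identically whether or not the account exists. The limits, the window, the injected clock and the addresses are constructed for the demonstration.

```javascript
// Added example (not from the page): sliding-window rate limiting for a
// password-reset endpoint. The clock is injectable so the behaviour is testable.
class SlidingWindowLimiter {
  constructor(limit, windowMs, now = () => Date.now()) {
    this.limit = limit; this.windowMs = windowMs; this.now = now;
    this.hits = new Map();  // key -> timestamps inside the current window
  }
  allow(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter(ts => t - ts < this.windowMs);
    if (recent.length >= this.limit) { this.hits.set(key, recent); return false; }
    recent.push(t);
    this.hits.set(key, recent);
    return true;
  }
}

let fakeNow = 0;                              // deterministic clock (constructed)
const clock = () => fakeNow;
const WINDOW = 15 * 60 * 1000;
const perAccount = new SlidingWindowLimiter(3, WINDOW, clock);   // assumed limits
const perSource  = new SlidingWindowLimiter(20, WINDOW, clock);

function requestPasswordReset(email, clientIp) {
  // Both dimensions are checked; the source check runs first so a blocked
  // source cannot consume the per-account budget of arbitrary users.
  if (!perSource.allow(clientIp) || !perAccount.allow(email.toLowerCase())) {
    return { status: 429, body: 'Too many requests, try again later' };
  }
  // ... look up the account and send the link (omitted) ...
  // Same response either way, so the endpoint cannot be used to enumerate accounts.
  return { status: 202, body: 'If the account exists, a reset link has been sent' };
}

console.log([1, 2, 3, 4].map(() => requestPasswordReset('user@example.com', '203.0.113.5').status));
// [202, 202, 202, 429]
fakeNow += WINDOW;
console.log(requestPasswordReset('user@example.com', '203.0.113.5').status); // 202 again after the window
```

A CAPTCHA on the React side, as the bullet suggests, raises the cost further, but it is a supplement: the limiter runs on the server where the client cannot skip it.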

Authentication Failures

Weak confirmation of user identity

Detection Tools: Burp Suite Pro, Checkmarx, OWASP ZAP, Hydra

Example: Allowing weak passwords like password123 or not implementing multi-factor authentication.

  • .NET: Use ASP.NET Core Identity with MFA
  • React: Implement OAuth2/OpenID Connect with secure token storage
  • Enforce strong password policies

Data Integrity Failures

Code or data tampering without verification

Detection Tools: Sonatype, Checkmarx, Sigstore, npm audit, Git commit signing

Example: Unsigned updates allow attackers to inject malicious code. Insecure deserialisation lets attackers execute arbitrary code.

  • .NET: Sign assemblies, verify signatures, avoid insecure deserialisation
  • React: Use Subresource Integrity (SRI) for CDN resources
  • Sign code and verify integrity; secure CI/CD pipelines

Logging & Alerting Failures

Inability to detect and respond to breaches

Detection Tools: Splunk, Datadog, New Relic, ELK, Graylog

Example: Not logging failed login attempts or security events means you can't detect ongoing attacks or investigate breaches.

  • .NET: Use Serilog/NLog with structured logging and alerting
  • React: Send errors to monitoring services (Sentry, LogRocket)
  • Log security events with alerting; ensure tamper-proof storage

Mishandling of Exceptions

Poor error handling leading to security issues

Detection Tools: Checkmarx, Veracode, Fortify, SonarQube, Semgrep, ESLint, AFL Fuzzer

Example: Detailed error messages reveal database structure. Unhandled exceptions crash the app or expose system paths and configuration.

  • .NET: Use global exception handlers; return generic error messages to users
  • React: Implement Error Boundaries; log but don't expose errors
  • Fail securely (closed); never expose sensitive information in errors