Skip to content

Instantly share code, notes, and snippets.

@aw-junaid

aw-junaid/Vulnerabilities.md

Created January 31, 2026 09:58
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save aw-junaid/36bfdfa2727f53ad63b85212fa2ec264 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save aw-junaid/36bfdfa2727f53ad63b85212fa2ec264 to your computer and use it in GitHub Desktop.
Download ZIP
Detailed breakdown of OWASP Top 10 web vulnerabilities: broken access control, cryptographic failures, injection, insecure design, security misconfig, vulnerable components, auth failures, integrity failures, logging/monitoring gaps, and SSRF—with theory and common locations.
Raw
Vulnerabilities.md

Top 10 OWASP Vulnerabilities: What They Are, Where to Find Them, and How They Work

Detailed breakdown of OWASP Top 10 web vulnerabilities: broken access control, cryptographic failures, injection, insecure design, security misconfig, vulnerable components, auth failures, integrity failures, logging/monitoring gaps, and SSRF—with theory and common locations.

1. Broken Access Control

What it is

Users can access resources, functions, or data they shouldn't be authorized to view or modify. This includes bypassing authorization checks, manipulating URLs, session identifiers, or API calls.

Theory

  • Horizontal privilege escalation: User A accesses User B's data (e.g., changing user_id=123 to user_id=456 in URL).
  • Vertical privilege escalation: Regular user gains admin privileges.
  • Insecure Direct Object References (IDOR): Predictable references (IDs, filenames) in URLs/parameters without authorization checks.
  • Missing function-level access control: Admin functions exposed to non-admins.

Where to look

  • URLs/Query strings: https://app.com/profile?user_id=456
  • POST/PUT/DELETE request parameters (API or form bodies)
  • Cookies/session tokens: Manipulating or stealing tokens to impersonate users
  • Hidden form fields/API endpoints: /admin, /api/v1/users/delete
  • File paths: Direct file access like /uploads/invoice_123.pdf
  • Mobile/SPA API calls: Inspect network traffic in browser DevTools or proxy

Common exploitation

  • Change parameter values (id, user, account, role)
  • Access admin panels without proper role check
  • Traverse directories: ../../etc/passwd
  • Replay or forge JWT/session tokens

2. Cryptographic Failures (formerly Sensitive Data Exposure)

What it is

Failure to properly protect sensitive data at rest or in transit using encryption, leading to exposure of passwords, credit cards, health records, PII, etc.

Theory

  • Weak or missing encryption: Plain HTTP, weak SSL/TLS (old versions, bad ciphers)
  • Hardcoded secrets: API keys/passwords in source code, config files, or client-side JS
  • Weak hashing algorithms: MD5, SHA1 for passwords (no salt/iterations)
  • Insecure key storage: Keys in code, environment variables visible in errors, or world-readable files
  • Data at rest not encrypted: Databases, backups, logs storing passwords/tokens in plaintext

Where to look

  • HTTP traffic (no HTTPS): Intercept login forms, API calls
  • Browser DevTools > Network tab: Check if sensitive data sent over HTTP
  • Client-side code: View source or JS for embedded secrets/API keys
  • Configuration files: .env, config.php, web.config exposed via misconfig or GitHub
  • Cookie attributes: Missing Secure, HttpOnly, SameSite
  • Database dumps, backups, or logs accessible via misconfig
  • Error messages/stack traces revealing secrets or internal paths

Common exploitation

  • Man-in-the-middle (MITM) attacks on HTTP
  • Steal API keys from JS bundles or public repos
  • Crack weakly hashed passwords (MD5/SHA1 rainbow tables)
  • Access plaintext database backups

3. Injection

What it is

Untrusted user input is sent to an interpreter (SQL, OS shell, LDAP, XML, etc.) as part of a command or query, allowing attackers to execute arbitrary code or access unauthorized data.

Theory

  • Application concatenates user input directly into queries/commands without validation or parameterization.
  • Special characters (quotes, semicolons, pipes) are interpreted as control characters.

Types

  • SQL Injection (SQLi): Manipulate database queries
  • Command Injection (OS): Execute shell commands
  • LDAP Injection: Manipulate directory queries
  • XPath/XML Injection: Alter XML queries
  • NoSQL Injection: Exploit JSON/MongoDB queries
  • Template Injection (SSTI): Inject code into template engines

Where to look

  • Login forms: Username/password fields
  • Search boxes: Any user-supplied search term
  • URL parameters: ?id=1, ?sort=name, ?filter=admin
  • Form inputs: All text, textarea, hidden fields
  • HTTP headers: User-Agent, Referer, X-Forwarded-For (less common but possible)
  • File upload fields: Filename parameter
  • API JSON/XML bodies: POST/PUT request payloads
  • Cookie values

Common exploitation

  • SQL Injection: ' OR 1=1--, '; DROP TABLE users--, UNION SELECT to extract data
  • Command Injection: ; ls -la, | whoami, backticks or $() in inputs
  • LDAP Injection: *)(uid=*))(|(uid=*
  • Template Injection: {{7*7}}, <%= system('id') %>

4. Insecure Design

What it is

Flaws in the architecture, threat model, and design phase—not implementation bugs. Missing or ineffective security controls by design.

Theory

  • Failure to model threats during design (no "shift-left security")
  • Business logic flaws that allow unintended workflows
  • Lack of input validation at design level
  • No rate limiting, fraud controls, or abuse prevention

Where to look

  • Business logic workflows: Password reset, coupon codes, multi-step checkout
  • State transitions: Order processing, account status changes
  • Race conditions: Simultaneous requests exploiting time-of-check vs time-of-use
  • Missing rate limits: APIs, login, registration, promo code redemption
  • Trust boundaries: Client-side validation only, trusting user roles from cookies
  • Architecture diagrams: Look for single points of failure, missing authentication gates

Common exploitation

  • Redeem the same coupon multiple times
  • Bypass multi-factor by skipping a step in the flow
  • Race two requests to withdraw money twice from one balance
  • Submit negative quantity to get refunds
  • Register unlimited accounts (no CAPTCHA or rate limit)

5. Security Misconfiguration

What it is

Insecure default configurations, incomplete/ad-hoc configs, open cloud storage, verbose error messages, missing patches, unused features enabled.

Theory

  • Defaults are insecure (default passwords, sample accounts)
  • Unnecessary services/features enabled (debug mode, directory listing)
  • Missing security headers
  • Unpatched systems/libraries
  • Overly permissive cloud IAM or storage ACLs

Where to look

  • Default credentials: admin:admin, root:root
  • Directory listing enabled: Browse /uploads/, /backup/, /config/
  • Error pages: Stack traces, framework version, database connection strings
  • HTTP headers missing: No X-Content-Type-Options, X-Frame-Options, Content-Security-Policy, Strict-Transport-Security
  • Cloud buckets: Public S3, Azure Blobs, Google Storage
  • Management interfaces exposed: phpMyAdmin, Jenkins, admin panels on public IPs
  • Sample/test files left in production: test.php, phpinfo.php, .git, .env
  • Outdated software versions: Check response headers, error pages, or /readme.html

Common exploitation

  • Access /admin with default password
  • Download .git folder and reconstruct source code
  • Read phpinfo.php for internal config/secrets
  • Enumerate cloud buckets: https://bucketname.s3.amazonaws.com/
  • Exploit known CVEs in outdated frameworks

6. Vulnerable and Outdated Components

What it is

Using libraries, frameworks, or dependencies with known vulnerabilities (often unpatched or end-of-life).

Theory

  • Developers rely on third-party code (npm, PyPI, Maven, NuGet)
  • Many don't track versions or CVEs
  • Transitive dependencies can also be vulnerable

Where to look

  • Client-side libraries: Check JS files for jQuery, Bootstrap, Angular versions
  • Server response headers: X-Powered-By: PHP/5.6.40, Server: Apache/2.2.15
  • Error messages/stack traces: Framework and library names/versions
  • /package.json, /composer.json, /requirements.txt (if exposed)
  • Software Composition Analysis (SCA) tools: Snyk, Dependabot, OWASP Dependency-Check
  • Known CVE databases: Check versions against NVD, Exploit-DB

Common exploitation

  • Exploit known CVEs: Struts RCE, Log4Shell, old jQuery XSS
  • Dependency confusion attacks (private package names hijacked on public repos)
  • Supply chain attacks via compromised packages

7. Identification and Authentication Failures (formerly Broken Authentication)

What it is

Flaws that allow attackers to compromise passwords, keys, session tokens, or exploit implementation bugs to assume another user's identity.

Theory

  • Weak password policies (no complexity/length requirements)
  • Credential stuffing (reused passwords from breaches)
  • Session fixation or predictable session IDs
  • Missing or bypassable MFA
  • Insecure password recovery (security questions, token in URL)

Where to look

  • Login/registration forms: Password policy, account lockout, rate limiting
  • Session cookies: Predictable values, missing HttpOnly/Secure flags
  • Password reset flows: Token in URL/email, no expiration, reusable tokens
  • "Remember me" functionality: Weak or long-lived tokens
  • Multi-factor authentication: SMS (SIM swap risk), TOTP bypass via backup codes
  • API authentication: Weak API keys, OAuth misconfigurations
  • Logout functionality: Session not invalidated server-side

Common exploitation

  • Brute force login (if no rate limit/CAPTCHA)
  • Credential stuffing with leaked password lists
  • Session hijacking via XSS or network sniffing (HTTP)
  • Fixate session ID before login
  • Bypass MFA by directly accessing post-login page
  • Reuse password reset tokens

8. Software and Data Integrity Failures

What it is

Code and infrastructure that rely on plugins, libraries, or modules from untrusted sources or insecure CI/CD pipelines, and applications that don't verify integrity (e.g., unsigned updates, no checksums).

Theory

  • Insecure deserialization: Untrusted data reconstructed as objects (can lead to RCE)
  • No integrity checks on updates/packages
  • Compromised CI/CD pipeline injects malicious code
  • Auto-update mechanisms fetch over HTTP or without signature verification

Where to look

  • Serialized data in cookies/parameters: Java serialized objects, Python pickle, PHP unserialize()
  • CI/CD configs: .gitlab-ci.yml, Jenkinsfile, GitHub Actions workflows exposed or writable
  • Third-party CDN scripts: <script src="https://untrusted-cdn.com/lib.js">
  • Update mechanisms: Software update URLs, package managers fetching over HTTP
  • Plugins/extensions: CMS plugins (WordPress, Joomla) installed from unofficial sources

Common exploitation

  • Insecure deserialization RCE: Java ysoserial, PHP object injection
  • Supply chain compromise: Inject malicious commit into CI/CD
  • Man-in-the-middle auto-update (HTTP, no signature)
  • Malicious NPM/PyPI package with similar name (typosquatting)

9. Security Logging and Monitoring Failures

What it is

Insufficient logging, detection, monitoring, and incident response allow attackers to remain undetected, pivot to other systems, tamper with data, or extract/destroy data.

Theory

  • Critical events not logged (login failures, access to sensitive data, privilege changes)
  • Logs not monitored or reviewed
  • Logs stored insecurely or tampered with
  • No alerting on suspicious activity
  • Inadequate incident response plan

Where to look

  • Application logs: Check if login attempts, errors, admin actions are logged
  • Web server logs: Access logs (access.log), error logs
  • Database logs: Query logs, failed authentication
  • SIEM/centralized logging: Splunk, ELK, CloudWatch—are they configured?
  • Audit trails: User actions, configuration changes, data access
  • Alerting rules: Do alerts fire on repeated 401s, privilege escalation, data exfiltration?

Common indicators of failure

  • No logs for failed login attempts
  • Successful attack goes unnoticed for weeks/months
  • Logs not reviewed (no SOC/monitoring team)
  • Logs stored locally and easily deleted by attacker
  • No integrity protection (attacker can modify logs)

How this enables exploitation

  • Attacker can brute force slowly without detection
  • Privilege escalation not noticed
  • Data exfiltration happens silently
  • Forensics impossible post-breach

10. Server-Side Request Forgery (SSRF)

What it is

A web application fetches a remote resource without validating the user-supplied URL, allowing an attacker to make the server send requests to internal systems, cloud metadata APIs, or external services.

Theory

  • Application accepts a URL parameter and fetches it server-side
  • No validation/whitelist of allowed hosts
  • Internal network/localhost accessible from the server
  • Cloud metadata endpoints (169.254.169.254) exposed

Where to look

  • URL parameters: ?url=, ?page=, ?file=, ?image=, ?fetch=
  • Webhook/callback URLs: Integrations, payment gateways, notifications
  • Import/export features: Import data from URL, fetch remote config
  • PDF generators: HTML-to-PDF services that fetch external resources
  • Image processing: Avatar upload via URL, thumbnail generators
  • API proxies or aggregators: Features that fetch data from third-party APIs

Common exploitation

  • Access internal services: http://localhost:8080/admin
  • Read cloud metadata: http://169.254.169.254/latest/meta-data/iam/security-credentials/
  • Port scan internal network: Try various internal IPs/ports
  • Bypass IP whitelists (app's server IP is trusted)
  • Access file:// URIs: file:///etc/passwd (if not filtered)
  • Exploit internal services (Redis, Memcached) with crafted payloads

Summary Table: Where Each Vuln Lives

Vulnerability Primary Locations
Broken Access Control URLs, API endpoints, session tokens, hidden fields, direct file references
Cryptographic Failures HTTP traffic, cookies, JS source, config files, error messages, DB backups
Injection Forms, URL params, search boxes, HTTP headers, JSON/XML bodies, file uploads
Insecure Design Business logic flows, checkout/payment, password reset, race-prone workflows
Security Misconfiguration Default creds, directory listing, error pages, missing headers, exposed admin panels, cloud storage
Vulnerable Components Response headers, JS libraries, stack traces, dependency files, outdated frameworks
Auth Failures Login/registration, session cookies, password reset, MFA flows, "remember me"
Integrity Failures Serialized data (cookies/params), CI/CD pipelines, update mechanisms, third-party CDNs
Logging/Monitoring Failures Absence in logs, no SIEM, no alerting, log tampering, no audit trail
SSRF URL parameters, webhooks, import/export, PDF generators, image fetchers, API proxies
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment