
Overview

The OWASP Top 10 is a standard awareness document representing a broad consensus about the most critical security risks to web applications. This project demonstrates several vulnerabilities from the OWASP Top 10 2021 list.

Vulnerabilities Demonstrated

5 OWASP categories covered with practical examples

Security Fixes Shown

Complete mitigation strategies for each vulnerability

OWASP Top 10 2021 Mapping

A01:2021 - Broken Access Control

Vulnerabilities Demonstrated:
  • Insecure Direct Object Reference (IDOR) - vulnerable/app.py:95-110
    • Users can access other users’ profiles by manipulating the id parameter
    • No authorization checks before displaying sensitive data
  • Missing Function Level Access Control
    • Insufficient role-based access controls
    • Weak session validation
Security Impact:
  • Unauthorized information disclosure
  • Access to other users’ personal data
  • Potential privilege escalation
Mitigation Applied:
  • Authorization checks in secure/app.py:146-158
  • User can only view their own profile unless admin role
  • Proper session validation on all protected routes
Severity: Critical
CVSS Score: 8.2
Affected Code: Profile view endpoint
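The object-level check described above, as an added example that is not the project's code: the vulnerable lookup trusts the id parameter alone, the secure one validates the session and then allows only the owner or an admin. The USERS table, the session dict and the exception classes are constructed stand-ins for the app's database, Flask session and HTTP status codes.

```python
from typing import Optional

# Constructed in-memory user table standing in for the project's database.
USERS = {
    1: {"id": 1, "username": "alice", "role": "user", "email": "alice@example.com"},
    2: {"id": 2, "username": "bob", "role": "user", "email": "bob@example.com"},
    3: {"id": 3, "username": "root", "role": "admin", "email": "root@example.com"},
}


class Unauthorized(Exception):
    """Raised where the web app would send the caller to login (HTTP 401)."""


class Forbidden(Exception):
    """Raised where the web app would return HTTP 403."""


def profile_vulnerable(session: dict, requested_id: int) -> Optional[dict]:
    # The id parameter alone selects the record; nothing ties it to the caller.
    return USERS.get(requested_id)


def profile_secure(session: dict, requested_id: int) -> Optional[dict]:
    # Session validation first: no authenticated user means no profile at all.
    user_id = session.get("user_id")
    if user_id not in USERS:
        raise Unauthorized("login required")
    # Object-level authorization: only the owner or an admin may view a profile.
    if requested_id != user_id and USERS[user_id]["role"] != "admin":
        raise Forbidden("cannot view another user's profile")
    return USERS.get(requested_id)


def access_outcome(session: dict, requested_id: int) -> str:
    """Collapse the secure endpoint's result to an HTTP-style status for checks."""
    try:
        profile_secure(session, requested_id)
    except Unauthorized:
        return "401"
    except Forbidden:
        return "403"
    return "200"
```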

A02:2021 - Cryptographic Failures

Vulnerabilities Demonstrated:
  • Plaintext Password Storage - vulnerable/app.py:26
    • Passwords stored in database without any encryption
    • Direct string comparison in SQL queries
    • Credentials visible in database dumps
  • Sensitive Data Exposure
    • Password field returned in user queries
    • SQL errors expose database structure
    • Session secrets hardcoded in source
Security Impact:
  • Complete compromise if database is breached
  • User credentials stolen and reused on other sites
  • Compliance violations (GDPR, PCI-DSS)
Mitigation Applied:
  • Werkzeug password hashing (bcrypt) in secure/app.py:104
  • Environment-based secret key management
  • Password field excluded from SELECT queries
  • Secure session configuration
Severity: Critical
CVSS Score: 9.1
Affected Code: Login and registration functions
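The mitigation above in working form, as an added example rather than the project's code: salted, iterated password hashing and a constant-time verify, using the standard library's PBKDF2 in place of the Werkzeug call the secure app uses, plus a view that drops the hash before a record is returned. The users dict, the record layout and the dummy-hash trick for unknown usernames are this example's assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows


def hash_password(password: str) -> str:
    # A fresh random salt per user means identical passwords get different hashes.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iters))
    except ValueError:
        return False  # malformed record: fail closed instead of raising a trace
    # compare_digest does not stop at the first differing byte (no timing leak).
    return hmac.compare_digest(actual, expected)


# Verified for unknown usernames so "no such user" costs the same as a bad password.
_DUMMY_HASH = hash_password("placeholder")


def register(users: dict, username: str, password: str) -> None:
    # Only the hash is persisted; the plaintext never reaches storage.
    users[username] = {"username": username, "password_hash": hash_password(password)}


def login(users: dict, username: str, password: str) -> bool:
    record = users.get(username)
    if record is None:
        verify_password(_DUMMY_HASH, password)
        return False
    return verify_password(record["password_hash"], password)


def public_view(record: dict) -> dict:
    # Mirrors "password field excluded from SELECT queries": the hash stays server-side.
    return {k: v for k, v in record.items() if k != "password_hash"}
```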

A03:2021 - Injection

Vulnerabilities Demonstrated:
  • SQL Injection - vulnerable/app.py:26
    • User input directly concatenated into SQL queries
    • No input validation or sanitization
    • Authentication bypass via SQL manipulation
Attack Vectors Shown:
-- Authentication Bypass
admin' OR '1'='1

-- Comment Injection
admin'-- 

-- Union-based Injection
' OR 1=1 --
Security Impact:
  • Complete authentication bypass
  • Unauthorized data access
  • Potential data modification or deletion
  • Database structure disclosure
Mitigation Applied:
  • Parameterized queries (prepared statements) in secure/app.py:55-56
  • Input validation and length limits
  • Proper error handling without information disclosure
Severity: Critical
CVSS Score: 9.8
Affected Code: Login, profile, and registration endpoints
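The vulnerable lookup beside the parameterized one, as an added example that is not the project's code: the first splices input into the SQL text the way the vulnerable app does, the second uses placeholders and the length limits listed above. The in-memory SQLite table and its rows are constructed sample data, and the payloads exercised are the ones shown in this section; passwords are left plaintext here only to isolate the injection point.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    # Constructed sample table; plaintext passwords here only keep the demo small.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'S3cret-admin-pw')")
    conn.execute("INSERT INTO users VALUES (2, 'alice', 'alice-pw')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    # Input becomes part of the SQL text, so a quote in it changes the query's structure.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_secure(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    # Length limits reject oversized input before it reaches the database.
    if not (1 <= len(username) <= 64 and 1 <= len(password) <= 128):
        return None
    # Placeholders fix the query's shape; whatever the input contains stays data.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None
```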

A04:2021 - Insecure Design

Vulnerabilities Demonstrated:
  • Security Misconfiguration
    • Debug mode enabled in production
    • Hardcoded secret keys
    • Missing security headers
  • Lack of Security Architecture
    • No input validation framework
    • Missing rate limiting
    • No logging or monitoring
Security Impact:
  • Information disclosure through debug errors
  • Session hijacking via predictable keys
  • Missing defense-in-depth layers
Mitigation Applied:
  • Security headers middleware in secure/app.py:19-26
  • Environment-based configuration
  • CSRF protection with Flask-WTF
  • Proper error handling
Severity: Medium
CVSS Score: 6.5
Affected Code: Application configuration

A07:2021 - Identification and Authentication Failures

Vulnerabilities Demonstrated:
  • Insecure Session Management
    • Weak session configuration
    • No session timeout
    • Session tokens not rotated
  • Weak Authentication
    • No password complexity requirements
    • No account lockout mechanism
    • Predictable session identifiers
Security Impact:
  • Session hijacking
  • Credential stuffing attacks
  • Brute force attacks
Mitigation Applied:
  • Secure session configuration in secure/app.py:67
  • Password length validation
  • Proper session cleanup on logout
  • Input sanitization and trimming
Severity: High
CVSS Score: 7.5
Affected Code: Session and authentication logic

A03:2021 - Cross-Site Scripting (XSS)

Vulnerabilities Demonstrated:
  • Reflected XSS - vulnerable/app.py:82-86
    • User input from URL parameters rendered without sanitization
    • JavaScript code executed in victim’s browser
    • No Content Security Policy
Attack Vectors Shown:
<!-- Alert Box -->
<script>alert('XSS')</script>

<!-- Cookie Theft -->
<script>alert(document.cookie)</script>

<!-- DOM Manipulation -->
<script>document.body.innerHTML='HACKED'</script>

<!-- Event Handler -->
<img src=x onerror="alert('XSS')">
Security Impact:
  • Session token theft
  • Phishing attacks
  • Keylogging
  • Website defacement
Mitigation Applied:
  • Output escaping with MarkupSafe in secure/app.py:136
  • Content Security Policy headers
  • Input validation and sanitization
  • Auto-escaping in Jinja2 templates
Severity: High
CVSS Score: 7.5
Affected Code: Dashboard message display
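The raw and escaped renderings of the dashboard message, as an added example rather than the project's code, with the Content-Security-Policy header applied as the second layer named above. html.escape from the standard library stands in for MarkupSafe's escape; the template string, the header values and the set of payloads (taken from this section) are this example's assumptions.

```python
import html

# Constructed fragment standing in for the dashboard template.
TEMPLATE = '<div class="message">{}</div>'

# The payloads listed in this section, embedded here as test input.
PAYLOADS = [
    "<script>alert('XSS')</script>",
    "<script>alert(document.cookie)</script>",
    "<script>document.body.innerHTML='HACKED'</script>",
    '<img src=x onerror="alert(\'XSS\')">',
]


def render_vulnerable(message: str) -> str:
    # Raw interpolation: markup in the parameter becomes markup in the page.
    return TEMPLATE.format(message)


def render_secure(message: str) -> str:
    # quote=True also escapes ' and ", so the value is inert inside attributes too.
    return TEMPLATE.format(html.escape(message, quote=True))


def message_is_inert(fragment: str) -> bool:
    """True when the rendered fragment contains no tag beyond the template's own."""
    body = fragment[len('<div class="message">'):-len("</div>")]
    return "<" not in body and ">" not in body and '"' not in body


def security_headers() -> dict:
    # Defense in depth: if escaping is ever missed, inline script is still refused.
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
    }
```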

Not Covered in This Project

The following OWASP Top 10 2021 categories are not demonstrated in this educational project:

A05:2021

Security Misconfiguration - Partially covered through examples but not comprehensively demonstrated

A06:2021

Vulnerable and Outdated Components - Not applicable to this minimal demo

A08:2021

Software and Data Integrity Failures - Outside scope of authentication demo

A09:2021

Security Logging and Monitoring Failures - Not implemented in basic demo

A10:2021

Server-Side Request Forgery (SSRF) - Not applicable to current functionality

Risk Severity Summary

OWASP Category                 Project Coverage               Severity   Mitigation Status
A01 - Broken Access Control    IDOR, Missing Authorization    Critical   ✅ Fixed
A02 - Cryptographic Failures   Plaintext Passwords            Critical   ✅ Fixed
A03 - Injection                SQL Injection                  Critical   ✅ Fixed
A03 - XSS                      Reflected XSS                  High       ✅ Fixed
A04 - Insecure Design          Security Misconfiguration      Medium     ✅ Fixed
A07 - Auth Failures            Insecure Sessions              High       ✅ Fixed

Learning Objectives

Understanding Real-World Risks

See how OWASP Top 10 vulnerabilities manifest in actual code and how attackers exploit them

Implementing Security Controls

Learn practical mitigation techniques that address OWASP recommendations

Secure Development Practices

Adopt security-first coding patterns that prevent common vulnerabilities

External Resources

This project is designed for educational purposes only. Always test security controls in authorized environments.
