The OWASP Top 10

The Open Web Application Security Project (OWASP) publishes the Top 10 — a regularly updated list of the most critical web application security risks. The 2021 edition is the current standard and is referenced by security regulations worldwide.

As a QA engineer, knowing the OWASP Top 10 lets you systematically test for the most common and dangerous vulnerabilities. You do not need to be a security expert — you need to know what to look for and how to test for it.

A01:2021 — Broken Access Control

What it is: Users can act outside their intended permissions — viewing other users’ data, modifying records, escalating to admin, or accessing restricted endpoints.

Why it is #1: 94% of applications tested had some form of broken access control. It moved from #5 in 2017 to #1 in 2021.

How to test:

  • Change user IDs in URLs (/api/users/123 to /api/users/124)
  • Try accessing admin endpoints as a regular user (/admin/dashboard)
  • After logging out, try accessing protected pages with the old session token
  • Try modifying another user’s data through API PUT/PATCH requests
  • Test horizontal access: Can User A see User B’s orders?

Example test case: Log in as User A. Note their order ID (e.g., 5001). Log in as User B. Try to access /api/orders/5001. If User B sees User A’s order, the test fails.

A02:2021 — Cryptographic Failures

What it is: Sensitive data is not properly protected — transmitted in cleartext, stored unencrypted, or using weak algorithms.

How to test:

  • Check if the site uses HTTPS everywhere (no mixed content)
  • Look for sensitive data in URLs or query parameters
  • Verify password storage uses strong hashing (bcrypt, Argon2), not MD5/SHA-1
  • Check if API responses include sensitive data unnecessarily
  • Verify cookies have Secure and HttpOnly flags

A03:2021 — Injection

What it is: Untrusted data is sent to an interpreter as part of a command or query. SQL injection is the most common, but there is also NoSQL, OS command, LDAP, and XPath injection.

How to test:

  • Enter ' OR 1=1 -- in login fields
  • Try '; DROP TABLE users; -- in search fields
  • Enter <script>alert('XSS')</script> in text inputs
  • Try ; ls -la in fields that might interact with the OS
  • Test API parameters with special characters

Key principle: Test every input field, URL parameter, header, and cookie value with injection payloads.

A04:2021 — Insecure Design

What it is: Flaws in the design itself, not implementation bugs. Missing threat modeling, insecure business logic, lack of security requirements.

How to test:

  • Can a coupon code be used multiple times?
  • Can you purchase items at the wrong price by manipulating the request?
  • Is there a rate limit on password reset emails?
  • Can bots automate the signup process?
  • Are there business logic checks (e.g., can you transfer more money than your balance)?

A05:2021 — Security Misconfiguration

What it is: Missing security hardening, unnecessary features enabled, default accounts, overly informative error messages.

How to test:

  • Check for default credentials (admin/admin, admin/password)
  • Look for unnecessary HTTP methods (PUT, DELETE on public endpoints)
  • Check if directory listing is enabled
  • Look for exposed management interfaces (/phpmyadmin, /admin, /console)
  • Check server headers for version disclosure (Server: Apache/2.4.52)
  • Verify stack traces are not shown to users

A06:2021 — Vulnerable and Outdated Components

What it is: Using libraries, frameworks, or components with known vulnerabilities.

How to test:

  • Run npm audit or pip check on the project
  • Use tools like Snyk, Dependabot, or OWASP Dependency-Check
  • Check if JavaScript libraries loaded from CDN are the latest patched version
  • Look for end-of-life frameworks or languages

A07:2021 — Identification and Authentication Failures

What it is: Weaknesses in authentication mechanisms — weak passwords allowed, missing brute force protection, session management flaws.

How to test:

  • Try passwords like “password123”, “123456” — are they accepted?
  • Attempt 50+ login failures rapidly — is the account locked?
  • After login, check if the session ID changes (session fixation prevention)
  • Test “Remember Me” — does it work securely?
  • Check if password reset tokens expire

A08:2021 — Software and Data Integrity Failures

What it is: Code and infrastructure that does not protect against integrity violations — insecure CI/CD pipelines, auto-updates without verification, deserialization attacks.

How to test:

  • Check if the application verifies integrity of downloaded updates
  • Look for insecure deserialization in API endpoints
  • Verify CI/CD pipeline requires code reviews
  • Check if third-party dependencies are verified with checksums

A09:2021 — Security Logging and Monitoring Failures

What it is: Insufficient logging of security events makes it impossible to detect attacks.

How to test:

  • Trigger a failed login — is it logged?
  • Make an unauthorized access attempt — is it logged with user details?
  • Are logs tamper-proof (stored externally)?
  • Is there alerting on suspicious patterns (10+ failed logins)?

A10:2021 — Server-Side Request Forgery (SSRF)

What it is: The attacker tricks the server into making requests to unintended internal or external resources.

How to test:

  • In any URL input field, try internal addresses (http://localhost, http://169.254.169.254)
  • Test with internal network IPs (http://192.168.1.1)
  • Check if the application fetches user-supplied URLs (webhook URLs, avatar URLs, import URLs)

Exercise: Test for 5 OWASP Vulnerabilities

Using a deliberately vulnerable application (OWASP Juice Shop, DVWA, or WebGoat), test for 5 different OWASP Top 10 risks.

Setup

Install OWASP Juice Shop:

docker run --rm -p 3000:3000 bkimminich/juice-shop

Access at http://localhost:3000

Task

Find and document at least one vulnerability for each of these 5 categories:

  1. A01: Broken Access Control
  2. A03: Injection
  3. A05: Security Misconfiguration
  4. A07: Authentication Failures
  5. Any other OWASP Top 10 risk

For each vulnerability, document: the risk category, steps to reproduce, impact, and recommended fix.

Hint: Where to Look in Juice Shop
  • A01: Try to access the admin section, look at product reviews by other users
  • A03: The search bar is a good target for injection
  • A05: Check the application’s response headers and error messages
  • A07: Try to create an account with a very weak password
  • Look at API calls: Open browser DevTools Network tab and observe the API requests
Solution: 5 Vulnerabilities Found

1. A01: Broken Access Control — Accessing Other Users’ Baskets

  • Steps: Log in as any user. Note your basket ID in /api/BasketItems. Change the basket ID in the API call to access another user’s basket.
  • Impact: Any authenticated user can view and modify other users’ shopping baskets.
  • Fix: Server must verify that the requested basket belongs to the authenticated user.

2. A03: Injection — SQL Injection in Search

  • Steps: Enter ' OR 1=1-- in the search bar.
  • Impact: Returns all products including hidden ones. In a real app, this could expose the entire database.
  • Fix: Use parameterized queries. Never concatenate user input into SQL.

3. A05: Security Misconfiguration — Verbose Error Messages

  • Steps: Send an invalid API request (e.g., malformed JSON to /api/Users).
  • Impact: The response includes stack traces and framework details (Express, Sequelize), revealing the technology stack.
  • Fix: Return generic error messages to users. Log detailed errors server-side only.

4. A07: Authentication Failures — No Password Strength Requirements

  • Steps: Register with password “1”. The application accepts it.
  • Impact: Users can set extremely weak passwords that are easily guessable.
  • Fix: Enforce minimum password complexity (8+ chars, mixed case, numbers).

5. A02: Cryptographic Failures — Sensitive Data in Feedback API

  • Steps: View /api/Feedbacks. User email addresses are included in the response for all feedback entries.
  • Impact: Exposes PII (email addresses) of all users who submitted feedback.
  • Fix: Remove email addresses from the public feedback API response.

Pro Tips

  • Use OWASP Juice Shop for Practice: Juice Shop is a deliberately vulnerable application with 100+ challenges covering all OWASP risks. It is the best hands-on training tool for security testing.
  • Map Tests to OWASP: When creating your security test plan, organize test cases by OWASP category. This ensures systematic coverage of all major risk areas.
  • OWASP Testing Guide: The OWASP Web Security Testing Guide (WSTG) provides detailed testing procedures for each risk. It is your reference manual for security testing.
  • Focus on A01 and A03 First: Broken Access Control and Injection are the most common and most dangerous. If you only have time for two categories, test these thoroughly.
  • Automate What You Can: DAST tools like OWASP ZAP can automatically scan for many injection and misconfiguration issues. Integrate them into CI/CD and focus your manual testing on access control and business logic.