Security Fundamentals & OWASP

OWASP Top 10 2025: A01-A05

5 min read

The OWASP Top 10 2025 reorders the 2021 list and adds a dedicated software supply chain category. This section covers A01 to A05, the five categories most likely to come up in interviews; each one gets the pattern to recognise, the code you will be asked to review, and the fix.

A01:2025 - Broken Access Control

Rank: #1 (most critical)

The category OWASP observes most often in web applications. It occurs when a user can act outside the permissions they were granted, usually because the server never checks that the caller is allowed to touch the specific object or function they asked for.

Common Patterns

| Pattern | Description | Example |
|---|---|---|
| IDOR (Insecure Direct Object Reference) | Object reachable by its identifier with no ownership check | /api/user/123 returns another user's record |
| Privilege escalation | Ordinary user reaches admin functions | Changing the role value in a hidden form field |
| Path traversal | Reading files outside the intended directory | ../../etc/passwd |
| Missing function-level access control | Admin endpoints exposed to any caller | /admin/deleteUser with no authorization check |

Interview Code Review

from flask import Flask, jsonify, abort
from flask_login import login_required, current_user

app = Flask(__name__)
# Document is the application's SQLAlchemy model with an owner_id column (assumed here).

# Vulnerable code - Find the issues
@app.route('/api/documents/<doc_id>')
def get_document(doc_id):
    document = Document.query.get(doc_id)  # Issue 1: no authentication or authorization check
    return jsonify(document.to_dict())     # Issue 2: an unknown doc_id gives None, so this raises a 500

# Secure version (replaces the handler above; Flask will not register both under one name)
@app.route('/api/documents/<doc_id>')
@login_required                            # authentication: who is calling?
def get_document(doc_id):
    document = Document.query.get_or_404(doc_id)
    if document.owner_id != current_user.id:  # authorization: may this user read this object?
        abort(403)  # returning 404 here instead would also hide whether the document exists
    return jsonify(document.to_dict())
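The path traversal row in the table above is the pattern candidates most often get wrong in review, because the intuitive fix (reject any string containing "..") is bypassable. Below is an added example, not code from the original page: a deny-by-default path check that canonicalises the requested path and serves it only if it still lies under the configured root. FILE_ROOT, the function names and the sample requests are constructed for this example.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed root directory for the example. realpath() normalises paths
# whether or not they exist on disk, so nothing below needs these files to
# be present; it only follows symlinks that happen to be there.
FILE_ROOT = "/srv/files"


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Return the absolute path for user_path inside base_dir, or None if it escapes.

    Three details make this hold up against the usual bypasses:
      1. Decode before checking. Frameworks usually URL-decode already, but the
         check is applied to the fully resolved path that we return, so decoding
         here cannot weaken it; it only closes the "%2e%2e/" gap.
      2. Canonicalise with realpath(), which removes "." and ".." segments and
         follows symlinks, so a link inside the root pointing outside is caught.
      3. Compare with commonpath(), not startswith(): "/srv/files2" starts with
         the string "/srv/files" but is not inside that directory.
    """
    root = os.path.realpath(base_dir)
    # os.path.join discards root entirely if user_path is absolute ("/etc/passwd");
    # the commonpath check below catches that case as well.
    candidate = os.path.join(root, unquote(user_path))
    target = os.path.realpath(candidate)
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def classify(requests: list) -> dict:
    """Map each requested path to its resolved path, or 'DENIED' if it escapes the root."""
    return {req: safe_resolve(FILE_ROOT, req) or "DENIED" for req in requests}


if __name__ == "__main__":
    # Constructed inputs: one legitimate request and the common bypass attempts.
    for req, result in classify([
        "reports/q1.pdf",
        "../../etc/passwd",
        "..%2F..%2Fetc%2Fpasswd",
        "/etc/passwd",
        "../files2/secret.txt",
    ]).items():
        print(f"{req!r:32} -> {result}")
```

Note that the function returns the canonical path, and the caller must open that value, not the original request string; a check that validates the input but then opens the raw input is still vulnerable.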

A02:2025 - Security Misconfiguration

Rank: #2 (moved up from #5 in 2021)

OWASP attributes the rise to software and cloud infrastructure that ship with many security-relevant settings, most of them left at insecure defaults.

Common Misconfigurations

  • Default credentials left unchanged
  • Unnecessary features, ports or accounts enabled
  • Error messages revealing stack traces; debug mode left on in production
  • Missing or misconfigured security headers
  • Cloud storage (for example S3 buckets) readable by anyone
  • Overly permissive CORS policies

Interview Scenario

Question: "Review this response. What security headers are missing?"

HTTP/1.1 200 OK
Content-Type: text/html
Server: Apache/2.4.41

<html>...

Answer: The response carries none of the protective headers, and the Server banner discloses the exact Apache version (remove it, or set ServerTokens Prod in Apache). Expected headers:

  • Strict-Transport-Security (HSTS), for example max-age=31536000; includeSubDomains
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY (or the CSP frame-ancestors directive, which supersedes it)
  • Content-Security-Policy
  • Referrer-Policy and Permissions-Policy

A strong answer also says what not to add: X-XSS-Protection is deprecated. Browsers have removed the XSS auditor it controlled, and the filter was itself abusable, so current OWASP guidance is to omit it or send X-XSS-Protection: 0 and rely on CSP.
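Here is an added example of the check an interviewer is really asking for, not code from the original page: it parses the raw response from the scenario above (embedded as constructed text) and reports what is missing, what is weak and what leaks. The required-header set, the one-year HSTS threshold and the hardened comparison response are this example's own choices.

```python
from typing import Dict, List

# Constructed sample: the response from the interview scenario, as raw HTTP/1.1 text.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: Apache/2.4.41\r\n"
    "\r\n"
    "<html>...</html>"
)

# The same response with the headers a hardened deployment would send (constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers an HTML response should carry. Names are case-insensitive, so the
# parser lowercases them.
REQUIRED = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",            # a CSP frame-ancestors directive supersedes it
    "content-security-policy",
    "referrer-policy",
)
ONE_YEAR = 31536000


def parse_response(raw: str) -> Dict[str, str]:
    """Return a lowercase header map from a raw HTTP/1.1 response (body ignored)."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, sep, num = directive.strip().partition("=")
        if sep and key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings: missing headers, weak values, and information leaks."""
    findings: List[str] = []
    for name in REQUIRED:
        if name not in headers:
            findings.append(f"missing: {name}")
    hsts = headers.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) < ONE_YEAR:
        findings.append("weak: strict-transport-security max-age below one year")
    if "x-content-type-options" in headers and headers["x-content-type-options"].lower() != "nosniff":
        findings.append("weak: x-content-type-options is not 'nosniff'")
    csp = headers.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("weak: content-security-policy permits unsafe-inline/unsafe-eval")
    # X-XSS-Protection: 1 re-enables a removed browser filter that was itself
    # abusable; current guidance is to omit the header or send 0.
    if headers.get("x-xss-protection", "0").strip().startswith("1"):
        findings.append("harmful: x-xss-protection enabled; omit it or set 0, rely on CSP")
    server = headers.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"leak: Server header discloses version ({server})")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(parse_response(raw)) or ["no findings"])
```

Run against the scenario response it reports five missing headers and the version leak; against the hardened response it reports nothing. The absence of X-XSS-Protection is deliberately not a finding.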

A03:2025 - Software Supply Chain Failures

Rank: #3 (new category; broadens A06:2021 Vulnerable and Outdated Components to cover the whole build and delivery chain)

A major 2025 addition reflecting build-pipeline compromises such as SolarWinds and vulnerable-component incidents such as Log4Shell: the code you ship is only as trustworthy as everything that produced it.

Attack Vectors

| Vector | Description | Example |
|---|---|---|
| Dependency confusion | A public package is published under an internal name with a higher version, and the resolver prefers it over the private one | Malicious npm package with an internal name |
| Typosquatting | A package name that looks like a popular one | lodash vs 1odash |
| Maintainer compromise or handoff | A trusted package is updated with malicious code | event-stream (2018): a new maintainer added a malicious dependency |
| Build pipeline attacks | CI/CD tooling is compromised so the artifact itself is tampered with | Codecov (2021): modified Bash uploader script |

Defenses

# Example: lock dependencies and verify integrity
# package-lock.json (npm); pip's equivalent is a requirements.txt with --hash entries
{
  "packages": {
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-v2kDE..."
    }
  }
}

The lockfile records the exact version, the URL it was fetched from and a hash of the tarball. Install with npm ci rather than npm install: npm ci refuses to proceed if a fetched tarball does not match the recorded integrity value, and pip install --require-hashes does the same for Python.

Tools: Snyk, Dependabot, OWASP Dependency-Check, npm audit, pip-audit
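A lockfile only helps if something checks it. As an added example (not code from the page, and not npm's own implementation), here is that check written out in Python so each rule is visible: every dependency must resolve from an approved registry, a name with an internal prefix must not come from the public registry (the dependency confusion row above), an integrity value must be present and use sha512, and the fetched artifact must match it. The two registries, the acme- prefix, the lockfile and the tarball bytes are all constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Callable, Dict, List

# Assumptions for the example (none of these come from the page): a private
# registry for first-party packages and a naming prefix that marks them.
PUBLIC_REGISTRY = "https://registry.npmjs.org/"
INTERNAL_REGISTRY = "https://npm.internal.example/"
INTERNAL_PREFIXES = ("acme-",)


def sri_sha512(data: bytes) -> str:
    """Integrity string in the form npm records it: 'sha512-' + base64 digest."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed tarball contents returned by the fake fetch step, keyed by URL.
ARTIFACTS: Dict[str, bytes] = {
    PUBLIC_REGISTRY + "left-pad/-/left-pad-1.3.0.tgz": b"constructed left-pad tarball",
    PUBLIC_REGISTRY + "acme-utils/-/acme-utils-9.9.9.tgz": b"constructed lookalike tarball",
    INTERNAL_REGISTRY + "acme-auth/-/acme-auth-2.0.1.tgz": b"constructed internal tarball",
}

# Constructed package-lock.json (lockfileVersion 3) content, already parsed.
LOCKFILE = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": PUBLIC_REGISTRY + "left-pad/-/left-pad-1.3.0.tgz",
            "integrity": sri_sha512(b"constructed left-pad tarball"),
        },
        # Internal-looking name that resolved from the public registry, and the
        # artifact no longer matches what the lockfile was written against.
        "node_modules/acme-utils": {
            "version": "9.9.9",
            "resolved": PUBLIC_REGISTRY + "acme-utils/-/acme-utils-9.9.9.tgz",
            "integrity": sri_sha512(b"the tarball the lockfile was generated from"),
        },
        # Correct registry, but no integrity value was ever recorded.
        "node_modules/acme-auth": {
            "version": "2.0.1",
            "resolved": INTERNAL_REGISTRY + "acme-auth/-/acme-auth-2.0.1.tgz",
        },
    },
}


def fake_fetch(url: str) -> bytes:
    """Stand-in for downloading the resolved tarball."""
    return ARTIFACTS[url]


def verify_lockfile(lock: dict, fetch: Callable[[str], bytes]) -> List[str]:
    """Audit every dependency entry; return a list of findings (empty means clean)."""
    findings: List[str] = []
    for path, entry in lock["packages"].items():
        if path == "":                       # the root project, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved", "")
        integrity = entry.get("integrity", "")

        if not resolved.startswith((PUBLIC_REGISTRY, INTERNAL_REGISTRY)):
            findings.append(f"{name}: resolved from unapproved registry {resolved}")
        if name.startswith(INTERNAL_PREFIXES) and not resolved.startswith(INTERNAL_REGISTRY):
            findings.append(f"{name}: internal-prefixed name resolved from public registry (dependency confusion)")
        if not integrity:
            findings.append(f"{name}: no integrity hash recorded")
            continue
        if not integrity.startswith("sha512-"):
            findings.append(f"{name}: integrity uses a weak or unknown algorithm")
            continue
        actual = sri_sha512(fetch(resolved))
        if not hmac.compare_digest(actual, integrity):
            findings.append(f"{name}: integrity mismatch, artifact differs from lockfile")
    return findings


if __name__ == "__main__":
    for finding in verify_lockfile(LOCKFILE, fake_fetch) or ["lockfile verified"]:
        print(finding)
```

The registry and prefix rules are the part npm does not enforce on its own; in practice they are configured as scoped packages bound to the private registry in .npmrc, and the script above is the audit you run in CI to catch entries that slipped past that configuration.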

A04:2025 - Cryptographic Failures

Rank: #4 (was #2 in 2021)

Missing, weak or misused cryptography that exposes data which needed protection. The category was called Sensitive Data Exposure before 2021; the rename shifts attention from the symptom to the root cause.

Common Failures

| Failure | Impact | Fix |
|---|---|---|
| Weak or misused algorithms | MD5/SHA-1 for passwords; hashes crackable offline | Argon2id, scrypt or bcrypt for passwords |
| Hardcoded secrets | Keys and credentials in source control | Secrets manager; rotate anything that was ever committed |
| Missing encryption in transit | Data sent in cleartext | TLS (1.2 minimum, prefer 1.3) everywhere, plus HSTS |
| Improper key management | Keys stored next to the data they protect | HSM or cloud KMS; keep keys separate from data and rotate them |

Interview Question

Q: "How would you securely store user passwords?"

Strong Answer:

import bcrypt

def hash_password(password: str) -> bytes:
    # hashpw returns the cost, salt and digest in one string, so nothing else
    # needs to be stored; gensalt() draws the salt from the OS CSPRNG.
    # Caveat: bcrypt only looks at the first 72 bytes of the input. Reject
    # longer passwords explicitly rather than letting them silently truncate.
    salt = bcrypt.gensalt(rounds=12)  # cost factor 12 = 2**12 iterations
    return bcrypt.hashpw(password.encode("utf-8"), salt)

def verify_password(password: str, hashed: bytes) -> bool:
    # checkpw re-derives with the cost and salt embedded in `hashed` and
    # compares in constant time.
    return bcrypt.checkpw(password.encode("utf-8"), hashed)

Key Points:

  • Never use fast general-purpose hashes (MD5, SHA-1, plain SHA-256) for passwords, salted or not; GPUs compute billions of them per second
  • Use a deliberately slow, adaptive algorithm: Argon2id (preferred), scrypt, or bcrypt
  • Tune the cost so one hash takes on the order of 100 ms on your own servers, raise it as hardware improves, and re-hash stored records on the user's next successful login
  • Know bcrypt's 72-byte input limit; Argon2id and scrypt have no such limit
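The bcrypt snippet shows the hashing call; the part candidates usually skip is the lifecycle around it. The following added example (not code from the original page) uses the standard library's hashlib.scrypt so it runs without extra packages, and shows a self-describing record format, constant-time verification, rehash-on-login when the policy is raised, and a calibration loop for the ~100 ms target. The record format, the parameter values and the function names are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Tuple

# Current policy. scrypt needs 128 * r * N bytes of memory: N=2**14, r=8 is 16 MiB.
# Raise N (doubling each step) until hash_password() takes about 100 ms on the
# servers that will run it; calibrate() below does that measurement.
N, R, P, DKLEN = 2 ** 14, 8, 1, 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _kdf(password: str, salt: bytes, n: int, r: int, p: int, dklen: int) -> bytes:
    # maxmem must cover the 128*r*N working set plus headroom; the library's
    # default limit would reject larger N values found by calibrate().
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          dklen=dklen, maxmem=max(64 * 1024 * 1024, 2 * 128 * r * n))


def hash_password(password: str, n: int = N, r: int = R, p: int = P) -> str:
    """Return a self-describing record: algorithm, parameters, salt and digest."""
    salt = os.urandom(16)                               # fresh random salt per password
    digest = _kdf(password, salt, n, r, p, DKLEN)
    return f"$scrypt${n}${r}${p}${_b64(salt)}${_b64(digest)}"


def _parse(record: str) -> Tuple[int, int, int, bytes, bytes]:
    _, algo, n, r, p, salt, digest = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported password hash format")
    return int(n), int(r), int(p), base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    n, r, p, salt, expected = _parse(record)
    actual = _kdf(password, salt, n, r, p, len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True if the record was made with weaker parameters than the current policy.

    Call this right after a successful verify_password() and re-hash with the
    plaintext you just checked; login is the only moment the plaintext is available.
    """
    n, r, p, _, _ = _parse(record)
    return n < N or r < R or p < P


def calibrate(target_ms: float = 100.0, start_n: int = 2 ** 13, max_n: int = 2 ** 20) -> int:
    """Smallest power-of-two N (with R and P fixed) whose hash time reaches target_ms."""
    n = start_n
    while n <= max_n:
        started = time.perf_counter()
        _kdf("calibration", b"\x00" * 16, n, R, P, DKLEN)
        if (time.perf_counter() - started) * 1000 >= target_ms:
            return n
        n *= 2
    return max_n


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("wrong", record))
    print("N for ~100 ms on this machine:", calibrate())
```

Storing the parameters inside the record is what makes the policy upgradeable: old records still verify with the parameters they were created with, and needs_rehash() tells the login path which ones to regenerate.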

A05:2025 - Injection

Rank: #5 (was #3 in 2021)

Untrusted data reaches an interpreter (SQL engine, OS shell, LDAP server, or a browser's HTML parser) as part of a command or query, so what should have been data is parsed as code. Since 2021 the category also includes cross-site scripting.

Injection Types

| Type | Target | Example payload |
|---|---|---|
| SQL injection | Database | ' OR '1'='1 |
| Command injection | OS shell | ; rm -rf / |
| LDAP injection | Directory service | * (a wildcard that turns (uid=alice) into (uid=*), matching every entry) |
| XSS | Browser (HTML/JavaScript parser) | <script>alert(1)</script> |

Defense: Parameterized Queries

# VULNERABLE - string formatting pastes the input into the statement text
query = f"SELECT * FROM users WHERE id = {user_id}"
cursor.execute(query)

# SECURE - parameterized query: the value travels separately from the statement
# (%s is the psycopg2/MySQLdb placeholder style; sqlite3 uses ?)
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
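The snippet above shows the shape of the fix; it is more convincing when you can watch the payload succeed against one version and fail against the other. The following added example, not code from the original page, runs both the SQL and the command injection sinks from the table against constructed data: the vulnerable query with a payload for its numeric context (1 OR 1=1, the numeric form of ' OR '1'='1), its parameterized counterpart, and a shell sink with and without shell=True. echo stands in for a real tool such as ping; the table rows, the hostname pattern and the function names are all constructed.

```python
import re
import sqlite3
import subprocess
from typing import List, Tuple

# --- SQL injection: the page's query against an in-memory table ---------------

def make_db() -> sqlite3.Connection:
    """Constructed users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple[int, str]]:
    # The input is pasted into the statement text, so "1 OR 1=1" becomes part
    # of the WHERE clause and the predicate is true for every row.
    query = f"SELECT id, name FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def lookup_secure(conn: sqlite3.Connection, user_id: str) -> List[Tuple[int, str]]:
    # sqlite3 uses ? placeholders (psycopg2 and MySQLdb use %s). The driver
    # sends the value separately from the statement, so it can only ever be
    # compared against the id column, never parsed as SQL.
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


# --- OS command injection: same idea, the sink is a shell ----------------------
# "echo" stands in for a tool such as ping so the example has no network dependency.

HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")   # constructed allowlist for hostnames/IPs


def run_vulnerable(host: str) -> str:
    # shell=True hands the whole string to /bin/sh, so ";" ends the command and
    # whatever follows runs as a second one.
    return subprocess.run(f"echo host={host}", shell=True,
                          capture_output=True, text=True).stdout


def run_argv(host: str) -> str:
    # An argv list with no shell: the value is one argument to echo, and shell
    # metacharacters in it are just characters.
    return subprocess.run(["echo", f"host={host}"],
                          capture_output=True, text=True).stdout


def run_secure(host: str) -> str:
    # Defence in depth: reject anything that is not a plausible host before the
    # value reaches any sink, then still use the argv form.
    if not HOST_RE.match(host):
        raise ValueError(f"invalid host: {host!r}")
    return run_argv(host)


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row
    print("secure:    ", lookup_secure(db, payload))       # no rows: '1 OR 1=1' is not an id
    cmd_payload = "8.8.8.8; echo pwned"
    print(run_vulnerable(cmd_payload), end="")             # two lines: host=8.8.8.8 and pwned
    print(run_argv(cmd_payload), end="")                   # one literal line
```

The two halves share one lesson for code review: find the sink (a query string built by formatting, a subprocess call with shell=True) and trace backwards to see whether anything attacker-controlled can reach it without passing through a parameter binding or an argv boundary.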

Interview Reality: You will be asked to identify injection vulnerabilities in code. Practice tracing user input from its sources (request parameters, headers, file contents) to dangerous sinks (query builders, shell calls, HTML templates) and asking, at each step, whether the data is still data.

Next, we'll cover A06-A10 and the OWASP Top 10 for LLM Applications for AI security roles.
