Web Application & Database Security Engineering – Chapter 1: OWASP Top 10:2025


Scene 1 (0s)

[Virtual Presenter] The instructor has provided a comprehensive list of the top 10 security risks identified by OWASP, which includes SQL injection, cross-site scripting (XSS), and insecure direct object reference (IDOR). These are some of the most common vulnerabilities that can be exploited by attackers to gain unauthorized access to sensitive data. The instructor emphasizes that these risks are not just theoretical but real-world threats that can have serious consequences if left unaddressed. The instructor explains that each risk has its own set of characteristics and mitigation strategies, and that understanding these risks is essential for designing and developing secure web applications and databases. The instructor then moves on to explain how to implement secure coding practices, such as input validation and error handling, to prevent attacks like SQL injection and XSS. The instructor also discusses the importance of authentication and authorization mechanisms, such as session management and role-based access control, to ensure that users can only access authorized resources. Encryption is another critical aspect of web application security, and the instructor provides guidance on implementing encryption protocols, such as HTTPS and SSL/TLS. Throughout the course, the instructor covers various topics related to web application security, including secure coding practices, authentication and authorization, encryption, and more. The instructor also shares examples of successful web applications and databases that have implemented these security measures, demonstrating the effectiveness of these measures in preventing attacks. By the end of the course, students will have gained a solid understanding of the principles and concepts necessary to build secure web applications and databases.

Scene 2 (2m 2s)

[Audio] The learning objectives for this chapter are to explain the purpose and methodology of OWASP and the Top 10 framework. The objective is to define and differentiate the ten vulnerability categories in the 2025 edition. This objective also includes interpreting the two new categories introduced in 2025 and the rationale behind them. Furthermore, it is essential to apply core secure coding principles to identify flaws in sample code. Additionally, distinguishing between key security concepts such as vulnerability, threat, risk, and exploit is crucial. These objectives provide a solid foundation for understanding web application and database security engineering.

Scene 3 (2m 48s)

[Audio] OWASP is an organization that provides free and open security knowledge to everyone. Its mission is to promote web application security through various publications, including the OWASP Top 10, which lists the most critical web application risks. OWASP also provides other resources such as the Application Security Verification Standard, the Web Security Testing Guide, and cheat sheets. These resources are designed to help developers and organizations improve their web application security. OWASP has created vulnerable applications like WebGoat and Juice Shop for educational purposes. The organization's approach is vendor-neutral, meaning it does not favor any particular technology or company. Instead, it focuses on providing widely applicable security guidance. By making its tools and documents openly available, OWASP aims to encourage collaboration and innovation in the field of web application security.

Scene 4 (3m 52s)

[Audio] The OWASP Top 10 is a list of the most significant security risks facing software applications today. It is compiled through a comprehensive process that involves analyzing over 175000 CVE records from real-world applications worldwide. This is followed by an expert survey of thousands of practicing security professionals globally. The vulnerabilities are then linked to MITRE CWE identifiers for consistency. Each category is scored based on its exploitability, prevalence, and impact using a composite scoring method. This ensures that the top 10 most critical vulnerabilities are identified and prioritized for mitigation efforts. By combining these steps, the OWASP Top 10 is a widely accepted and authoritative resource for identifying and addressing software security risks.

Scene 5 (4m 48s)

[Audio] The following definitions will help us understand key security concepts. When discussing web application and database security, it is important to have a grasp on these fundamental terms. A vulnerability is a weakness in design, implementation, or configuration that can be taken advantage of. This includes vulnerabilities like SQL injection and cross-site scripting. A threat is any event or actor that could potentially cause harm. This can range from intentional attacks to accidental or environmental factors. However, a threat without a corresponding vulnerability is not actually harmful. In other words, without a weakness to exploit, there is no risk. It is crucial to conduct risk assessments in these situations. The risk assessment is determined by multiplying the likelihood of a threat exploiting a vulnerability by the potential impact on the organization. Finally, an exploit is a concrete technique or script that turns a hypothetical vulnerability into a real-world attack. By making it easier for attackers to launch successful attacks, exploits reduce the skill requirements for the attacker to almost nothing.

Scene 6 (6m 8s)

[Audio] The OWASP Top 10:2025 is a comprehensive overview of the most critical security risks that developers and professionals need to be aware of when working with web applications and databases. It provides a wide range of security vulnerabilities and risks that are commonly found in modern web applications. The top ten security risks include broken access control, security misconfiguration, software supply chain failures, cryptographic failures, injection, insecure design, authentication failures, software/data integrity failures, security logging and alerting, and mishandling exceptional conditions. These risks have been identified as having a significant impact on the security of web applications and databases. The OWASP Top 10:2025 is widely used by developers and professionals to identify and mitigate these risks. It is essential to regularly update and enhance one's knowledge on this topic through training and certification to ensure the safety and security of systems and data.

Scene 7 (7m 16s)

[Audio] The speaker explains that the OWASP Top 10 list ranks vulnerabilities based on their incidence rate. The speaker then presents a table showing the top 10 vulnerabilities ranked from highest to lowest incidence rate. The table shows the average percentage of occurrence for each vulnerability category. The speaker notes that the top three most common vulnerabilities are injection, integrity, and authentication-related issues. The speaker also highlights the importance of understanding the ranking of these vulnerabilities to prioritize remediation efforts.

Scene 8 (7m 54s)

[Audio] The Broken Access Control vulnerability occurs when authenticated users can access data or perform actions outside their authorized scope. This happens when privilege boundaries are collapsed due to inadequate enforcement mechanisms. One common mechanism exploited by attackers is Identity Manipulation (IDOR), where they change the sequential order of IDs in URLs to gain unauthorized access to sensitive information. To prevent this, it is essential to adopt a deny-by-default approach, denying access unless explicitly granted at the data layer. Additionally, verifying object ownership on every request, including those handled by the user interface, is crucial to maintaining proper access controls. By implementing these measures, organizations can significantly reduce the risk of this vulnerability.

Scene 9 (8m 51s)

[Audio] The security misconfiguration vulnerability allows attackers to exploit weaknesses in an organization's system configuration, resulting in potential data breaches and other security incidents. This type of vulnerability can be exploited through various means, including network scanning, exploiting default settings, and using cloud services with weak policies. Insecure or incomplete configurations can lead to issues such as exposing sensitive data, allowing unauthorized access, and creating opportunities for malware infections. A notable example of this type of vulnerability was the Capital One breach, which occurred due to a misconfigured web application firewall (WAF). The WAF allowed an attacker to perform a server-side request forgery (SSRF) attack, resulting in the exposure of sensitive customer information. To prevent this type of vulnerability, organizations should maintain a hardened baseline using CIS Benchmarks for every platform component. This includes ensuring that all default settings are changed, unnecessary services are disabled, and cloud policies are set to strict standards. Additionally, organizations should ensure that security headers are present and error messages are not exposed externally. By taking these steps, organizations can significantly reduce the risk of security incidents and protect their customers' sensitive information.

Scene 10 (10m 29s)

[Audio] The software supply chain failures refer to vulnerabilities that arise from third-party dependencies used in software applications. These vulnerabilities can be difficult to detect and address because they often involve complex relationships between different components. The Log4Shell vulnerability is an example of a critical Remote Code Execution (RCE) vulnerability in Apache Log4j that affected millions of enterprise apps due to their reliance on this transitive dependency. To prevent such failures, organizations can generate and maintain a Software Bill of Materials (SBOM). Organizations can also integrate tools like OWASP Dependency-Check, Snyk, or GitHub Dependabot into their Continuous Integration and Continuous Deployment (CI/CD) pipelines. Additionally, organizations can enforce failing builds above a certain CVSS threshold. This approach enables proactive identification and mitigation of software supply chain risks.

Scene 11 (11m 38s)

[Audio] The organization has been experiencing a series of security incidents involving encrypted data being transmitted over insecure channels. This has resulted in unauthorized access to sensitive information. The company has taken steps to address this issue but still faces challenges in securing its web application and database. The main challenge lies in identifying and mitigating the root cause of the problem. The organization uses Transport Layer Security (TLS) 1.1, which is considered outdated and vulnerable to attacks. Upgrading to TLS 1.2 or later would greatly improve the security of the system. However, implementing HSTS would require additional configuration and testing. The organization relies heavily on passwords for authentication purposes. Weak password hashing methods are used, making them susceptible to cracking. Implementing stronger password hashing methods like Argon2id, bcrypt, or scrypt would enhance the security of the system. Hardcoded credentials are also present in the codebase, which poses a significant risk to the system. Avoiding the hardcoding of sensitive information such as encryption keys by utilizing tools like HashiCorp Vault or AWS Secrets Manager can mitigate this risk. The organization needs to identify and address the root cause of the security incidents. This involves assessing the current security posture and implementing measures to strengthen it. A thorough analysis of the system's architecture and dependencies is necessary to determine the most effective solutions. The organization should prioritize the implementation of HSTS and the upgrade to TLS 1.2 or later. This would provide a significant improvement in the security of the system. Additionally, implementing stronger password hashing methods and avoiding the hardcoding of sensitive information would further enhance the security posture. By prioritizing the identification and mitigation of the root cause of the security incidents, the organization can significantly improve its overall security posture. This requires a comprehensive approach that addresses all identified vulnerabilities and weaknesses.

Scene 12 (14m 3s)

[Audio] The three main types of injection attacks are SQL Injection, OS Command Injection, and LDAP Injection. These types of attacks can occur when an attacker injects malicious code into our applications, potentially leading to significant security risks. SQL Injection occurs when an attacker injects malicious SQL code into a relational database, allowing them to execute arbitrary commands. This can happen with databases like MySQL, PostgreSQL, and Oracle. On the other hand, OS Command Injection allows an attacker to execute system-level commands using stored procedures. This type of attack can also lead to complete system compromise if not properly secured. LDAP Injection occurs when an attacker injects malicious code into directory services such as Active Directory, potentially bypassing authentication mechanisms. Furthermore, Template Engine Injection, often referred to as Server-Side Template Injection, can allow attackers to execute arbitrary code on the server-side, potentially leading to full remote code execution. It is essential to understand these types of injection attacks to ensure the security of our applications and systems.

Scene 13 (15m 30s)

[Audio] The use of parameterized queries has several advantages over traditional SQL queries. Firstly, parameterized queries allow users to pass variables to the database server, which makes it easier to write complex queries. Secondly, parameterized queries provide better protection against SQL injection attacks by separating the structure and data of the query. Thirdly, parameterized queries make it easier to handle large amounts of data, as they enable the use of prepared statements. Prepared statements allow the database server to optimize the query plan, resulting in faster execution times. Fourthly, parameterized queries reduce the risk of errors caused by incorrect syntax or formatting. Finally, parameterized queries improve the readability of SQL code, making it easier for developers to maintain and modify existing applications.

Scene 14 (16m 32s)

[Audio] In order to prevent attacks like SQL injection and cross-site scripting (XSS), developers should focus on designing secure systems from the ground up. This includes using secure coding practices, such as encryption and secure data storage, and implementing security measures like access controls and authentication protocols. Developers must also ensure that their systems are regularly updated and patched to stay current with emerging threats. Furthermore, developers should prioritize testing and validation to identify vulnerabilities and weaknesses in their designs. Regularly reviewing and updating the design of their systems will help them stay ahead of potential threats.

Scene 15 (17m 16s)

[Audio] The attackers use various methods to obtain sensitive information from users. One method is to trick users into revealing their login credentials through phishing emails or fake websites. Another method is to exploit weaknesses in software or hardware that allow attackers to bypass security measures. Attackers also use social engineering tactics to manipulate users into divulging sensitive information. For example, a scammer might call a victim and claim to be from a reputable company, asking for personal details. In addition, attackers may use malware to infect computers with malicious code that steals sensitive data. Malware can spread rapidly through networks, making it difficult to contain. Once infected, malware can steal sensitive information, such as credit card numbers, passwords, and other confidential data.

Scene 16 (18m 13s)

[Audio] In order to prevent software and data integrity failures, it is essential to understand the importance of verifying external code, data, or configuration artifacts before processing them. Without proper verification, systems can be vulnerable to various security threats, including insecure deserialization, unsigned software updates, and tampered CI/CD pipelines. These types of issues can lead to serious problems, such as arbitrary code execution or data corruption. For example, using `pickle.loads()` to execute arbitrary code poses a significant risk, whereas using `json.loads()` to parse data only provides a much safer alternative. Developers must take proactive measures to protect their systems from these types of attacks by implementing secure coding practices and verifying external inputs thoroughly.

Scene 17 (19m 12s)

[Audio] Logging without alerting is essentially useless when it comes to security. A system must log events in order to monitor its activity. However, this is insufficient on its own as it does not allow for any immediate response to potential threats. The lack of an alerting mechanism means that even if a threat is detected, there is no way to take swift action to mitigate it. In other words, logging alone is not enough; it needs to be accompanied by some form of alerting mechanism so that the system can respond appropriately. Without such a mechanism, the entire process becomes redundant and ineffective. Organizations should therefore prioritize implementing both logging and alerting mechanisms to ensure their systems remain secure.

Scene 18 (20m 3s)

[Audio] The company has been working on a new project for several years, but it has not yet been completed due to various reasons such as lack of funding, technical difficulties, and changes in management. The team has been trying to complete the project, but they have encountered numerous obstacles that hinder their progress. Despite these challenges, the team remains committed to completing the project and is actively seeking solutions to overcome the hurdles.

Scene 19 (20m 30s)

[Audio] OWASP has undergone significant changes since its inception in 2001. The organization's focus on providing free security knowledge to all has led to the development of various publications, including the OWASP Top 10. This document outlines the most critical web application risks and provides guidance on how to mitigate them. The OWASP Top 10 serves as an industry authority, offering vendor-neutral recommendations for improving web application security. In addition to the Top 10, other notable publications include the Application Security Verification Standard (ASVS) and the Web Security Testing Guide (WSTG). These resources provide developers with essential information on securing their applications. Furthermore, OWASP offers educational tools such as WebGoat and the Juice Shop, which offer vulnerable applications for testing purposes. By utilizing these resources, developers can enhance their skills and create more secure applications.

Scene 20 (21m 38s)

[Audio] The principle of least privilege is a fundamental concept in computer security. It states that users, processes, and components should have the minimum amount of access necessary to perform their functions. This approach helps prevent unauthorized access and reduces the risk of security breaches. The principle is often implemented through the use of role-based access control (RBAC) systems, where users are assigned specific roles that determine their level of access. By limiting privileges to only what is necessary, organizations can minimize the attack surface and reduce the likelihood of successful attacks. Limiting privileges also makes it easier to manage and monitor user activity, as well as detect and respond to potential security threats.

Scene 21 (22m 28s)

[Audio] Step 1: Understand the importance of validating user input. Never trust user input. All externally supplied data is treated as potentially hostile until it's explicitly validated against expected types, formats, and ranges. Step 2: Define allowlisting vs. denylisting. Allowlisting is when you define what is acceptable and reject anything else. Denylisting is weaker and should not be the primary control. Step 3: Apply the economy of mechanism principle. The economy of mechanism principle states that security implementations should be as simple as possible. Complex systems are more likely to have bugs and obscure vulnerabilities. Step 4: Use established security libraries. When implementing security, use well-maintained security libraries like Spring Security or OWASP ESAPI instead of custom implementation. Custom cryptography is usually incorrect.

Scene 22 (23m 40s)

[Audio] The speaker explains the key terms used in web application and database security engineering. Authentication is defined as the process of verifying a user's identity. This process must be established before authorization can occur. Authorization determines what actions a confirmed user can perform. Roles, permissions, and access control policies are crucial in this process. Encryption, hashing, static application security testing, and dynamic application security testing are also discussed. Clear definitions are provided for each term to ensure the audience understands their significance in securing web applications and databases. These explanations aim to provide a solid foundation in understanding the fundamental concepts of web application and database security engineering.

Scene 23 (24m 30s)

[Audio] The attacker has obtained authentication as an authorized user with id 5001. They have also obtained the id 5002, which appears to be unauthorized. This id can be accessed by the attacker using the id 5001, allowing them to access sensitive information or perform actions that would normally require elevated privileges. The lack of ownership check on the server prevents the attacker from being detected. Without proper ownership checks, the attacker can use the id 5002 to access resources that they would not normally have access to. This is a classic example of an IDOR (Identity-Based Access Control) attack, where the attacker uses their legitimate credentials to gain access to unauthorized areas or resources. By exploiting the absence of ownership checks, the attacker can bypass normal access controls and achieve their goals. The attacker's ability to obtain both ids 5001 and 5002 demonstrates a significant vulnerability in the system's security.

Scene 24 (25m 42s)

[Audio] The lab uses OWASP WebGoat 2024.x as the environment and can be executed offline. The necessary tools are Java JDK 11 and a modern browser, and Burp Suite Community Edition may also be used. The lab is expected to take 60 to 90 minutes and is suitable for beginners. To set up, one must install Java JDK 11, download WebGoat from GitHub releases, and run it on localhost:8080 while limiting access to prevent network exposure. The lab concentrates on two vulnerabilities: Broken Access Control through Identity-Based On-Demand Rules (IDOR) and SQL Injection with Authentication Bypass. Participants will learn how to exploit these vulnerabilities by manipulating their own profiles and changing the ID parameter in the URL to gain access to unauthorized records. They will also experiment with various payloads for SQL injection, such as `admin'--`, `' OR '1'='1`, and `' OR 1=1--`. By analyzing the queries retrieved from the database and writing corrected parameterized versions, students will gain practical experience in identifying and mitigating these types of vulnerabilities.

Scene 25 (27m 7s)

[Audio] OWASP is a non-profit organization founded in 2001 with the goal of providing free security knowledge to everyone. The organization has published several notable publications, including the OWASP Top 10, which provides a list of the most critical web application risks. The OWASP Top 10:2025 was derived from over 175000 unique CVE records and confirmed in January 2026. This edition supersedes the previous one and includes two new categories: A03 Software Supply Chain Failures and A10 Mishandling of Exceptional Conditions. The top three vulnerabilities have changed since the last edition, with Broken Access Control (A01) now encompassing both SSRF and CSRF. Security Misconfiguration has risen to second place, and six core secure coding principles have been introduced. The OWASP Top 10:2025 provides a comprehensive framework for identifying and mitigating web application security risks. It offers guidance on how to implement secure coding practices and protect against common web application attacks. The publication is widely recognized as a leading authority on web application security and is used by organizations around the world. The OWASP Top 10:2025 is an essential resource for anyone looking to improve the security of their web applications. It provides actionable advice and best practices for securing web applications and protecting against emerging threats. The publication is regularly updated to reflect changes in the threat landscape and emerging technologies. It is an invaluable resource for developers, security professionals, and anyone involved in the development and maintenance of web applications.