web_security_owasp 30 Q&As

Web Security OWASP FAQ & Answers

30 expert Web Security OWASP answers researched from official documentation. Every answer cites authoritative sources you can verify.

A

Use built-in framework session management (never build custom). Session ID: minimum 128 bits entropy, cryptographically secure random generation (crypto.randomBytes, secrets module, SecureRandom).

Most secure cookie configuration (OWASP 2025): Set-Cookie: __Host-SID=; path=/; Secure; HttpOnly; SameSite=Strict.

Cookie attributes: Secure (HTTPS only, mandatory), HttpOnly (prevent JavaScript document.cookie access - XSS defense), SameSite=Strict or Lax (CSRF protection), __Host- prefix (most restrictive - requires Secure, no Domain attribute, path=/ only - prevents subdomain attacks).

Session lifecycle: Regenerate session ID after login/privilege change (prevent session fixation), implement timeouts (idle: 30 min, absolute: 24 hours), invalidate server-side on logout (client-side cookie deletion insufficient).

Storage: Server-side session storage (Redis, database - never client-side), never embed session IDs in URLs (leak via Referer header, logs, browser history).

Token rotation (refresh tokens): Use one-time refresh tokens, rotate on each use, configure expiration policies, alert on concurrent logins. No switching between HTTP/HTTPS mid-session.

Framework examples: express-session (Node.js), Django session middleware, Spring Security, ASP.NET Core Identity - all provide secure defaults for 2025.

95% confidence
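
The lifecycle rules in the answer above (128-bit random ID, regeneration on login, idle and absolute timeouts, server-side invalidation) in one place. This is an added example, not code from the source or from any framework; SessionStore and session_cookie are hypothetical names, and the in-memory dict stands in for Redis or a database.

```python
import secrets
import time

IDLE_TIMEOUT = 30 * 60            # 30 minutes, as stated above
ABSOLUTE_TIMEOUT = 24 * 60 * 60   # 24 hours, as stated above


class SessionStore:
    """Hypothetical in-memory stand-in for a server-side store (Redis, database)."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so timeouts can be tested

    def create(self, user=None):
        sid = secrets.token_urlsafe(16)  # 16 bytes = 128 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def get(self, sid):
        """Return the live session, or None if unknown or past either timeout."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if (now - session["last_seen"] > IDLE_TIMEOUT
                or now - session["created"] > ABSOLUTE_TIMEOUT):
            del self._sessions[sid]
            return None
        session["last_seen"] = now
        return session

    def login(self, old_sid, user):
        """Issue a fresh ID on login so a fixated pre-login ID stops working."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid):
        """Invalidate server-side; clearing the cookie alone leaves the session live."""
        self._sessions.pop(sid, None)


def session_cookie(sid):
    # The __Host- prefix requires Secure, path=/ and no Domain attribute.
    return f"__Host-SID={sid}; path=/; Secure; HttpOnly; SameSite=Strict"
```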
A

XML External Entity (XXE): CWE-611 injection attack when application parses untrusted XML with external entity references enabled - attacker can access local files, perform SSRF, cause DoS. Ranked A04 in OWASP Top 10 2017 (merged into A03:2021 Injection).

Attack vectors:
(1) File disclosure: Define external entity ]>, reference &xxe; in XML → server reads /etc/passwd and includes in response.
(2) SSRF (Server-Side Request Forgery): Entity references internal service → bypass firewall, access cloud metadata (http://169.254.169.254/latest/meta-data/iam/security-credentials/).
(3) Billion Laughs DoS: Recursive entity expansion repeated 9 levels → exponential memory consumption, server crash.
(4) Out-of-band data exfiltration: Combine external DTD with parameter entities to send data to attacker server.

Real-world impact: CVE-2018-1000613 (Jira XXE), CVE-2019-0227 (Apache Axis), Facebook XXE disclosure (2014).

Prevention (2025 best practices):
(1) Disable DTDs entirely (safest): Java (DocumentBuilderFactory): factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true), Python (lxml): parser = etree.XMLParser(resolve_entities=False, no_network=True), .NET: XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit, PHP 8.0+ (libxml_disable_entity_loader deprecated - external entities disabled by default).
(2) Disable external entities if DTDs required: Java: factory.setFeature("http://xml.org/sax/features/external-general-entities", false), Python (defusedxml library recommended over standard xml.etree).
(3) Use less complex data formats: Prefer JSON over XML when possible (no entity expansion issues), use Protocol Buffers, MessagePack for binary data.
(4) Input validation: Whitelist allowed XML structure, maximum document size (prevent DoS), schema validation (XSD).
(5) Least privilege: XML parser runs with minimal file system permissions, network access restricted (no outbound connections).
(6) Modern frameworks: Spring Boot (default XXE protection since 5.3.0), ASP.NET Core (safe defaults), Jackson XML (safe by default).

Testing for XXE: Burp Suite (XXE detection), OWASP ZAP (active scanner), manual payload injection.

Compliance: CWE-611 (Improper Restriction of XML External Entity Reference), OWASP Top 10 A03:2021 (Injection), PCI-DSS 6.5.1 (injection flaws).

95% confidence
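
Prevention items (1) and (4) in the answer above, "disable DTDs entirely" plus a maximum document size, implemented with Python's standard-library expat bindings. This is an added example, not code from the source; parse_untrusted_xml, RejectedXML, the 64 KiB cap and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

MAX_XML_BYTES = 64 * 1024  # assumed size cap; tune per endpoint


class RejectedXML(ValueError):
    """Raised when a document is refused before or during parsing."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    raise RejectedXML(f"DOCTYPE declaration not allowed (root name {name!r})")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with DTDs prohibited outright."""
    if len(data) > MAX_XML_BYTES:
        raise RejectedXML("document exceeds size limit")
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    # expat calls this handler when it reaches "<!DOCTYPE", before any entity
    # is declared or resolved, so neither external entities nor nested
    # entity expansion are ever processed.
    parser.StartDoctypeDeclHandler = _reject_doctype
    # Feed elements and text straight into an ElementTree builder.
    # Namespace prefixes are left as written in this example.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc
    return builder.close()


# Constructed sample inputs (not from the page).
SAFE_DOC = b"<order><item sku='A1'>2</item></order>"
ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///constructed/placeholder">]>'
    b"<order><item>&xxe;</item></order>"
)
```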
A

Vulnerable and Outdated Components (A06:2021): Using libraries, frameworks, modules with known CVEs - extremely common attack vector.

Problems:
(1) Unknown inventory: Don't know what versions are deployed (frontend: package.json vs package-lock.json mismatch, backend: nested dependencies).
(2) Outdated/unsupported software: Log4j 1.x (EOL 2015), Spring 4 (EOL 2020), Node.js 14 (EOL April 2023).
(3) No vulnerability scanning: Not monitoring CVE/NVD for new exploits.
(4) Delayed patching: Log4Shell (CVE-2021-44228) took months to patch at many orgs.
(5) Component misconfiguration: Secure defaults not enabled (Elasticsearch exposed without auth).

Real-world impact: Equifax breach (Apache Struts CVE-2017-5638), Log4Shell (millions affected), Spring4Shell (CVE-2022-22965).

Prevention (2025 best practices):
(1) Remove unused dependencies: npm prune --production, pip-autoremove, Maven dependency:tree.
(2) Maintain SBOM (Software Bill of Materials): CycloneDX, SPDX formats - track all dependencies with versions.
(3) Automated scanning: Dependabot (GitHub), Renovate, Snyk, npm audit, pip-audit, OWASP Dependency-Check.
(4) CI/CD integration: Fail build if HIGH/CRITICAL CVEs detected (GitHub Advanced Security, GitLab Security Scanning).
(5) Continuous monitoring: Subscribe to security advisories (GitHub Security Advisories, NVD Data Feeds).
(6) Only use official sources: npm registry (not mirrors), PyPI, Maven Central - verify package signatures.
(7) Version pinning: Lock files (package-lock.json, Pipfile.lock, Gemfile.lock) prevent unexpected updates.
(8) Monitor unmaintained libraries: Detect abandoned packages (no commits >2 years, unpatched CVEs).

SCA tools (2025): Snyk, Sonatype Nexus Lifecycle, WhiteSource, JFrog Xray, GitHub Dependabot, GitLab Security Dashboard.

Supply chain attacks increasing: Compromised npm packages (colors, faker, ua-parser-js), malicious PyPI packages - verify before adding dependencies.

95% confidence
A

Authentication vs Authorization: Fundamental security concepts that are often confused but serve distinct purposes.

Authentication (A07:2021): Verifying identity - answering 'WHO are you?'. Methods:
(1) Something you know: Password, PIN, security questions (weakest alone).
(2) Something you have: Hardware token, smartphone app (TOTP), smart card, email/SMS code.
(3) Something you are: Biometrics (fingerprint, face recognition, iris scan).
(4) Somewhere you are: Geolocation, IP address (supplementary).
Multi-Factor Authentication (MFA): Combines 2+ methods from different categories (password + TOTP = strong authentication). Examples: Login with username/password proves you are '[email protected]', OAuth login with Google proves you own that Google account, mTLS certificate proves server identity. OWASP category: Identification and Authentication Failures (A07:2021) - broken authentication.

Authorization (A01:2021): Verifying permissions - answering 'WHAT can you do?'. Happens AFTER authentication. Access control models:
(1) Role-Based Access Control (RBAC): User assigned roles (admin, editor, viewer), roles have permissions (admin: delete users, editor: edit content, viewer: read only). Example: User 'alice' has role 'admin' → can access /admin/users endpoint.
(2) Attribute-Based Access Control (ABAC): Permissions based on attributes (user department, resource owner, time of day, IP address). Example: Allow access if user.department == resource.department AND time >= 9am AND time <= 5pm.
(3) Access Control Lists (ACL): Permissions attached to each resource. Example: Document 'report.pdf' allows ['alice', 'bob'] to read, ['alice'] to write.
(4) Permission-based: Granular permissions (users.create, users.delete, posts.publish). Example: User has permission 'posts.publish' → can publish blog posts.
OWASP category: Broken Access Control (A01:2021) - #1 risk, affects 94% of applications.

Critical differences: Authentication: Happens ONCE at login (establishes session). Authorization: Checked on EVERY request (continuous verification). Authentication: Binary (you are authenticated or not). Authorization: Granular (different permissions for different resources).

Common vulnerabilities:
(1) Insecure Direct Object References (IDOR): Authenticated user accesses other users' data by changing ID. Example: GET /api/users/123/profile (attacker changes 123 to 456, accesses victim's profile). Broken authorization - no check if user 123 can access user 456's data.
(2) Privilege escalation: Regular user accesses admin functionality. Example: POST /api/admin/delete-user (no check if user has admin role).
(3) Missing function-level access control: Admin-only function exposed to all authenticated users.
(4) Horizontal privilege escalation: User A accesses User B's resources (same privilege level).
(5) Vertical privilege escalation: Regular user gains admin privileges.

Best practices (2025):
(1) Authenticate first, authorize every request: Never skip authorization checks after authentication.
(2) Deny by default: Explicitly allow access, reject everything else.
(3) Never trust client-side checks: Validate permissions server-side (client can be manipulated).
(4) Use centralized authorization: Single point of enforcement (middleware, decorators, filters). Example: Express.js: requireAuth middleware (authentication), requireRole('admin') middleware (authorization).
(5) Principle of least privilege: Grant minimum necessary permissions.
(6) Separation of duties: Critical actions require multiple approvers.

Framework implementations: Spring Security: @PreAuthorize("hasRole('ADMIN')"), Django: @login_required (auth), @permission_required('app.delete_user') (authz), ASP.NET Core: [Authorize(Roles = "Admin")], Node.js Passport: passport.authenticate() (auth) + custom middleware (authz).

Real-world examples: Facebook Cambridge Analytica (authorization failure - apps accessed excessive user data), Uber 2016 breach (authentication failure - stolen credentials), Capital One 2019 (authorization failure - SSRF + overprivileged IAM role).

Testing: Authentication: Test credential validation, MFA bypass, session fixation, brute force. Authorization: Test IDOR, privilege escalation, missing access controls, horizontal/vertical access violations.

Compliance: Authentication (A07:2021), Authorization (A01:2021), PCI-DSS (6.5.8 - access control, 8.x - authentication), SOC 2 CC6.1 (logical access controls).

95% confidence
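
Best practices (1) to (4) in the answer above applied to its two endpoint examples: a single server-side decorator that denies by default, checked on every call, which closes both the IDOR on /api/users/123/profile and the missing role check on /api/admin/delete-user. This is an added example, not code from the source or from any framework; authorize, the handler functions and the sample users and permissions are constructed.

```python
from functools import wraps


class Unauthenticated(Exception):
    """No verified identity on the request (authentication failure)."""


class Forbidden(Exception):
    """Identity is known but lacks permission (authorization failure)."""


# Constructed sample data: role -> permissions. Unknown roles get nothing.
ROLE_PERMISSIONS = {"admin": {"users.read_any", "users.delete"}, "viewer": set()}
PROFILES = {123: {"name": "alice"}, 456: {"name": "bob"}}


def authorize(permission=None, owner_param=None):
    """Single enforcement point, evaluated on every call to a handler.

    Access is granted only if the caller's role holds `permission`, or the
    resource ID passed as `owner_param` is the caller's own ID. Everything
    else is denied.
    """
    def decorator(handler):
        @wraps(handler)
        def wrapper(current_user, **params):
            if current_user is None:
                raise Unauthenticated("login required")
            granted = ROLE_PERMISSIONS.get(current_user["role"], set())
            if permission is not None and permission in granted:
                return handler(current_user, **params)
            if owner_param is not None and params.get(owner_param) == current_user["id"]:
                return handler(current_user, **params)
            raise Forbidden(f"{handler.__name__} denied for user {current_user['id']}")
        return wrapper
    return decorator


# GET /api/users/<user_id>/profile: own profile, or any profile with users.read_any
@authorize(permission="users.read_any", owner_param="user_id")
def get_profile(current_user, user_id):
    return PROFILES[user_id]


# POST /api/admin/delete-user: permission only, no ownership shortcut
@authorize(permission="users.delete")
def delete_user(current_user, user_id):
    return PROFILES.pop(user_id)
```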
A

A01 Broken Access Control (remains #1, 3.73% average detection rate across 40 CWEs), A02 Cryptographic Failures, A03 Software Supply Chain Failures (NEW - expands 2021's Vulnerable Components, covers dependencies, build systems, distribution), A04 Injection (includes SQL, NoSQL, OS command, XPath, ORM injection), A05 Insecure Design, A06 Security Misconfiguration, A07 Identification and Authentication Failures, A08 Software and Data Integrity Failures, A09 Security Logging and Monitoring Failures, A10 Mishandling of Exceptional Conditions (NEW - 24 CWEs for error handling, failing open, logical errors). OWASP Top 10:2025 RC1 released Nov 6, 2025, analyzing 2.8M+ applications across 589 CWEs (vs 400 in 2021). Final version expected 2026.

95% confidence
A

X-Frame-Options: HTTP response header controlling whether browser allows page to be displayed in ,