OWASP Top 10 Reference

Free reference guide: OWASP Top 10 Reference

About OWASP Top 10 Reference

The OWASP Top 10 Reference is a searchable security guide covering the most critical web application vulnerabilities. It includes injection attacks (SQL, blind SQL, command, LDAP, NoSQL), authentication flaws (brute force, session fixation, credential stuffing, JWT misconfiguration), XSS variants (reflected, stored, DOM-based, filter bypass), IDOR patterns, security misconfigurations (missing headers, debug mode, default credentials, CORS), and vulnerable components (dependencies, supply chain, SSRF, CSRF).

Designed for security engineers, penetration testers, and web developers, each entry shows the attack vector with real exploit examples alongside concrete mitigation code in JavaScript, Python, and configuration snippets.

All 26 entries are organized into six categories -- Injection, Authentication, XSS, IDOR, Misconfiguration, and Components -- making it fast to find specific vulnerabilities during security audits, code reviews, or CTF competitions.

Key Features

  • SQL injection variants: classic, blind (boolean and time-based), and NoSQL injection with mitigation code
  • XSS attack reference: reflected, stored, DOM-based, and filter bypass payloads with CSP defenses
  • Authentication attack patterns: brute force, session fixation, credential stuffing, and JWT exploits
  • IDOR vulnerability examples in REST APIs with proper server-side authorization fixes
  • Security header checklist: HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy
  • Supply chain attack awareness: typosquatting, dependency auditing tools (npm audit, Snyk, pip-audit)
  • SSRF and CSRF attack mechanics with defense strategies (URL whitelisting, CSRF tokens, SameSite cookies)
  • Searchable across all categories with instant keyword filtering for quick vulnerability lookup

Frequently Asked Questions

What vulnerabilities does this OWASP reference cover?

It covers injection attacks (SQL, blind SQL, command, LDAP, NoSQL), authentication flaws (brute force, session fixation, credential stuffing, JWT misconfiguration), all XSS types (reflected, stored, DOM-based, filter bypass), IDOR patterns, security misconfigurations (missing headers, debug mode, default credentials, CORS), and vulnerable components (dependency vulnerabilities, supply chain attacks, SSRF, CSRF).

Does this reference include both attack and defense examples?

Yes. Each entry shows the attack vector with an exploit example, followed by concrete mitigation strategies. For example, SQL injection entries include both the malicious input payload and the parameterized query fix using prepared statements.

What is the difference between reflected, stored, and DOM-based XSS?

Reflected XSS injects a script via URL parameters that is immediately reflected in the response. Stored XSS saves the malicious script in the database (e.g., in a comment) and executes it when other users view the content. DOM-based XSS manipulates the client-side DOM directly without server involvement, typically through innerHTML assignments.

How do I prevent SQL injection?

Use parameterized queries (prepared statements) instead of string concatenation. For example, use "db.prepare('SELECT * FROM users WHERE name = ?')" and pass user input as a parameter. Additionally, implement input validation, use WAF rules, and apply the principle of least privilege for database accounts.
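The contrast between string concatenation and a parameterized query, as an added example that is not code from the reference itself: it uses Python's built-in sqlite3 module, whose `?` placeholder matches the `db.prepare('... WHERE name = ?')` style quoted above. The table, rows, and the tautology test input are all constructed for the demonstration.

```python
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table; not a schema from the guide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """The 'before' pattern: user input is spliced into the SQL text itself."""
    query = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Parameterized query: the driver binds `name` as a value, never as SQL syntax."""
    query = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def demo() -> dict[str, int]:
    """Row counts returned by each variant for an honest name and for a tautology input."""
    conn = make_db()
    honest = "bob"
    # Constructed test input: closes the string literal and appends an always-true condition.
    tautology = "' OR '1'='1"
    return {
        "vulnerable_honest": len(find_user_vulnerable(conn, honest)),
        "vulnerable_tautology": len(find_user_vulnerable(conn, tautology)),
        "safe_honest": len(find_user_safe(conn, honest)),
        "safe_tautology": len(find_user_safe(conn, tautology)),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version returns every row for the tautology input because the condition becomes `name = '' OR '1'='1'`; the parameterized version returns nothing because it looks for a user literally named `' OR '1'='1`. The fix is the binding, not escaping: no quoting rules have to be right for the safe variant to stay safe.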

What security headers should every web application have?

At minimum: Strict-Transport-Security (HSTS) to enforce HTTPS, Content-Security-Policy (CSP) to prevent XSS, X-Content-Type-Options: nosniff to prevent MIME sniffing, X-Frame-Options: DENY to prevent clickjacking, and Referrer-Policy: strict-origin to control referrer leakage.
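A small checker for that minimum header set, added here as an example and not taken from the reference: it takes a response's headers as a dict and reports each required header as missing or weak. The baseline values are the ones the answer names; the acceptance rules (accepting `SAMEORIGIN` alongside `DENY`, flagging `'unsafe-inline'` in CSP, requiring a positive HSTS `max-age`) and the two sample responses are this example's own.

```python
from __future__ import annotations

import re
from typing import Callable


def _hsts_ok(value: str) -> bool:
    """HSTS only enforces HTTPS while max-age is positive; max-age=0 clears the policy."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) > 0


def _csp_ok(value: str) -> bool:
    """A CSP that allows 'unsafe-inline' does not stop injected inline scripts."""
    v = value.lower()
    return ("default-src" in v or "script-src" in v) and "'unsafe-inline'" not in v


# Header name (lower-cased) -> predicate that decides whether its value is acceptable.
REQUIRED_HEADERS: dict[str, Callable[[str], bool]] = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower()
    in ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
}


def audit_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return {header: 'missing' | 'weak'} for every required header that fails.

    An empty dict means the response meets the minimum set. Header names are
    matched case-insensitively, as HTTP requires.
    """
    normalized = {k.lower(): v for k, v in headers.items()}
    findings: dict[str, str] = {}
    for name, acceptable in REQUIRED_HEADERS.items():
        if name not in normalized:
            findings[name] = "missing"
        elif not acceptable(normalized[name]):
            findings[name] = "weak"
    return findings


# Constructed sample responses for the demonstration.
GOOD_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin",
}

BAD_RESPONSE = {
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",
}


if __name__ == "__main__":
    print("good:", audit_headers(GOOD_RESPONSE))
    print("bad: ", audit_headers(BAD_RESPONSE))
```

Feed it the headers from a real response (for example `dict(resp.headers)` from an HTTP client) to get a quick pass/fail list during a review; the predicates are deliberately simple and should be tightened to your own policy.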

How does CSRF protection work?

CSRF is prevented by requiring a unique, server-generated token in every state-changing request (POST, PUT, DELETE). The server validates the token before processing the request. Additionally, setting the SameSite attribute on cookies (Lax or Strict) stops browsers from attaching cookies to cross-site requests, so a forged request arrives without the victim's session.
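Both layers in working form, as an added example rather than code from the reference: a synchronizer token bound to the session with an HMAC (so a token issued for one session is rejected in another), constant-time comparison, a dispatcher that only demands the token on state-changing methods, and a session cookie carrying SameSite, HttpOnly and Secure. The secret key, the session id and the request shapes are constructed for the demonstration; a real application loads the key from configuration and stores session state server-side.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Constructed for the demo: in production this comes from configuration, not a fresh value per process.
SERVER_SECRET = secrets.token_bytes(32)

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id:nonce).

    Binding the MAC to the session id means a token captured from one session
    cannot be replayed against another, and the server needs no token storage.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_request(method: str, session_id: str, form: dict[str, str]) -> tuple[int, str]:
    """Minimal dispatcher: safe methods pass, state-changing ones need a valid token."""
    if method.upper() not in STATE_CHANGING:
        return 200, "ok"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "csrf token missing or invalid"
    return 200, "state changed"


def session_cookie(session_id: str) -> str:
    """Set-Cookie value for the session.

    SameSite=Lax keeps the cookie off cross-site POSTs but still sends it on
    top-level GET navigations, which is why the token check above stays in place
    and why nothing state-changing should be reachable via GET.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    return cookie.output(header="").strip()


if __name__ == "__main__":
    sid = "sess-123"  # constructed session id
    token = issue_csrf_token(sid)
    print(session_cookie(sid))
    print(handle_request("POST", sid, {}))
    print(handle_request("POST", sid, {"csrf_token": token}))
    print(handle_request("POST", "sess-999", {"csrf_token": token}))
```

The token is embedded in the form (or sent as a request header by a script on the same origin) and checked on every state-changing request; the cookie attributes are the second, independent layer, so a gap in either one alone does not open the application to forged requests.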

How can I detect vulnerable dependencies in my project?

Use tools like npm audit (Node.js), pip-audit or safety check (Python), and Snyk for multi-language scanning. Enable GitHub Dependabot for automated vulnerability alerts. Always use lock files (package-lock.json, poetry.lock) and consider running an internal package registry.

Is this OWASP Top 10 reference free?

Yes, completely free with no account or download required. All content loads in your browser with zero server interaction. It is part of liminfo.com's collection of free security and developer tools.