### MkDocs Configuration Example Source: https://github.com/owasp/top10/blob/master/CONTRIBUTING.md Example of an MkDocs configuration file for a new version of the OWASP Top 10. This includes site name, URL, and other settings. ```yaml site_name: OWASP Top 10:2028 site_url: https://owasp.org/Top10/2028/ # ... rest of configuration ``` -------------------------------- ### Install Python Requirements Source: https://github.com/owasp/top10/blob/master/CONTRIBUTING.md Run this command once to set up the necessary Python dependencies for building the project. ```bash make install-python-requirements ``` -------------------------------- ### Secure Account Recovery with Time-based OTP Source: https://context7.com/owasp/top10/llms.txt Implement time-based One-Time Passwords (TOTP) for secure account recovery, avoiding insecure knowledge-based questions. This example uses the `pyotp` library. ```python # INSECURE DESIGN: knowledge-based account recovery (NIST 800-63b prohibited) # "What is your mother's maiden name?" — attackable via social media # SECURE DESIGN: time-based OTP via authenticator app import pyotp secret = pyotp.random_base32() # Store per-user during registration totp = pyotp.TOTP(secret) # Verify during recovery: if not totp.verify(user_provided_otp, valid_window=1): raise AuthenticationError("Invalid OTP") ``` -------------------------------- ### Security Misconfiguration: Secure HTTP Headers Source: https://context7.com/owasp/top10/llms.txt Provides examples of essential HTTP security headers that should be configured to protect against various web vulnerabilities. ```http Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Content-Security-Policy: default-src 'self' X-Content-Type-Options: nosniff X-Frame-Options: DENY Referrer-Policy: no-referrer ``` -------------------------------- ### Secure Structured Logging with Context and Alerting Source: https://context7.com/owasp/top10/llms.txt Implement structured logging with context, avoiding secrets and setting alerting thresholds. This example logs security events with relevant details and includes logic for detecting and responding to brute-force attacks. ```python import logging, json from datetime import datetime logger = logging.getLogger("security") handler = logging.StreamHandler() handler.setFormatter(logging.Formatter('%(message)s')) logger.addHandler(handler) def log_security_event(event_type, user_id, ip, success, details=None): logger.warning(json.dumps({ "timestamp": datetime.utcnow().isoformat(), "event_type": event_type, "user_id": user_id, # ID, not username/password "source_ip": ip, "success": success, "details": details # Never include passwords or PII })) # Track and alert on repeated failures (credential stuffing detection) FAILED_LOGIN_THRESHOLD = 10 failed_attempts = redis.incr(f"failed_login:{ip_address}") redis.expire(f"failed_login:{ip_address}", 300) # 5-minute window if failed_attempts >= FAILED_LOGIN_THRESHOLD: log_security_event("brute_force_detected", None, ip_address, False, {"attempts": failed_attempts}) send_alert_to_soc("Brute force detected", ip_address) block_ip_temporarily(ip_address) ``` -------------------------------- ### Broken Access Control: Front-end Bypass Example Source: https://context7.com/owasp/top10/llms.txt Illustrates bypassing front-end access controls using a tool like curl, indicating that authorization checks must be performed on the server. ```bash curl https://example.com/app/admin_getappInfo # Returns 200 OK with admin data — server never checked authorization ``` -------------------------------- ### Enforcing Business Logic Constraints for Bookings Source: https://context7.com/owasp/top10/llms.txt Prevent abuse by enforcing business logic constraints server-side. This example demonstrates limiting the number of seats per booking to prevent resource exhaustion. ```python # INSECURE DESIGN: group booking allows arbitrary seat reservation # No check on total seats per session → attacker books 600 seats POST /bookings body: {"seats": 600, "session_id": "abc123"} # SECURE DESIGN: business logic constraint enforced server-side MAX_SEATS_PER_BOOKING = 15 if request.seats > MAX_SEATS_PER_BOOKING: return 400, {"error": "Maximum 15 seats per booking"} # Also: validate available inventory atomically with a DB transaction ``` -------------------------------- ### Secure Password Comparison and Rate Limiting Source: https://context7.com/owasp/top10/llms.txt Use bcrypt for secure password comparison and Flask-Limiter for rate limiting to prevent brute-force attacks. This example also shows how to prevent username enumeration by providing a consistent response for invalid credentials. ```python from bcrypt import checkpw from flask_limiter import Limiter limiter = Limiter(app, key_func=get_remote_address) @app.route("/login", methods=["POST"]) @limiter.limit("5 per minute") # Rate-limit to prevent brute force def login(): user = User.query.filter_by(username=request.form["username"]).first() # Same response for missing user and wrong password (prevents enumeration) if not user or not checkpw(request.form["password"].encode(), user.password_hash): return {"error": "Invalid username or password"}, 401 # Generate new session ID after login (prevents session fixation, CWE-384) session.regenerate() return {"token": generate_secure_session_token()}, 200 ``` -------------------------------- ### Broken Access Control: Insecure Direct Object Reference Example Source: https://context7.com/owasp/top10/llms.txt Demonstrates an attacker changing their own account ID to access another user's data. This highlights the need for server-side authorization checks. ```http GET /app/accountInfo?acct=notmyacct HTTP/1.1 Host: example.com ``` -------------------------------- ### URL for Account Information Access Source: https://github.com/owasp/top10/blob/master/osib/docs/A01_2021-Broken_Access_Control.md This is an example of a URL that an attacker might use to attempt to access account information. If the 'acct' parameter is not properly validated on the server-side, an attacker could potentially view any user's account details. ```url https://example.com/app/accountInfo?acct=notmyacct ``` -------------------------------- ### Build and Serve Commands Source: https://github.com/owasp/top10/blob/master/REORGANIZATION-2025.md Commands for building and serving the 2021 and 2025 versions of the OWASP Top 10 site locally. ```bash # Build only 2021 make build-2021 # Build only 2025 make build-2025 # Build and serve both versions together (port 8000) make serve # Serve individual versions with live-reload make serve-2021 # Port 8000 make serve-2025 # Port 8001 ``` -------------------------------- ### Security Misconfiguration: Default Admin Credentials Attack Source: https://context7.com/owasp/top10/llms.txt An example of attacking a web application using default administrative credentials. This highlights the risk of not changing default passwords. ```bash curl -X POST https://example.com/admin/login \ -d "username=admin&password=admin" # Returns 200 OK with admin session token ``` -------------------------------- ### Deploy to GitHub Pages Source: https://github.com/owasp/top10/blob/master/CONTRIBUTING.md Builds all versions of the OWASP Top 10 site and deploys them to the `gh-pages` branch, making them live on GitHub Pages. ```bash make publish ``` -------------------------------- ### Broken Access Control: Forced Browsing Example Source: https://context7.com/owasp/top10/llms.txt Shows an unauthenticated user attempting to access a restricted admin endpoint. This requires server-side validation to prevent unauthorized access. ```http GET /app/admin_getappInfo HTTP/1.1 Host: example.com ``` -------------------------------- ### Build and Serve Both Versions Source: https://github.com/owasp/top10/blob/master/CONTRIBUTING.md Builds and serves both the 2021 and 2025 versions of the OWASP Top 10 site locally on port 8000. Useful for development and testing. ```bash make all # Install dependencies and build both sites make build-all # Just build both sites make serve # Builds and serves both versions on port 8000 ``` -------------------------------- ### Build Individual Versions for Production Source: https://github.com/owasp/top10/blob/master/CONTRIBUTING.md Builds a specific version of the OWASP Top 10 site into its respective output directory. Use for generating production-ready static sites. ```bash make build-2021 # Builds to build/2021/ make build-2025 # Builds to build/2025/ ``` -------------------------------- ### Preventing SQL Injection with Parameterized Queries Source: https://context7.com/owasp/top10/llms.txt Use parameterized queries to prevent SQL injection. This example shows a vulnerable string concatenation approach and a secure prepared statement. ```java // VULNERABLE: SQL injection via string concatenation (CWE-89) String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; // Attacker input: ' OR '1'='1 → returns all rows // VULNERABLE: ORM injection via HQL (CWE-564) Query hql = session.createQuery( "FROM accounts WHERE custID='" + request.getParameter("id") + "'" ); // Attacker: ' OR custID IS NOT NULL OR custID=' → bypasses filter // VULNERABLE: OS command injection (CWE-78) String cmd = "nslookup " + request.getParameter("domain"); Runtime.getRuntime().exec(cmd); // Attacker: example.com; cat /etc/passwd // SECURE: parameterized query (prevents SQL injection) PreparedStatement ps = conn.prepareStatement( "SELECT * FROM accounts WHERE custID = ?" ); ps.setString(1, request.getParameter("id")); ResultSet rs = ps.executeQuery(); // SECURE: JPA named parameters (prevents ORM injection) TypedQuery q = em.createQuery( "FROM Account a WHERE a.custID = :custId", Account.class ); q.setParameter("custId", request.getParameter("id")); // SECURE: avoid OS commands; use library instead InetAddress addr = InetAddress.getByName(validatedDomain); // No shell ``` -------------------------------- ### Example SQL Injection Attack URL Source: https://github.com/owasp/top10/blob/master/osib/docs/A03_2021-Injection.md This URL demonstrates how an attacker might modify a parameter to exploit a SQL injection vulnerability, aiming to alter the query's logic. ```http http://example.com/app/accountView?id=' UNION SELECT SLEEP(10);-- ``` -------------------------------- ### Create New Version Directory Structure Source: https://github.com/owasp/top10/blob/master/CONTRIBUTING.md Command to create the basic directory structure for a new version of the OWASP Top 10 site. ```bash mkdir -p 2028/docs/en/ ``` -------------------------------- ### Build Both Versions Command Source: https://github.com/owasp/top10/blob/master/REORGANIZATION-2025.md Commands to build both the 2021 and 2025 sites, including the generation of necessary redirects. ```bash # Build both sites with redirects make build-all # Or use the script directly ./scripts/build-all.sh ``` -------------------------------- ### Serve Project with Custom Port Source: https://github.com/owasp/top10/blob/master/CONTRIBUTING.md If the default serve port is already in use, use this command to specify an alternative port. Alternatively, manually stop the process occupying the port. ```bash make serve-2021 port=8080 ``` -------------------------------- ### Insecure Logging of Sensitive Data Source: https://context7.com/owasp/top10/llms.txt Avoid logging sensitive information such as passwords or personally identifiable information (PII). This example demonstrates an insecure practice of logging failed login attempts with sensitive details. ```python # INSECURE: logging sensitive data (CWE-532) and no alert on failed logins print(f"Login failed for user {username} with password {password}") # PII + secret in log ``` -------------------------------- ### Serve Specific Version with Live Reload Source: https://github.com/owasp/top10/blob/master/CONTRIBUTING.md Serves a specific version of the OWASP Top 10 site with live-reload enabled for rapid development. Each version is served on a different port. ```bash make serve-2021 # Serve 2021 version on port 8000 make serve-2025 # Serve 2025 version on port 8001 ``` -------------------------------- ### Directory Structure for OWASP Top 10 Source: https://github.com/owasp/top10/blob/master/REORGANIZATION-2025.md Illustrates the organization of project files for both 2021 and 2025 versions, including documentation, assets, and configuration files. ```tree /2021/ ├── docs/ │ ├── en/ │ │ ├── A01_2021-*.md # 2021 content only │ │ └── index.md │ └── assets/ # 2021 assets only └── mkdocs.yml # 2021-only config /2025/ ├── docs/ │ ├── en/ │ │ ├── 0x00_2025-*.md # 2025 content │ │ ├── A01_2025-*.md │ │ └── index.md │ └── assets/ │ ├── 2025-*.png # 2025 assets │ └── css/RC-stylesheet.css # 2025 CSS └── mkdocs.yml # 2025-only config /scripts/ ├── build-all.sh # Build orchestration ├── generate-redirects.sh # Redirect generation └── index-redirect.html # Root redirect template ``` -------------------------------- ### Verify Artifact Signatures (npm Provenance) Source: https://context7.com/owasp/top10/llms.txt Verify package registry signatures using `npm audit signatures` to ensure the integrity and authenticity of installed packages. This helps prevent the use of tampered artifacts. ```bash # Prevention: verify artifact signatures before use (npm provenance) npm install --prefer-dedupe npm audit signatures # Verify package registry signatures ``` -------------------------------- ### Security Misconfiguration: Public S3 Bucket Attack Source: https://context7.com/owasp/top10/llms.txt An example of an attack targeting an S3 bucket with public read access, potentially exposing sensitive documents. Cloud storage permissions must be strictly configured. ```bash curl https://my-company-bucket.s3.amazonaws.com/ # Returns full bucket listing with sensitive documents ``` -------------------------------- ### Generate Software Bill of Materials (SBOM) Source: https://context7.com/owasp/top10/llms.txt Generate a Software Bill of Materials (SBOM) using CycloneDX to list all direct and transitive dependencies with their versions. This helps in tracking and managing software components. ```bash # Generate Software Bill of Materials (SBOM) with CycloneDX npm install -g @cyclonedx/cyclonedx-npm cyclonedx-npm --output-file sbom.json # Produces SBOM listing all direct + transitive dependencies with versions ``` -------------------------------- ### Elasticsearch Query for Suspicious Activity Source: https://context7.com/owasp/top10/llms.txt An example Elasticsearch query to find suspicious activity, specifically identifying IPs with multiple failed logins within a recent time window. This query is useful for detecting brute-force attempts. ```json { "query": { "bool": { "must": [ {"term": {"event_type": "login_failed"}}, {"range": {"timestamp": {"gte": "now-5m"}}} ] } }, "aggs": {"by_ip": {"terms": {"field": "source_ip", "min_doc_count": 10}}} } ```