Top Web Vulnerabilities Analysis

A comprehensive security skill for identifying, testing, and remediating the most critical web application vulnerabilities based on OWASP Top 10 and real-world attack patterns.

When to Use

Choose Top Web Vulnerabilities when:

• Conducting web application security assessments against OWASP standards
• Training development teams on secure coding practices and common pitfalls
• Building vulnerability checklists for pre-deployment security reviews
• Performing structured penetration testing with documented methodology

Consider alternatives when:

• You need automated scanning without manual analysis — use a dedicated scanner like OWASP ZAP
• Focusing exclusively on API security — use an API-specific testing tool
• Working on mobile application security — use mobile-focused SAST/DAST tools

Quick Start

Copy
# Test for SQL injection on a parameter
sqlmap -u "https://target.com/search?q=test" --batch --level=3

# Check for XSS reflection points
echo '<script>alert(1)</script>' | hakrawler -u https://target.com -d 2

Copy
# Automated OWASP Top 10 check script
import requests
from urllib.parse import urljoin

class OWASPChecker:
    def __init__(self, base_url):
        self.base_url = base_url
        self.session = requests.Session()
        self.findings = []

    def check_injection(self, endpoint, param):
        """A01:2021 - Injection"""
        payloads = ["' OR '1'='1", "1; DROP TABLE users--", "{{7*7}}"]
        for payload in payloads:
            resp = self.session.get(
                urljoin(self.base_url, endpoint),
                params={param: payload}
            )
            if payload.replace("'", "") in resp.text or "49" in resp.text:
                self.findings.append({
                    "category": "A01-Injection",
                    "endpoint": endpoint,
                    "parameter": param,
                    "payload": payload,
                    "severity": "Critical"
                })

    def check_broken_auth(self, login_endpoint):
        """A07:2021 - Authentication Failures"""
        weak_creds = [
            ("admin", "admin"), ("admin", "password"),
            ("root", "root"), ("test", "test123")
        ]
        for user, pwd in weak_creds:
            resp = self.session.post(
                urljoin(self.base_url, login_endpoint),
                data={"username": user, "password": pwd}
            )
            if resp.status_code == 200 and "dashboard" in resp.url:
                self.findings.append({
                    "category": "A07-Auth-Failure",
                    "detail": f"Weak credentials accepted: {user}:{pwd}",
                    "severity": "High"
                })

    def check_security_headers(self):
        """A05:2021 - Security Misconfiguration"""
        resp = self.session.get(self.base_url)
        required_headers = {
            "Strict-Transport-Security": "HSTS missing",
            "X-Content-Type-Options": "MIME sniffing possible",
            "X-Frame-Options": "Clickjacking possible",
            "Content-Security-Policy": "No CSP policy"
        }
        for header, issue in required_headers.items():
            if header not in resp.headers:
                self.findings.append({
                    "category": "A05-Misconfiguration",
                    "detail": issue,
                    "severity": "Medium"
                })

    def generate_report(self):
        critical = [f for f in self.findings if f["severity"] == "Critical"]
        high = [f for f in self.findings if f["severity"] == "High"]
        print(f"Findings: {len(critical)} Critical, {len(high)} High, "
              f"{len(self.findings) - len(critical) - len(high)} Medium/Low")
        return self.findings

Core Concepts

OWASP Top 10 (2021) Categories

Rank	Category	Description	Test Approach
A01	Broken Access Control	Unauthorized access to resources	IDOR testing, privilege escalation
A02	Cryptographic Failures	Weak encryption, exposed secrets	SSL/TLS analysis, data exposure checks
A03	Injection	SQL, NoSQL, OS command, LDAP	Parameterized payload testing
A04	Insecure Design	Missing security controls by design	Threat modeling, architecture review
A05	Security Misconfiguration	Default configs, open cloud storage	Header checks, service enumeration
A06	Vulnerable Components	Outdated libraries with known CVEs	Dependency scanning, SCA tools
A07	Auth Failures	Weak passwords, session issues	Credential testing, session analysis
A08	Software Integrity	Untrusted updates, CI/CD exploits	Supply chain analysis
A09	Logging Failures	Missing audit trails	Log review, monitoring gaps
A10	SSRF	Server-side request forgery	Internal endpoint probing

Common Attack Vectors

Copy
# SSRF Detection (A10)
ssrf_payloads = [
    "http://169.254.169.254/latest/meta-data/",  # AWS metadata
    "http://127.0.0.1:8080/admin",                # Localhost bypass
    "http://[::1]/internal",                       # IPv6 localhost
    "file:///etc/passwd",                          # File protocol
]

def test_ssrf(target_url, param_name):
    for payload in ssrf_payloads:
        resp = requests.get(target_url, params={param_name: payload})
        if resp.status_code == 200 and len(resp.content) > 100:
            print(f"[!] Potential SSRF: {param_name}={payload}")
            print(f"    Response length: {len(resp.content)}")

Configuration

Option	Description	Default
scan_depth	How many levels deep to test endpoints	3
test_categories	OWASP categories to include	["A01","A03","A05","A07"]
max_payloads	Maximum payloads per parameter	50
timeout	Request timeout in seconds	10
follow_redirects	Follow HTTP redirects during testing	true
auth_token	Bearer token for authenticated testing	""
exclude_paths	URL paths to skip during testing	["/logout","/delete"]
report_format	Output format for findings	"json"

Best Practices

1. Always get written authorization before testing any web application — unauthorized testing is illegal regardless of intent, and having a signed scope document protects both parties
2. Test in a staging environment first to avoid disrupting production services; if production testing is required, schedule it during low-traffic windows with the operations team informed
3. Document every finding with reproduction steps including exact URLs, parameters, payloads used, and screenshots — vague reports lead to unfixed vulnerabilities
4. Prioritize findings by business impact rather than just technical severity; a medium-severity vulnerability on a payment endpoint matters more than a critical one on a static marketing page
5. Verify remediations independently after the development team applies fixes — run the same test cases again to confirm the vulnerability is actually resolved, not just masked

Common Issues

False positives from WAF interference: Web application firewalls can block test payloads, making it appear the application is secure when the underlying code is still vulnerable. Test from an allowlisted IP address or temporarily adjust WAF rules during the assessment window to get accurate results.

Incomplete scope coverage: Large applications have hundreds of endpoints and parameters. Use automated crawling with tools like Burp Spider or OWASP ZAP crawler first to build a complete sitemap, then focus manual testing on high-value targets like authentication, payment, and administrative functions.

Missing server-side vulnerabilities: Client-side testing alone misses business logic flaws, race conditions, and backend validation bypasses. Supplement automated scanning with manual testing that includes modifying request bodies, headers, and cookies directly through an intercepting proxy.