
Web Application Security

OWASP Top 10 and beyond — attack and defend modern web applications.

OWASP Top 10 (2021):
1. Broken Access Control — IDOR, missing auth checks, privilege escalation
2. Cryptographic Failures — weak algorithms, unencrypted data, improper key management
3. Injection — SQL, NoSQL, LDAP, OS command, SSTI
4. Insecure Design — missing threat modelling, unsafe business logic
5. Security Misconfiguration — default creds, unnecessary features enabled, verbose errors
6. Vulnerable & Outdated Components — unpatched libraries, SCA tools
7. Identification & Auth Failures — weak passwords, no MFA, session fixation
8. SSRF — abuse of server-side HTTP requests to internal services
9. Security Logging Failures — no audit trails, inadequate monitoring
10. Injection (client-side) — XSS, stored/reflected/DOM-based

Burp Suite workflow:
- Intercepting proxy — modify requests in-flight
- Scanner — automated vulnerability detection
- Repeater — manual request replay and modification
- Intruder — fuzzing and brute force
- Collaborator — out-of-band interaction detection

Common techniques:
- SQLi: UNION-based, blind (boolean-based/time-based), error-based, sqlmap
- XSS: reflected, stored, DOM-based, CSP bypass
- CSRF: token bypass, SameSite cookie analysis
- SSRF: cloud metadata endpoint (169.254.169.254), internal port scanning
- XXE: local file read, SSRF via XML, out-of-band (OOB) exfiltration