
OWASP Top 10 for Web

Empower your team with OWASP Top 10 and secure code training. Strengthen your web applications' defenses and minimize vulnerabilities effectively.


Clickjacking

Clickjacking, or User Interface Redressing, is a class of attacks in which the attacker loads the target application in an invisible layer (most commonly a transparent iframe) positioned over a decoy page, and then tricks an unsuspecting user into clicking what appears to be a harmless button or link. The click lands on the hidden application instead, performing an unwanted action there with the victim's own session. Prevention is based on restricting who may frame the application, using the X-Frame-Options response header or, preferably, a Content-Security-Policy frame-ancestors directive.
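The following is an added example, not code from Kontra or from the page, that turns the prevention advice above into a check: given the headers a page is served with, it decides whether a page at a given embedder origin is allowed to frame it. It implements X-Frame-Options DENY and SAMEORIGIN and the CSP frame-ancestors directive (with 'none', 'self', host sources and wildcard subdomains), and applies the specification rule that frame-ancestors, when present, overrides X-Frame-Options. The origins used are hypothetical.

```python
from urllib.parse import urlsplit

# Added example (not Kontra's code): decide whether a page served with `headers`
# may be framed by a page at `embedder_origin`. Implements X-Frame-Options
# DENY/SAMEORIGIN and CSP frame-ancestors ('none', 'self', host sources,
# "*.example" wildcards). Per the CSP specification a frame-ancestors directive,
# when present, overrides X-Frame-Options. The legacy ALLOW-FROM value is not
# honoured, mirroring current browsers.

def _match_source(source: str, embedder: str, own: str) -> bool:
    source = source.strip().strip("'").lower()
    if source == "none":
        return False
    if source == "self":
        return embedder == own
    emb = urlsplit(embedder)
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != emb.scheme:
        return False
    host = src.hostname or ""
    if host.startswith("*."):
        # "*.partner.example" matches "app.partner.example" but not "partner.example"
        if not (emb.hostname or "").endswith(host[1:]):
            return False
    elif host != emb.hostname:
        return False
    default_port = {"https": 443, "http": 80}.get(emb.scheme)
    if src.port is not None and src.port != (emb.port or default_port):
        return False
    return True

def framing_allowed(headers: dict, embedder_origin: str, own_origin: str) -> bool:
    """True if a page served with `headers` may be framed by `embedder_origin`."""
    h = {k.lower(): v for k, v in headers.items()}
    embedder_origin, own_origin = embedder_origin.lower(), own_origin.lower()
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # an empty source list is equivalent to 'none'
            return any(_match_source(s, embedder_origin, own_origin) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == own_origin
    return True   # no restriction at all: any site can frame the page

if __name__ == "__main__":
    # hypothetical origins for the demonstration
    print(framing_allowed({}, "https://evil.example", "https://bank.example"))          # framable
    print(framing_allowed({"X-Frame-Options": "DENY"}, "https://evil.example", "https://bank.example"))
```

A response with neither header is the clickjackable case; the function returns True for any embedder, which is what a scanner should flag.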

Command Injection

Code Injection is a general class of attack in which injected data is interpreted or executed as code by the application, usually because of missing or insufficient input validation. Command Injection more specifically refers to the injection of operating system commands, typically through user input that is concatenated into a shell command string. It often allows attackers to compromise the whole application, take full control of the server, and pivot to other systems within the organization.
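An added example (not code from Kontra or from the page) of the pattern just described and its fix. The vulnerable function splices a hostname into a shell command string, so `;` starts a second command; the hardened function validates the value against a hostname allowlist pattern and passes it as a separate argv element with no shell involved. `echo` stands in for whatever the real program would be (ping, nslookup, an image converter) so the demonstration is harmless to run; the payload is constructed.

```python
import re
import subprocess

# Added example (not Kontra's code). `lookup_unsafe` builds a command string
# from untrusted input and hands it to /bin/sh, so shell metacharacters
# (";", "|", "$(...)", backticks) become additional commands. `lookup_safe`
# validates the input and passes it as one argv element: the kernel receives
# ["echo", host] and nothing ever parses metacharacters. `echo` is a harmless
# stand-in for the real command.

# hostname allowlist: labels of letters, digits, dots and hyphens, 1-254 chars
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")

def lookup_unsafe(host: str) -> str:
    cmd = f"echo {host}"                       # untrusted input spliced into the command line
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout

def lookup_safe(host: str) -> str:
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid hostname: {host!r}")
    # argv list, no shell: the argument is delivered verbatim to the program
    out = subprocess.run(["echo", host], capture_output=True, text=True, check=True)
    return out.stdout

if __name__ == "__main__":
    payload = "example.com; echo INJECTED"     # constructed attacker input
    print(lookup_unsafe(payload), end="")      # two lines: the second command ran
    try:
        lookup_safe(payload)
    except ValueError as err:
        print("rejected:", err)
```

If a shell genuinely cannot be avoided, `shlex.quote()` on each argument is the fallback, but removing the shell from the call is the robust fix; validation then protects against argument-level abuse (for example an input beginning with `-` being read as an option).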

Components with Known Vulnerabilities

Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, which expands the threat-agent pool beyond targeted attackers to include opportunistic ones. Because the flaw lives in code the team did not write, the defense is to keep an inventory of third-party components and their versions and to patch or remove those with published vulnerabilities.

Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated: the attacker's page causes the victim's browser to send a request, and the browser attaches the victim's cookies automatically, so the application treats it as legitimate. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.
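The synchronizer-token defense, as an added example that is not code from Kontra or the page. The server stores a random token in the session, embeds it in every state-changing form, and refuses a POST whose token is missing or wrong. A cross-site attacker can make the victim's browser send the request with its cookies but cannot read the token to include it. As defense in depth the handler also rejects requests whose Origin header names another site and refuses to change state on GET. The endpoint and origins are hypothetical.

```python
import hmac
import secrets
from typing import Optional

# Added example (not Kontra's code): synchronizer-token CSRF protection for a
# hypothetical /transfer endpoint. Token comparison is constant-time.

def issue_csrf_token(session: dict) -> str:
    """Return the session's CSRF token, creating one on first use."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)   # 256-bit CSPRNG value
    return session["csrf_token"]

def render_transfer_form(session: dict) -> str:
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session)}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')

def handle_transfer(session: dict, method: str, form: dict,
                    origin: Optional[str], own_origin: str):
    """Return (status, message); state is touched only after every check passes."""
    if method != "POST":
        return 405, "state changes require POST"            # GET must never change state
    # browsers send Origin on cross-site POSTs; a foreign value is a forged request
    if origin is not None and origin.lower() != own_origin.lower():
        return 403, "cross-origin request rejected"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "invalid CSRF token"
    # ... perform the transfer here ...
    return 200, f"sent {form['amount']} to {form['to']}"

if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # legitimate submission from the rendered form
    print(handle_transfer(session, "POST", {"to": "bob", "amount": "10", "csrf_token": token},
                          "https://bank.example", "https://bank.example"))
    # forged submission from an attacker's page: cookies arrive, the token does not
    print(handle_transfer(session, "POST", {"to": "mallory", "amount": "10000"},
                          "https://evil.example", "https://bank.example"))
```

Setting the session cookie with `SameSite=Lax` or `Strict` stops most browsers from attaching it to cross-site POSTs in the first place, but the token check is what makes the protection independent of client behaviour.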

Directory Traversal

Directory traversal (also called path traversal) is a type of attack used to gain unauthorized access to restricted directories and files. It exploits the way vulnerable web applications construct file paths from user input when serving assets, typically by supplying "../" sequences or their URL-encoded equivalents, in order to step outside the intended directory and navigate the filesystem of the server running the application. An attacker might be able to read sensitive configuration files, obtain credentials for backend systems, and even gather enough information to take control of the server.
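An added example, not code from Kontra or the page, showing the vulnerable path construction beside a hardened resolver. The unsafe version joins the requested name onto the asset root and honours "../"; the safe version decodes once, resolves the path (including symlinks), and verifies with a true directory-prefix test that the result is still under the root. It also handles the cases a naive check misses: URL-encoded dots, absolute paths, null bytes, and a sibling directory whose name merely starts with the root's name. The asset root is a hypothetical directory that need not exist.

```python
import os
from urllib.parse import unquote

# Added example (not Kontra's code). ASSET_ROOT is hypothetical; nothing is
# opened, the functions only compute the path a file server would open.

ASSET_ROOT = "/srv/app/static"

def serve_unsafe(requested: str) -> str:
    # vulnerable: "../" segments are honoured, so the path can leave ASSET_ROOT
    return os.path.normpath(os.path.join(ASSET_ROOT, unquote(requested)))

def resolve_asset(requested: str, root: str = ASSET_ROOT) -> str:
    """Return the absolute path for `requested`, or raise PermissionError if it escapes `root`."""
    root = os.path.realpath(root)
    decoded = unquote(requested)                      # decode exactly once
    if "\x00" in decoded:
        raise PermissionError("null byte in path")
    # lstrip("/") so an absolute request path cannot replace the root in os.path.join
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath is a real directory-prefix test; str.startswith(root) would accept
    # "/srv/app/static_old/..." as being inside "/srv/app/static"
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes asset root: {requested!r}")
    return candidate

if __name__ == "__main__":
    for req in ("css/site.css", "../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd"):
        print(f"{req!r:35} unsafe -> {serve_unsafe(req)}")
        try:
            print(f"{'':35} safe   -> {resolve_asset(req)}")
        except PermissionError as err:
            print(f"{'':35} safe   -> rejected ({err})")
```

Resolving with realpath before the containment check matters because a symlink inside the asset directory can point outside it; comparing the unresolved string would pass such a path.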

DOM XSS

DOM-based XSS is an XSS variant in which the attack payload is executed as a result of modifying the DOM "environment" in the victim's browser that the original client-side script relies on, so that the client-side code runs in an unexpected manner. The page itself (that is, the HTTP response) does not change; the client-side code contained in the page executes differently because of the malicious modifications to the DOM environment, typically because a script reads an attacker-controlled source such as location.hash or document.referrer and writes it into a dangerous sink such as innerHTML or eval.

Forced Browsing

Forced Browsing or Directory Enumeration is an attack technique used to gain access to restricted pages or other sensitive resources on a web server by requesting their URLs directly, either by guessing them or by following references that were never meant to be linked. If the restricted URLs, scripts, or files are not protected by server-side authorization checks, they are vulnerable to forced browsing, allowing an attacker to access restricted files and view sensitive information regardless of what the user interface exposes.

Horizontal Privilege Escalation

Access control refers to constraints on who can perform what actions or access which resources. Horizontal access control restricts access to functionality or resources of the same type, such as account information, to their owner. Horizontal privilege escalation vulnerabilities occur when a malicious user can gain access to functionality or resources belonging to another user, typically by changing an identifier in a request. If the user whose resources are reached belongs to a more privileged group, this can further lead to Vertical Privilege Escalation.

Host Header Injection

Host header attacks are a type of injection vulnerability in which an attacker sets the HTTP "Host" header (or a proxy header such as "X-Forwarded-Host") to an attacker-controlled domain name. Should a web application use this header value to build absolute URLs, for example when generating "password reset" links, the attacker can request a reset for the victim's account and cause the e-mailed link to point at the attacker's site; when the victim clicks it, the reset token is delivered to the attacker, who can then use it to take over the account.
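An added example, not code from Kontra or the page, of the reset-link case. The vulnerable function builds the link from the request's Host header; the hardened one takes the host from server configuration and, as defense in depth, refuses to serve a request whose Host is not an allowlisted canonical name. The host names are hypothetical and the headers are represented as a plain dictionary.

```python
# Added example (not Kontra's code). CANONICAL_HOST and ALLOWED_HOSTS are
# hypothetical server configuration; request headers are a dict.

CANONICAL_HOST = "www.example.com"
ALLOWED_HOSTS = {"www.example.com", "example.com"}

def reset_link_unsafe(request_headers: dict, token: str) -> str:
    # vulnerable: the Host header is attacker-controlled, so the mailed link
    # can point at evil.example and hand over the victim's token
    host = request_headers.get("Host", CANONICAL_HOST)
    return f"https://{host}/reset?token={token}"

def validate_host(request_headers: dict) -> str:
    """Return the normalised Host, or raise ValueError if it is not one of ours."""
    raw = request_headers.get("Host", "")
    if raw.startswith("["):                                 # IPv6 literal: [::1]:8443
        host = raw[1:raw.find("]")]
    else:
        host = raw.split(":", 1)[0]                         # drop any port
    host = host.lower().rstrip(".")                         # case and trailing dot
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"Host header not allowed: {raw!r}")
    return host

def reset_link_safe(request_headers: dict, token: str) -> str:
    validate_host(request_headers)          # foreign Host: refuse the request outright
    return f"https://{CANONICAL_HOST}/reset?token={token}"   # configured host, never the request's

if __name__ == "__main__":
    token = "constructed-token-value"
    print(reset_link_unsafe({"Host": "evil.example"}, token))
    print(reset_link_safe({"Host": "www.example.com"}, token))
    try:
        reset_link_safe({"Host": "evil.example"}, token)
    except ValueError as err:
        print("rejected:", err)
```

When the application sits behind a reverse proxy, X-Forwarded-Host deserves the same treatment: trust it only if the proxy is known to overwrite it, and validate it against the same allowlist.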

Insecure URL Redirect

Insecure URL redirects, or unvalidated redirects and forwards, are weaknesses that let an attacker make the web application redirect or forward an unsuspecting user to a malicious domain under the attacker's control. They commonly occur when a web application accepts untrusted input, such as a "next" or "returnUrl" parameter, and redirects the request to the URL contained in that input without validation. By pointing the parameter at a malicious site, an attacker can trigger a redirection from a trusted domain to an arbitrary external one, which lends credibility to phishing attacks against the application's users.
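An added example, not code from Kontra or the page, of validating a redirect parameter. It accepts only same-site paths, or an https URL to the application's own host or an explicitly allowlisted partner host, and otherwise falls back to a default. It covers the inputs that defeat a naive "starts with /" check: protocol-relative "//evil.example", a backslash variant that browsers normalise to a slash, the scheme-without-slashes form "https:evil.example", a "javascript:" URL, and CRLF characters aimed at the Location header. Hosts and the default target are hypothetical.

```python
from urllib.parse import urlsplit

# Added example (not Kontra's code). Hosts are hypothetical.

DEFAULT_TARGET = "/"

def safe_redirect_target(next_param, own_host, allowed_hosts=frozenset()) -> str:
    """Return a redirect target that stays on our site (or an allowlisted host)."""
    if not next_param:
        return DEFAULT_TARGET
    target = next_param.strip()
    if any(c in target for c in "\r\n\t\x00"):      # header injection / smuggling attempts
        return DEFAULT_TARGET
    target = target.replace("\\", "/")              # browsers treat "\" as "/" in URLs
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # absolute (or protocol-relative) URL: only https to a host we trust
        trusted = set(allowed_hosts) | {own_host.lower()}
        if parts.scheme.lower() != "https" or (parts.hostname or "") not in trusted:
            return DEFAULT_TARGET
        return target
    # relative target: require a single leading slash so it resolves on our origin
    if not target.startswith("/") or target.startswith("//"):
        return DEFAULT_TARGET
    return target

if __name__ == "__main__":
    for candidate in ("/account", "//evil.example/", "/\\evil.example", "https:evil.example",
                      "javascript:alert(1)", "https://www.example.com/next"):
        print(f"{candidate!r:32} -> {safe_redirect_target(candidate, 'www.example.com')}")
```

Note that `urlsplit("https:evil.example")` yields a scheme but no host, which is why the absolute branch checks `hostname` rather than only the scheme; a browser given that string as a Location would navigate to evil.example.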

Leftover Debug Code

Leftover debug comments or code can provide entry points for attackers to gain access through functionality that was specifically designed for debugging or testing purposes and was not intended to be deployed with the application. Forgetting to remove these back doors creates serious security risks, as they often provide ways to bypass access controls.

Personally Identifiable Data in URL

Sensitive information exposure through URLs occurs when data such as Personally Identifiable Information (PII), usernames, credit card numbers, passwords, session tokens, or any other potentially sensitive data is passed in HTTP GET parameters. Because URLs are recorded in many places the application does not control, such as web server logs, proxy logs, browser history, Referer headers and third-party analytics and monitoring tools, this increases the likelihood of the data being exposed to malicious actors.

Reflected Cross Site Scripting

Reflected Cross-site Scripting (XSS) is a client-side code injection vulnerability in which a malicious JavaScript payload supplied in a request (for example in a search parameter) is reflected back, without adequate encoding, in the web server's response and executed by the victim's browser. Since the entire attack is completed in a single request and response, typically by tricking the victim into following a crafted link, it is known as a Reflected Cross-site Scripting vulnerability.

Server Side Request Forgery

In a Server-Side Request Forgery (SSRF) attack, the attacker abuses functionality on the server to make it issue requests on their behalf and read or update internal resources. The attacker supplies or modifies a URL that the server-side code will fetch or submit data to and, by carefully selecting the target, may be able to read cloud instance metadata (such as the AWS metadata service at 169.254.169.254), connect to internal services like HTTP-enabled databases, or send POST requests to internal services that were never intended to be exposed.

Session Fixation

Session Fixation is an attack on web application users in which the attacker tricks a victim into using a session ID that is already known to the attacker. If the application fails to generate a new session ID when a user authenticates, the attacker can obtain a valid (unauthenticated) session ID, plant it in the victim's browser, and wait for the victim to log in; the attacker's ID is now bound to the victim's authenticated session, allowing the attacker to impersonate the authenticated user.

SQL Injection

SQL Injection is a type of code injection vulnerability that allows an attacker to interfere with the queries an application makes to its database, typically because user input is concatenated into a query string. By injecting malicious SQL, an attacker can read database content and thus gain access to sensitive information, modify or delete data, and in some cases execute administrative operations on the backing database server.
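An added example, not code from Kontra or the page, run against an in-memory SQLite database with a constructed users table. The vulnerable lookup concatenates the username into the query, so a tautology payload returns every row and a UNION payload reads the schema out of sqlite_master; the parameterised lookup treats the same input as a literal string and matches nothing. A third function shows the one case parameters cannot cover, a dynamic identifier, handled with an allowlist.

```python
import sqlite3

# Added example (not Kontra's code). Schema and rows are constructed.

def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def find_user_unsafe(conn, username: str):
    # vulnerable: the input becomes part of the SQL text
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username: str):
    # parameterised: the driver sends the value separately; it is never parsed as SQL
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

ALLOWED_SORT_COLUMNS = {"username", "role"}

def find_user_safe_sorted(conn, username: str, order_by: str = "username"):
    # identifiers (table/column names) cannot be bound as parameters: allowlist them
    if order_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"invalid sort column: {order_by!r}")
    sql = f"SELECT username, role FROM users WHERE username = ? ORDER BY {order_by}"
    return conn.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    conn = setup_db()
    tautology = "' OR '1'='1"                                    # constructed payloads
    union = "' UNION SELECT name, sql FROM sqlite_master --"
    print(find_user_unsafe(conn, tautology))   # every row
    print(find_user_unsafe(conn, union))       # table definition leaked
    print(find_user_safe(conn, tautology))     # []
```

The UNION payload works because the attacker can match the column count of the original SELECT; error messages that reveal that count are a common stepping stone, which is one reason database errors should not reach the client.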

Stored Cross Site Scripting

Stored or Persistent Cross-site Scripting (XSS) occurs when the user-supplied input is stored on a web application and then rendered within a web page. Typical entry points are blog comments and user profiles. An attacker typically exploits this vulnerability by injecting XSS payloads on popular pages of a web application or by passing a link to a victim, tricking them into viewing the page that contains the stored XSS payload. When the victim visits the page, the payload is executed client-side by the victim’s web browser.
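An added example, not code from Kontra or the page, covering the two server-side variants described above, Reflected and Stored XSS, in one page renderer: a search page that echoes the query (reflected) and a comment list rendered from stored user input (stored). The unsafe renderer concatenates raw input into HTML; the safe one encodes for each output context it writes into, HTML text and attribute values via `html.escape(quote=True)` and a JavaScript string literal via `json.dumps` with angle brackets escaped so `</script>` cannot terminate the block. DOM-based XSS is not shown here because its sink is in the browser, not in the response. The payloads are constructed.

```python
import html
import json

# Added example (not Kontra's code). Payloads and comments are constructed.

def js_string(value: str) -> str:
    """Encode `value` as a JavaScript string literal safe to embed inside <script>."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))

def render_unsafe(query: str, comments) -> str:
    items = "".join(f"<li>{c}</li>" for c in comments)           # stored XSS sink
    return (f"<p>Results for: {query}</p>"                         # reflected XSS sink (text)
            f'<input value="{query}">'                             # reflected XSS sink (attribute)
            f"<ul>{items}</ul>"
            f"<script>var q = '{query}';</script>")                # reflected XSS sink (script)

def render_safe(query: str, comments) -> str:
    q = html.escape(query, quote=True)                             # escapes < > & " '
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return (f"<p>Results for: {q}</p>"
            f'<input value="{q}">'
            f"<ul>{items}</ul>"
            f"<script>var q = {js_string(query)};</script>")       # JS context needs JS encoding

if __name__ == "__main__":
    reflected_payload = '"><script>alert(1)</script>'
    stored_comments = ["nice post", "<img src=x onerror=alert(document.cookie)>"]
    print(render_unsafe(reflected_payload, stored_comments))
    print(render_safe(reflected_payload, stored_comments))
```

Using the HTML-escaped value inside the script block would not be enough: `&lt;` is harmless to the HTML parser but the JavaScript parser never sees HTML entities, and a quote character in the payload would still break out of the string. Output encoding has to match the context the value lands in.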

Token Exposure in URL

Exposed session tokens are a common and often overlooked vulnerability that arises when a user's session ID, an API token or other sensitive session data is included in a GET request, most often as a query-string parameter. This can result in the session data being exposed or logged by infrastructure such as web server logs, proxy logs, browser history, Referer headers and third-party analytics and monitoring applications, increasing the likelihood of the session being hijacked by malicious actors.
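An added example, not code from Kontra or the page, serving both the "Personally Identifiable Data in URL" and "Token Exposure in URL" sections above: a scanner that runs over access-log lines and flags requests whose query string carries session tokens, API keys or PII. Besides a list of sensitive parameter names it applies value heuristics (JWT shape, long hex or base64 secrets, e-mail addresses, Luhn-valid card numbers), since sensitive data often travels under innocuous names. The log lines are constructed in the common-log format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Added example (not Kontra's code). SAMPLE_LOG lines are constructed.

SENSITIVE_NAMES = {"token", "access_token", "api_key", "apikey", "sessionid", "jsessionid",
                   "phpsessid", "password", "passwd", "ssn", "email", "card", "cc"}
JWT_RE = re.compile(r"[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")
SECRET_RE = re.compile(r"[A-Fa-f0-9]{32,}|[A-Za-z0-9+/_-]{32,}={0,2}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(name: str, value: str):
    """Return a reason string if the parameter looks sensitive, else None."""
    if name.lower() in SENSITIVE_NAMES:
        return f"sensitive parameter name '{name}'"
    if JWT_RE.fullmatch(value):
        return "JWT-shaped value"
    if EMAIL_RE.fullmatch(value):
        return "e-mail address"
    compact = value.replace(" ", "").replace("-", "")
    if compact.isdigit() and 13 <= len(compact) <= 19 and luhn_ok(compact):
        return "Luhn-valid card number"
    if SECRET_RE.fullmatch(value):
        return "high-entropy secret-like value"
    return None

def scan_log(lines):
    """Yield (line number, parameter name, reason) for every sensitive query parameter."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify(name, value)
            if reason:
                findings.append((lineno, name, reason))
    return findings

SAMPLE_LOG = [   # constructed access-log lines
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes&page=2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /account?sessionid=8f14e45fceea167a5a36dedd4bea2543 HTTP/1.1" 200 2048',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /api/v1/me?auth=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.abcdefghijklmnopqrstuvwxyz HTTP/1.1" 200 300',
    '198.51.100.2 - - [10/Oct/2023:13:56:10 +0000] "POST /checkout?number=4111111111111111&user=bob%40example.com HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for lineno, name, reason in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: parameter {name!r}: {reason}")
```

Such a scan is a detection control; the fix is to move tokens into headers or cookies and PII into POST bodies, and to configure the logger to redact query strings where they cannot be avoided.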

Use of Insufficiently Random Values

Vulnerabilities associated with weak or insufficient randomness occur when an application generates predictable values in a context requiring unpredictability. This includes cryptographically weak tokens, predictable session cookies or incremental identifiers. The possibility to predict valid values can allow attackers to infer sensitive information or even impersonate other users.
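An added example, not code from Kontra or the page, serving both the "Session Fixation" and "Use of Insufficiently Random Values" sections: a session store whose identifiers come from the operating system CSPRNG via `secrets` rather than from `random` or a counter, and which rotates the identifier on login so that an ID planted by an attacker before authentication maps to nothing afterwards. The vulnerable pattern is kept beside it for comparison. Users and session contents are constructed.

```python
import secrets
import time

# Added example (not Kontra's code). In-memory store; the interface is hypothetical.

SESSION_ID_BYTES = 32     # 256 bits of entropy from the OS CSPRNG

class SessionStore:
    def __init__(self):
        self._sessions = {}

    @staticmethod
    def new_id() -> str:
        # secrets, not random/time/counters: unpredictable to an attacker
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def create(self) -> str:
        sid = self.new_id()
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, user) -> str:
        """Authenticate and rotate: the pre-login ID is invalidated, a fresh one is issued."""
        data = self._sessions.pop(sid, None)         # old ID stops working immediately
        if data is None:
            data = {"created": time.time()}          # unknown or forged ID: start fresh
        data["user"] = user
        new_sid = self.new_id()
        self._sessions[new_sid] = data
        return new_sid

    def login_fixable(self, sid, user) -> str:
        """The vulnerable pattern: authenticates whatever ID the client presented."""
        self._sessions.setdefault(sid, {"created": time.time()})["user"] = user
        return sid

if __name__ == "__main__":
    store = SessionStore()
    planted = store.create()                         # attacker obtains a valid pre-auth ID
    victim_sid = store.login(planted, "victim")      # victim logs in with the planted ID
    print(store.get(planted))                        # None: attacker's copy is useless
    print(store.get(victim_sid)["user"])             # "victim": only the browser that logged in has this
```

Rotation should also happen on any other change of privilege (for example switching to an administrative role) and the cookie carrying the ID should be set with HttpOnly, Secure and SameSite so that it cannot be read by script, sent in clear or attached to cross-site requests.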

User Enumeration

Username Enumeration, a common precursor to credential-stuffing and brute-force attacks, refers to a weakness that lets a malicious actor determine whether a given username exists in an application and automate the discovery of many valid usernames. The oracle is usually a difference in behaviour between existing and non-existing accounts: a distinct error message, a different response code or page, or a measurable difference in response time in login, registration or password-reset flows. Web applications are the most common victims, although user enumeration vulnerabilities can arise in any system that authenticates users.
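An added example, not code from Kontra or the page, of a login handler that leaks account existence beside one that does not. The leaky version returns a different message for an unknown user than for a wrong password and skips the expensive password hash when the user does not exist, so both the text and the timing are oracles. The uniform version always returns the same generic message and always performs the same PBKDF2 computation, against a dummy hash when the user is unknown. The user table and password are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Added example (not Kontra's code). Users are constructed; PBKDF2-HMAC-SHA256
# with a per-user salt stands in for whatever password hash the application uses.

ITERATIONS = 100_000
GENERIC_MESSAGE = "Invalid username or password."

def hash_password(password: str, salt: bytes = None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# a hash that matches no real password, used to equalise work for unknown users
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_hex(32))

USERS = {"alice": hash_password("correct horse battery staple")}   # constructed

def login_leaky(username: str, password: str):
    if username not in USERS:
        return False, "No such user"                    # oracle 1: message; oracle 2: fast path
    salt, stored = USERS[username]
    if not hmac.compare_digest(stored, hash_password(password, salt)[1]):
        return False, "Wrong password"                  # confirms the username exists
    return True, "OK"

def login_uniform(username: str, password: str):
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(stored, hash_password(password, salt)[1])   # always computed
    if not ok or username not in USERS:
        return False, GENERIC_MESSAGE                    # same message either way
    return True, "OK"

if __name__ == "__main__":
    print(login_leaky("mallory", "x"), login_leaky("alice", "x"))       # messages differ
    print(login_uniform("mallory", "x"), login_uniform("alice", "x"))   # identical
    print(login_uniform("alice", "correct horse battery staple"))
```

The same discipline applies to registration ("an account with this e-mail already exists") and password reset ("if an account exists, an e-mail has been sent"); rate limiting and lockout then bound how many guesses an attacker can make even without an oracle.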

Vertical Privilege Escalation

Access control refers to constraints on who can perform what actions or access which resources. Vertical access control restricts access to sensitive functionality to particular user types, for example allowing only administrators to access an admin page. Vertical privilege escalation happens when sensitive parts of the application are not sufficiently protected and a user can thus gain access to functionality or resources they are not permitted to access.
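An added example, not code from Kontra or the page, serving the "Forced Browsing", "Horizontal Privilege Escalation" and "Vertical Privilege Escalation" sections together, since all three are failures of one server-side authorization gate. Every request passes through `authorize`: unregistered URLs are denied by default (forced browsing of a forgotten backup file gets 404, not the file), each route declares the role it requires (vertical control), and routes that address a per-user object check ownership (horizontal control), answering 404 rather than 403 so the check does not confirm that another user's object exists. Routes, users and the document table are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Added example (not Kontra's code). Routes, roles, users and DOCUMENTS are constructed.

@dataclass
class User:
    id: int
    roles: set = field(default_factory=set)

@dataclass
class Route:
    required_role: str                               # minimum role to reach the route at all
    owner_of: Optional[Callable] = None              # resource id -> owning user id, for per-user routes

ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}
DOCUMENTS = {101: 1, 102: 2}                         # document id -> owner user id

ROUTES = {
    "/documents/{id}": Route("user", owner_of=DOCUMENTS.get),
    "/profile": Route("user"),
    "/admin/users": Route("admin"),
}

def rank(user: User) -> int:
    return max((ROLE_RANK[r] for r in user.roles), default=ROLE_RANK["anonymous"])

def match_route(path: str):
    """Return (Route, params) for a registered path, or (None, {}) if it is unknown."""
    segs = path.strip("/").split("/")
    for template, route in ROUTES.items():
        tsegs = template.strip("/").split("/")
        if len(tsegs) != len(segs):
            continue
        params = {}
        for t, s in zip(tsegs, segs):
            if t.startswith("{") and t.endswith("}"):
                if not s.isdigit():
                    break
                params[t[1:-1]] = int(s)
            elif t != s:
                break
        else:
            return route, params
    return None, {}

def authorize(user: User, path: str) -> int:
    """HTTP status for `user` requesting `path`: 200 allowed, 403 forbidden, 404 unknown/unowned."""
    route, params = match_route(path)
    if route is None:
        return 404                                   # deny by default: forced browsing fails
    if rank(user) < ROLE_RANK[route.required_role]:
        return 403                                   # vertical: insufficient role
    if route.owner_of is not None:
        owner = route.owner_of(params.get("id"))
        # admins may read every document; others only their own. 404 rather than 403
        # so the response does not reveal that the object exists.
        if owner is None or (owner != user.id and "admin" not in user.roles):
            return 404                               # horizontal: not the owner
    return 200

if __name__ == "__main__":
    alice, bob, root = User(1, {"user"}), User(2, {"user"}), User(3, {"admin"})
    print(authorize(alice, "/documents/101"), authorize(bob, "/documents/101"))   # 200 404
    print(authorize(alice, "/admin/users"), authorize(root, "/admin/users"))       # 403 200
    print(authorize(alice, "/admin/backup.old"))                                   # 404
```

Hiding the admin link in the navigation for non-admins is a usability measure, not a control; the gate above is what stops a user who types the URL.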

XML Entity Injection

XML External Entity (XXE) Injection is an attack against applications that parse XML input, for example data exchanged between browser and server or uploaded documents. By intercepting and modifying that XML, an attacker can exploit potentially dangerous features of standard XML libraries, such as the declaration and resolution of external entities in a DOCTYPE, in order to read files from the server's filesystem, make the server issue requests to backend systems it can reach, or exhaust its resources through entity expansion.
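An added example, not code from Kontra or the page, of a pre-parse guard built on the expat parser that Python's standard XML modules wrap. It refuses documents whose DOCTYPE references an external DTD, documents that declare entities with SYSTEM or PUBLIC identifiers (the feature an XXE payload relies on), and documents that declare an implausible number of internal entities (the entity-expansion or "billion laughs" case), while permitting ordinary documents and a small number of internal entities. The payloads are constructed; the file path in them is the conventional example target and is never read.

```python
import xml.parsers.expat

# Added example (not Kontra's code). Run this over untrusted XML before handing
# it to a full parser (or use a library configured to refuse the same features).

class UnsafeXML(ValueError):
    """Raised when a document uses DTD features an XXE payload depends on."""

MAX_INTERNAL_ENTITIES = 20

def check_xml(data: bytes) -> bool:
    """Return True if `data` declares no external entities or DTDs; raise UnsafeXML otherwise.

    Malformed XML raises xml.parsers.expat.ExpatError, which callers should treat
    as a rejection as well.
    """
    parser = xml.parsers.expat.ParserCreate()
    # never fetch external parameter entities / external DTD subsets
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    internal_count = [0]

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            raise UnsafeXML(f"DOCTYPE references external DTD: {system_id or public_id}")

    def on_entity_decl(name, is_parameter_entity, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            raise UnsafeXML(f"external entity declared: {name} -> {system_id or public_id}")
        internal_count[0] += 1
        if internal_count[0] > MAX_INTERNAL_ENTITIES:
            raise UnsafeXML("too many entity declarations (expansion attack?)")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity referenced: {system_id or public_id}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)
    return True

if __name__ == "__main__":
    benign = b'<?xml version="1.0"?><order><id>42</id></order>'
    xxe = (b'<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<foo>&xxe;</foo>')                          # constructed classic XXE payload
    print(check_xml(benign))
    try:
        check_xml(xxe)
    except UnsafeXML as err:
        print("rejected:", err)
```

The guard parses the document once without resolving anything, so the cost is one extra pass over the input; applications that never need a DTD at all can simply reject any DOCTYPE in `on_doctype`.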
