Cyber Security
OWASP for Web and Mobile
OWASP was founded in 2001 as an open-source initiative to improve software security.
🔹 It started as a small community project to document common web vulnerabilities.
🔹 Over time, it became a global nonprofit organization known for its standards like the OWASP Top 10, ASVS, and tools like ZAP.
The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security. One of OWASP’s core principles is that all of their materials be freely available and easily accessible on their website, making it possible for anyone to improve their own web application security. The materials they offer include documentation, tools, videos, and forums. Perhaps their best-known project is the OWASP Top 10.
The OWASP Top 10 is a regularly updated report outlining security concerns for web application security, focusing on the 10 most critical risks. The report is put together by a team of security experts from all over the world. OWASP refers to the Top 10 as an ‘awareness document’ and recommends that all companies incorporate the report into their processes in order to minimize and/or mitigate security risks.
01- Broken Access Control
Failures in enforcing user permissions, leading to unauthorized data or action access
Tools:
Burp suite
ZAP
Postman
Practices:
RBAC (role-based access control)
Gatekeeper design pattern
02- Cryptographic Failure
Weak or missing encryption, poor key management, deprecated algorithms
Practices:
Encryption
Hashing
Key rotation
TLS 1.2+, AES-256, Vault, HSM
Encrypt in transit and at rest
Sample:
Sensitive Data stored in plaintext in DB
Pen Tools:
testssl.sh
CrackStation
03- Injection
Untrusted input executed as code or queries
Types:
XSS: Cross-site scripting
SQL Injection
Pen Tools:
SQLmap
NoSQLMap
Burp Exts
Defense tools:
WAF
ORM
Prepared statements
04- Insecure design
Lack of security-focused architecture planning, threat modeling gaps
Examples:
No limit on failed login attempts (no brute-force protection)
Storing sensitive data without encryption by design
Not applying least privilege in user roles
Relying only on client-side validation
No threat modeling done in the design phase
Pen Tools:
ThreatModeler, OWASP Threat Dragon
05- Security Misconfiguration
Default settings, exposure, or misconfigured servers/APIs
06- Using components with known vulnerabilities
Use of unpatched libraries or third‑party modules
07- Identification and Authentication Failures
Weak login, session management, or credential handling
08- Software and data integrity failure
Unsafe update paths, unverified data inputs (incl. CI/CD pipelines)
09- Security Logging and monitoring failure
Inadequate logging/alerting leads to delayed detection
10- Server-side request forgery
Server tricked into making unintended requests
OWASP Mobile Top 10
01- Improper Credential Usage
Storing or handling passwords, tokens insecurely
Hardcoded API keys or storing tokens in SharedPreferences (Android)
Use secure keystore/keychain; never hardcode credentials
02- Inadequate Supply Chain Security
Using vulnerable libraries or compromised SDKs
App includes a 3rd-party SDK that leaks location data
Use SBOM, verify dependencies, pin versions, scan with SCA tools
03- Insecure Authentication/Authorization
Weak login, session or access control mechanisms
No lockout on failed login; insecure token validation
Use OAuth 2.0/OIDC, MFA, rate limits, token expiry
04- Insufficient Input/Output Validation
No validation on inputs or outputs; allows injection attacks
App accepts raw user input into SQL query
Sanitize/validate all inputs, escape outputs
05- Insecure Communication
Data transmitted over unprotected channels
Sending login over HTTP instead of HTTPS
Enforce HTTPS, validate TLS certs, use SSL pinning
06- Inadequate Privacy Controls
Leaks personal or sensitive user info without consent
App accesses microphone/location without informing user
Follow platform privacy APIs, get explicit user consent
07- Insufficient Binary Protections
Easy to reverse engineer and modify the app
APK decompiled to extract API keys or disable checks
Use code obfuscation, root/jailbreak detection, integrity checks
08- Security Misconfiguration
Insecure default settings, open debug endpoints
Debug flag enabled in production app
Disable debug mode, secure manifest, validate configs
09- Insecure Data Storage
Sensitive data stored insecurely on device
Credit card info saved in plain text on device
Use platform keystore/encrypted storage APIs
10- Insufficient Cryptography
Weak encryption or misuse of crypto libraries
Using MD5 for password hashing
Use AES-256 for encryption, PBKDF2/bcrypt/Argon2 for hashing
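An added example (not from the slides) contrasting the weak and recommended password-hashing schemes named above: unsalted MD5, which yields the same digest for every user with the same password and so falls to a precomputed-hash lookup, versus salted PBKDF2-HMAC-SHA256 with constant-time verification. The stored-record format, iteration count and sample password are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password for the demonstration (not real data).
PASSWORD = "Summer2024!"

# PBKDF2 parameters; values chosen for this example, not prescribed by the slides.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def md5_hash(password: str) -> str:
    """The weak scheme from the slide: unsalted MD5. Two users with the same
    password get the identical digest, so one hash lookup recovers both."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Recommended scheme: PBKDF2-HMAC-SHA256 with a random per-user salt.
    Record format (this example's convention): pbkdf2_sha256$iters$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the salt and iteration count stored in the record and
    compare in constant time, so a malformed or wrong record never verifies."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users choose the same password: MD5 records collide, PBKDF2 records differ.
    print("MD5 user A:   ", md5_hash(PASSWORD))
    print("MD5 user B:   ", md5_hash(PASSWORD))
    record_a, record_b = pbkdf2_hash(PASSWORD), pbkdf2_hash(PASSWORD)
    print("PBKDF2 user A:", record_a)
    print("PBKDF2 user B:", record_b)
    print("verify correct password:", pbkdf2_verify(PASSWORD, record_a))
    print("verify wrong password:  ", pbkdf2_verify("Summer2024?", record_a))
```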
Dr. Ghoniem Lawaty
Tech Evangelist @TechHuB Egypt